Security implications for cloud as Microsoft ends its support for Windows Server 2003
Another year approaches and we are about to see yet another Microsoft server product reach its end of life. Windows Server 2003 (WS2003) is widely used within the industry, and in a recent survey conducted by Microsoft it was estimated that 22 million instances were still running on Windows Server 2003. Whether this announcement is a headache or an opportunity, it places an additional burden on organisations, as it requires careful consideration, strategic planning and execution.
We have previously witnessed a similar scenario when the support for Windows XP ended back in April 2014. When this happened I recall working with several organisations that heavily relied upon XP deployments, so you can imagine the hysteria.
In recent years, the IT industry and the concept of cloud computing have spread, but along with that so has the attack surface for cyber criminals, hacktivists and people simply wanting to test an organisation’s security posture. It is important to note the potential security implications that organisations will face as a result of Windows 2003 approaching end of life.
What are the EoL Security implications?
The first point here is that it is very important not to panic. Your Windows 2003 servers will still operate in the same way the day after 14th July 2015, but as time goes on you could become more susceptible to a cyber attack.
Security Updates – You will no longer be able to obtain the latest security updates, making the confidentiality, integrity and availability of your systems and data more prone to malicious attacks. You only have to look back over the last six months to find critical updates such as MS07-031, which was released to address a vulnerability in the Schannel security package. One of the core controls around the cloud environment is your protection of data in transit, whether that is actual data crossing networks and/or authentication credentials. Let’s say for now that the main impact for Windows 2003 would have been a Denial-of-Service (DoS), which is not great if you are in retail and this attack materialises during your peak working hours…
Software and Hardware compatibility – If you are running a mixture of physical and virtualised servers, then priority should go to addressing physical aspects, as most WS2003 licences are tied to the physical box, which is usually commodity hardware. If you continue to run WS2003 and are unable to take advantage of new security and hardware products you have invested in as part of your cloud strategy, it may be more cost effective to migrate to a later version, say 2012.
Compliance against industry requirements and/or best practice – Compliance with industry standards and legislative frameworks has swiftly moved from a best practice ‘nice to have’ to a mandatory requirement within a lot of industries. If you are running WS2003 without any support, you run the risk of becoming non-compliant.
- Payment Card Industry Data Security Standard (PCI DSS) v2 and/or 3 – Whilst there are always existing vulnerabilities within an infrastructure, the longer you run with WS2003 the more vulnerable services will be present. Even with a solid security architecture and increased intrusion detection and prevention controls, you will struggle to provide an adequate level of assurance to address the requirements of PCI.
- UK Government – Within UK Government, compliance requirements such as connecting to the Public Services Network (PSN), whether that is an assured connection or one protected via an Inter Provider Encryption Domain (IPED), will also present hurdles if you are unable to support and update your WS2003 estate securely.
Other industry standards such as ISO 27001:2013 and the Cloud Security Alliance all require you to ensure that your systems and applications are up to date and therefore you will need effective mitigating controls to remain compliant.
Disaster Recovery and Resiliency – You really need to consider how you plan on restarting servers that are out of support and beyond your IT team’s capabilities. If disaster recovery and resiliency are key to your business, then migrating is an absolute necessity, unless you try to negotiate a custom support contract with Microsoft, which I imagine will be fairly expensive.
How big is the issue and steps to take?
I didn’t want to leave people reading this article with a load of doom and gloom and then no advice on activities you should consider, so here goes!
Ensure that your servers and their lifecycle are integrated into your strategies and risk management processes – The Microsoft Support Lifecycle (MSL) provides information on each product line, its lifecycle phase and the associated roadmap. Microsoft provides a search facility that will enable you to run through your product line and, should you require it, plan a 3-5 year migration strategy with your cloud provider.
Ask yourself the obvious: why? – It is really important that you understand what these servers are delivering for you. Speak with your security people (if you have them) and your cloud provider to start a data mapping and services exercise. Key factors in security risk assessments are understanding your data flows and services. Identifying your information assets and then risk assessing them against confidentiality, integrity, availability and the likelihood of compromise will help your architects and decision makers with future design and investment decisions. If you decide to retain your 2003 servers, this activity will need to be continual, as your likelihood of compromise will increase over time, whether from an external malicious attack or an insider threat.
Look at building a fit-for-purpose security architecture within your cloud – Whether a decision is made to retain WS2003 or migrate to a later version, a review of your security architecture is important to avoid making decisions based on flawed assumptions. For example, you may have 2003 servers hosting legacy data that is not often used but needs to be retained and kept secure for legislative reasons, e.g. the UK Data Protection Act 1998. To deal with this you could design security zones using layered firewalls, ingress and egress controls, file integrity monitoring and protective monitoring. The cost of this may be less than a migration and still provide adequate protection.
Test, test and test again – Last but not least, do not wait for a malicious attack to be carried out. Hire a professional to conduct ethical hacking on your environment. A certified security professional can identify weaknesses in your architecture and provide remediation advice. This again may not be good enough, depending on where your 2003 servers are situated within the architecture, but it will give you concrete evidence to improve and support the case for investment.
The end of extended support announcement for WS2003 does raise concerns from a security perspective and presents a risk. That risk is only likely to increase over time, and companies operating in the cloud must plan ahead, understand the flow of their key information assets and take steps to ensure that they are adequately protected, based on the business impact of compromise and the cost to remediate.
By Scott Nicholson, information assurance and security manager, Adapt