Windows Server 2003 Reaches End of Life In July

Several readers sent word that we're now less than six months away from the end of support for Windows Server 2003. Though the operating system's usage peaked in 2009, it still runs on millions of machines, and many IT departments are just now starting to look at replacements. Although Microsoft publishes support deadlines long in advance -- and has been beating the drum to dump Server 2003 for months -- it's not unusual for customers to hang on too long. Last year, as Windows XP neared its final days of support, there were still huge numbers of systems running the aged OS. Companies lined up to pay Microsoft for extended support contracts and PC sales stabilized in part because enterprises bought new replacement machines. Problems replacing Windows Server 2003 may appear similar at first glance, but they're not: Servers are critical to a business because of the applications that run on them, which may have to be rewritten or replaced.

[In many cases, legacy applications are the sole reason for the continued use of Server 2003.] Those applications may themselves be unsupported at this point, the company that built them may be out of business or the in-house development team may have been disbanded. Any of those scenarios would make it difficult or even impossible to update the applications' code to run on a newer version of Windows Server. Complicating any move is the fact that many of those applications are 32-bit -- and have been kept on Windows Server 2003 for that reason -- and while Windows Server 2012 R2 offers a compatibility mode to run such applications, it's not foolproof.

PosReady for Server 2003?

Does anyone know if I can use the PosReady registry hack that can be used on XP to get support updates until 2019 on Server 2003?

Re:PosReady for Server 2003?

[fuzzyfuzzyfungus]

There may be an analogous hack(if MS was using a simple registry key, rather than something embedded in Windows Genuine Advantage(tm) to validate one specialty SKU, they might well have done the same elsewhere); but odds of the same one working are pretty much zero. There never was an 'embedded' version of Server 2003 for client devices.

Might be something to be found by sniffing around "Windows Server for Embedded Systems", which had a 2003-based version, as did "Windows Compute Cluster Server" and "Windows Storage Server".

Re:PosReady for Server 2003?

I would seriously doubt there is a hack for continued updates, ala PosReady 2009.

PosReady 2009 is based on, and uses the same kernel, as Windows XP (version 5.1). Technically, PosReady 2009 updates are XP updates. https://en.wikipedia.org/wiki/Windows_Embedded_Industry

Server 2003 has a new kernel (version 5.2). And to my knowledge, there are no products based on this kernel that will be supported past this July. https://en.wikipedia.org/wiki/List_of_Microsoft_Windows_versions

MS FAIL

This is stupid. WS 2003 is still the default server platform that most companies deploy. WS 2008 is not even close in comparison. If you want something small that can maximize utilization especially in a virtualization environment, then there's no alternative. Vista on my server, no thx. And the new tablet-version, seriously what were you thinking?

Re:MS FAIL

Bullshit, WS 2003 hasn't been the default organisations have been deploying for a long time, only those that are incompetent and should not be in IT would still be doing that. I work for a vendor and see mostly 2008 R2 as the default, now getting a lot more 2012 R2 as well (they seem to mostly be skipping 2012 initial release).

Re:MS FAIL

Bullshit, WS 2003 hasn't been the default organisations have been deploying for a long time, only those that are incompetent and should not be in IT would still be doing that. I work for a vendor and see mostly 2008 R2 as the default, now getting a lot more 2012 R2 as well (they seem to mostly be skipping 2012 initial release).

Its pretty common among people who don't actually pay for software but need a GUI and a box that pretty much behaves as they'd expect it to though.

Re:MS FAIL

[thegarbz]

Ahhh you work for a vendor. That explains why the idea of a budget, or that IT is unable to upgrade something because of upper management may seem foreign to you.

But by all means, throw the front line workers in the IT group under the bus for something beyond their control.

Re:MS FAIL

Who upvoted this? I haven't deployed 2003 once in years! Sure, 2008 is "Vista Server" and nobody wants that. Or even worse: 2012 which feels like "Windows Phone Server" because of the stupidified user-hostile UI. But right in the middle, we've had a better option for years: 2008 R2 which is basically "7 Server" and which works great, costs the same, will still get updates for a while and so on.

Re:MS FAIL

[Richard_at_work]

If companies are deploying Windows 2003 today, or at any point in the past 3 years, they are fucking dicks who deserve to be in this position.

But then, your entire post is just stock anti-MS bollocks, so...

Re:MS FAIL

I've got to agree here, I don't let anyone deploy MS Server 2003 any where in our company and if they did, I would be pissed off.

I am currently in the process of migrating everything off of Windows Server 2003 machines. (legacy stuff)

Re:MS FAIL

Are you mad? It's Windows NT or nothing here. You can run 5 VMs with NT for each Windows 2000 VM. If you want something small that can maximise your VM host utilization, then there's no alternative. Windows XP, or Vista on my server, no thx. And the new tablet-version, seriously what were you thinking?

Re:MS FAIL

[fisted]

You're kidding, right? Most companies actually run DOS 6.22; see Burger King, for instance. You can run 5 processes with access to the high memory area using EMM386.EXE for each Windows NT system. If you want something small that can maximise your high memory utilization, then there's no alternative. Windows NT, or XP on my server, no thx. And vista? Seriously what were you thinking?

Re:MS FAIL

WS2003 is the last MS OS that didn't go to a KMS/MAK system, so someone can snarf a VLK from the Internet, and have an activated system.

With W2008 and newer, there are zero activation cracks that don't get patched, so people who pirate are pretty much stuck with W2003 if they want security updates.

Re:MS FAIL

Yes, Server 2012 is touch screen only. There are no classic tools. There is no remote desktop. You have to be in the same room as the server. You have to touch the screen with one hand and masturbate furiously with the other hand.

Re:MS FAIL

Who would install a WS 2012 outside of Microsoft campus? Are there actually any admin out there, who has touchscreen on their servers, as the metro-ui was targeted for those?

What competent admin logs into the 2012 console to run UI tools? It's called Powershell and RSAT, son.

Re:MS FAIL

[nine-times]

That's really not fair. He's responding to someone claiming that Windows 2003 is the default for many companies for new deployments. If you're deploying a new server, you shouldn't be deploying a Windows 2003 server, and that's been the case for a few years. Whether you have the budget to deploy a new server is a different question.

Aside from that, honestly, any company who is relying on servers and other IT resources, and doesn't have an IT budget to fund regular updates/upgrades/replacements, really needs to rethink their strategy. It's not the IT worker's fault that there's no IT budget, but it's certainly someone's fault.

Re:MS FAIL

Bullshit and bullshit. KMS activators abound and work just fine. Updates arrive and are installed with zero problems.

Re:MS FAIL

Agreed. 99% of my employer's clients have migrated away from Server 2003, the majority of them doing so on their own initiative. Relying on a 12 year-old soon-to-be-unsupported platform did not sit well with IT and the "C"-level offices.

Re:MS FAIL

[randm.ca]

With W2008 and newer, there are zero activation cracks that don't get patched, so people who pirate are pretty much stuck with W2003 if they want security updates.

Not sure about 2008, but 2008 R2 can be rearmed indefinitely. Not quite as good as an activation crack since it requires rebooting to safe mode to run a script to reset the rearm count every couple months, but that's no big deal if someone really wants to avoid paying for something.

Re:MS FAIL

[Ol+Olsoc]

But by all means, throw the front line workers in the IT group under the bus for something beyond their control.

I was once told that 25 percent of my salary was devoted to "being wrong".

Re:MS FAIL

My company has been deploying 2008R2 for, well, as long as it has been available.

While it's true that 2008 was "Vista Server" and was pretty limited and crappy, 2008R2 is more like "Windows 7 Server". In fact, it's exactly that.

Only in the last couple of months have we bothered to put 2012R2 on some of the development and testing servers.

And on another note: Being one of the guys that deals with setting that stuff up, I can honestly say that the tile interface isn't as bad as everyone whines about. Sure, it's different. But that's it. It's just different. It's not going to kick your dog and piss in your cornflakes or anything like that. There's nothing you can do with any other version of Windows that you can't do with the ones with the tile interface.

Re:MS FAIL

[NatasRevol]

Agreed. But that doesn't make it the default that organizations have been using.

Re:MS FAIL

[NatasRevol]

BTW, are the admin tools metrofied to work only in fullscreen and only to have few lines of text on it since the "more texts just confuses the stupid user, less is more, duh."

No, they're exactly the same as w2k8.

Re:MS FAIL

[jbolden]

Helping the front line IT workers get the tools they need to do their job is not "throwing them under the bus". Establishing that using X constitutes negligence and thus if something goes wrong the company's liability will skyrocket helps them it doesn't hurt them.

Re:MS FAIL

[Pope+Hagbard]

No, your true vendor wouldn't care about something being EOL'd and thus would never bother updating their product to work with something more modern than Windows XP SP2 and IE6.

Re:MS FAIL

His point still rings valid. Nobody deploys fresh Server 2003 instances of anything anymore unless it is part of a recovery operation of pre-existing legacy services. Software vendors are picky about their environments they are willing to support; when one of our clients comes to us to set them up with a compliant system, it is almost always Server 2008 R2 at a minimum anymore (although we try to press for Server 2012 if its supported). Sometimes that means investment in new infrastructure, or just creating a new VM guest on their hypervisor and buying an appropriate OS license.

This has more to do with planning for the future and little to do with support of old services.

Re:MS FAIL

"With W2008 and newer, there are zero activation cracks that don't get patched, so people who pirate are pretty much stuck with W2003 if they want security updates."
--------

Wow way to expose yourself as wildly uninformed about the topic of activation cracks\workarounds for the windows server OS's or even Office for that matter. Google\Bing Daz's Windows Loader, KMSpico, or Microsoft Toolkit, one of those three (there are others as well) will work for someone 99.5% of the time without any issues what so ever, especially when it comes to security updates or passing a validation check.

Re:MS FAIL

[afidel]

We're fairly similar, our counts are 100x 2003 boxes (almost all ready to be retired, only about 20% really have to have projects in the next 6 months to move their functions to new boxes), 304x 2008/2008R2, and 31x 2012/2012R2. Almost all of the 2012 boxes are MS stack functions, most third party vendors either don't have it certified or only on the edition released in the last few months. We actually just started our first LOB app install on 2012R2 yesterday =)

Re:MS FAIL

[Fetko]

If you're deploying a new server, you shouldn't be deploying a Windows 2003 server, and that's been the case for a few years. Whether you have the budget to deploy a new server is a different question.

It's not just a budget constraint problem. If you have multiple servers in a farm for an application that is currently running 2003, you don't want to add a new variable into that with a new OS. You'll need to update your existing servers first.

Re:MS FAIL

Considering my job is to deploy server on mass, I can tell you that the 2012R2 interface has hindered workflow for no point other than to bring it inline with the customer/user side of things. Powershell and RSAT are get for remote access but the GUI when required is just an extra bar that wasn't required.

Re:MS FAIL

[cusco]

Place I used to contract had a knee-high pile of Compaq 386 laptops in the radio system engineers' office. When I offered to surplus them and get them out of the way they almost attacked me. They had a half million dollar radio tower that used a bleeding-edge control system when it was first installed. The manufacturer got bought out and the new owner didn't support the thing any more. The control system software would ONLY run on a 386 running DOS 3, nothing else, and that pile of laptops were their backup tower controllers. The last time I was there I noticed the pile was gone so they must have upgraded the tower.

There are a lot of expensive legacy systems that rely on outdated operating systems to function. I personally have encountered MRI machines, an access control system, metal lathes, a sawmill, and a factory floor automation system that will not run on anything higher than NT 4.0, a company isn't going to throw away a multimillion dollar automated lathe just because the OS is outdated (or at least they shouldn't). The security model in Server 2008 broke a lot of software, for companies that aren't on the continual upgrade treadmill Server 2003 is going to be around for quite some time.

Re:MS FAIL

Can you show the court, can you point out where the bad man touched the screen?

Re:MS FAIL

[nine-times]

It's not just a budget constraint problem. If you have multiple servers in a farm for an application that is currently running 2003, you don't want to add a new variable into that with a new OS. You'll need to update your existing servers first.

That's debatable, and depends on the context. I think generally, if you have a server farm, you would want to add a new variable by adding new servers. You'd add new servers, migrate the old services to them, and then decommission the old servers-- re-purposing them if they're still good, tossing them if they aren't. And if you run a server farm, you probably should have started doing that to move from 2003 to 2008R2 a few years ago. At this point, you should be planning your migration from 2008R2 to 2012R2, or whatever comes next.

The point is, IT departments should always be planning for and budgeting for the next upgrade. The idea of migrating from a 12 year-old OS to a newer version shouldn't be catching anyone by surprise. If they can't do it because there's no budget for it, then the person doing the budgeting doesn't understand IT needs.

Re:MS FAIL

[danomac]

Well, at least it has PowerShell. Heck, now it's only 23 characters to change a directory? Who wants to go back??

ChangeDirectory -Please <Directory>

Re:MS FAIL

[cycler]

WHY should the default be that everything (that is working) still MUST be upgraded?
Why be a member in this hamsterwheel?

THAT is the question people should ask them selves.....

Cheers, /C

Re:MS FAIL

Updates.
If future security and bug fixes important to you then you need to keep running the hamster wheel.

If you're willing to go it alone without future support then stick on your old system.

Re:MS FAIL

[nine-times]

I know it seems like a simple question, but the answer is a bit complicated.

First, the easy part: hardware. You'll want to upgrade/replace hardware for a few different reasons, one being improved performance or new features. Also, inevitably, all hardware eventually breaks, so you'll need to replace it eventually or just cope with its loss. Often, if you're dealing with important hardware, you want to replace it before it actually breaks.

I know, you're thinking, "Why?! That's stupid. If performance is fine and it's still working, why replace it?" Well, in short, it comes down to warranty/support issues. First, if you have a brand new server, the chances of some hardware component failing is a bit more slim than a 12 year-old server. There hasn't been any wear and tear on it yet, so outside of a straight-up manufacturing fault, you'll probably be fine for a while.

But if it does fail, you often have some kind of warranty in place with an appropriate response time. So if I have a brand new Dell server, I can have a warranty with Dell that says if a some hardware component fails, I have a replacement part in my hands in under 4 hours. With a 12 year-old Dell, Dell might not even carry a replacement part anymore. I have to call up and find out, and I'm going to pay for whatever limited support that I get.

So if you have a computer, and you're thinking, "Well if it goes offline and takes a few days or a week to get it running again, that's fine," then by all means, run it until it breaks. If you don't want downtime, plan to replace the hardware every 3-7 years. For a lot of businesses, the potential loss in productivity of an outage is not worth the money saved by not replacing hardware.

Beyond all that, keep in mind that I'm saying "plan to replace hardware every 3-7 years". That doesn't mean that you must absolutely replace all hardware on that timetable, but you should sure as hell budget for hardware replacements. If you're running a business and you have an old out-of-warranty business-critical server that you can't afford to replace if it breaks, then you're in a bad place.

Software is less obvious and potentially harder to explain, but the easiest part of the explanation is, again, regarding "support". Windows 7 and Windows 8 have security patches coming when a new exploit is discovered. Windows XP doesn't. Why doesn't Microsoft just continue to support XP? I'm no fan of Microsoft, but I'd suggest that the reason isn't some kind of nefarious manipulation. It's simply that they don't want to keep supporting all the quirks and bugs of an application that was built over a decade ago, filled with legacy code and bad decisions.

But aside from the simple issue of "security patches", there's a more subtle issue that people don't talk much about, but every IT guy has in the back of his head: there's all kinds of crap being built for Windows 8 and Windows 2012 right now. If someone is writing new drivers, they're going to write drivers for the new OS. If someone is testing their new software version, they're testing against the new OS. If Microsoft developers are looking at a piece of code and thinking, "This is kind of buggy and unreliable, but fixing it would mean overhauling a lot of code..." then those improvements are going to be in the new OS.

So if you want things to be reliable and work well, you generally don't want to be on the bleeding edge (where things aren't tested well yet), but you also don't want to fall too far behind (where nobody is bothering to test anymore). And you know this too, I'm sure. If you're running Linux, you probably don't want to be running production servers on the kernel released yesterday, but you also probably don't want to be running them on the kernel release 12 years ago.

There are more reasons than these, but these reasons are good enough.

Re:MS FAIL

[terjeber]

Sorry, if your IT department still has a significant amount of 2003 servers, they should be fired. You should be on 2008R2 by now.

A reason to go with Open Source

[Black+Copter+Control]

It's a bit late for these businesses, but one of the pro's of Free and Open Source software is that you always have the right to get the source code and pay somebody else to support your operating system version when the official supplier pulls their support. That's something that Microoft makes very clear is illegal for Windows users to do.

Re:A reason to go with Open Source

So, which Linux distro that I installed in 2003 still has active security updates today? Which one even had more than four years of support? Today it's not big deal. I can install CentOS for free and get updates for ten years, but if I installed Linux back then I would have had to personally finance the security patches for at least half the deployment time.

Re:A reason to go with Open Source

[jones_supa]

That was exactly his point: you can hire another company to continue the maintenance. With Windows, there is no such option even if you were ready to throw cash on the table.

Re:A reason to go with Open Source

[fuzzyfuzzyfungus]

So, which Linux distro that I installed in 2003 still has active security updates today? Which one even had more than four years of support? Today it's not big deal. I can install CentOS for free and get updates for ten years, but if I installed Linux back then I would have had to personally finance the security patches for at least half the deployment time.

I suspect that it's a matter of scale: If your use simply isn't all that big, or migration sucks; but isn't too terribly costly, the right to get support from anyone willing to offer it is mostly theoretical. Unless you, while personally small, are part of a larger market that wants the same thing, it just won't be economic to pay the necessary people to write the software and then deploy a handful of copies. The cost/unit will be insane.

If your use is much larger, though, or migration is a bowel-looseningly expensive labyrinth of pain, or both, the cost of getting the OS updated is the same; and now appears much more reasonable. In practice, the vendor may still be the best person to buy it from(given their familiarity with the product, your existing relationship, etc.); but the fact that you could buy elsewhere acts as an upper limit on the the price, since, while the vendor can likely command a premium, they cannot exert veto power over other market entrants in order to achieve a price calibrated closely to your maximum willingness to pay.

It's just the nature of software: Trivial duplication costs, fairly high production costs(alarmingly high if you really want it done right). Access is educational, can allow you to make comparatively small fixes for yourself, and similar, if you have the skill; but as a purely financial matter it matters most when you are working on a scale where "Actually, it'd be cheaper to fix the OS than it would be to port our applications to the new OS" is a statement of fact, not a negotiating tactic. With VMs (mostly) obviating driver maintenance issues(you still need to fix the old ones if they have vulnerabilities or other issues; but the fact that Linux 2.4x doesn't support a server you buy three years from now is a problem that can be solved with a thin layer of hypervisor, rather than horrific backporting) it becomes more practical to consider doing security fixes for the supporting OS until it's time for the entire system to die, rather than trying to port the application from hell just because the vendor doesn't love your OS anymore.

Re:A reason to go with Open Source

[kthreadd]

That was exactly his point: you can hire another company to continue the maintenance.

I guess you missed his/her point as well. With Windows you got free updates up until July this year. With Linux you would have had to finance that yourself. Installing Linux in 2003 and paying someone to make updates for you would most likely not have been cheaper.

With Windows, there is no such option even if you were ready to throw cash on the table.

Yep, absolutely. You're screwed once MS stops their support. In their defense though, it is quite good that they provided updates for 12 years.

Re:A reason to go with Open Source

[jones_supa]

I guess you missed his/her point as well. With Windows you got free updates up until July this year. With Linux you would have had to finance that yourself. Installing Linux in 2003 and paying someone to make updates for you would most likely not have been cheaper.

Ah, yes. I missed the point indeed. :)

Re:A reason to go with Open Source

[Chrisq]

So, which Linux distro that I installed in 2003 still has active security updates today? Which one even had more than four years of support?

RHEL 4.0 which was available in 2003 and will be given extended support to the end of this month.

Re:A reason to go with Open Source

RHEL 4 was released two years later in 2005, and the updates are not free. They charge quite a lot per year for them, even more during extended support I think.

Re:A reason to go with Open Source

[DarkOx]

Fair enough, but there are some really key differences between the Linux world and that of Windows and even Unix.

You distribution tends to package like 90+ % of the software on the system. The left over 10% is whatever in house app the server is running or 3rd party app you bought. All the libraries it uses, and support software that it uses database engines, etc typically are in the distribution. So the integration details library versions supported version issues are all taken care of for you.

On Windows this absolutely not the case. Things like databases, libraries for document rendering, and just about anything else you can think of is maintained outside the OS distribution. So Windows is where you upgrade and discover UAC totally breaks the version of ${SOFTWARE PACKGE} you have installed or changes to winHTTP cause all the web service calls to fail etc. Even if they mostly are other first party applications like SQL Server or Office. Its also true that its harder to isolate things. If you install something to /opt or /usr/local on a Linux box and those are separate partitions you can have reasonable confidence that blowing away / won't and reloading it from distribution media will leave you with a working app where you left it. Good luck with that on Windows unless you designed the package yourself and avoided the registry and tens of other possible pitfalls.

So again speaking in the general case its easier to go from RHEL 6.x to RHEL 7.x with an in place upgrade, as is true for most other Linux distros; however you do it, let package manager figurout distupdage or re-install a fresh /.

In most of my travels I have not seen 10+ year old Linux versions in production unless its at the same kind of shop that also does not care to patch or be on a supported version of Windows. Even in shops that are good about patch management get their WSUS updates applied etc ( I want to be fair to MS here these rarely if ever break anything) there is still lots of legitimate fear around upgrading an application server between major Windows versions. So in lots of cases Windows boxes tend to stay on whatever release for either the life of the hardware or the life of the app whichever is shorter. Linux boxes tend to be upgraded more frequently.

Re:A reason to go with Open Source

CentOS then. Same lifecycle as RHEL. Updates free.

Re:A reason to go with Open Source

[JackieBrown]

It's a different scenario since there have been many updates and versions to choose from in the past 11 years versus (based on the comments here) only one real upgrade choice for windows - and even with that, most people tend to wait a while to upgrade just for MS to get the kinks out.

Re:A reason to go with Open Source

CentOS 4 has not been supported for many years and they don't offer extended support like Red Hat does. They only care about CentOS 5 and later which was released four years after Windows Server 2003.

Re:A reason to go with Open Source

[Penguinisto]

Yep, absolutely. You're screwed once MS stops their support. In their defense though, it is quite good that they provided updates for 12 years.

Microsoft never had a choice in that matter. Back in the bad old days, you could get near-eternal support for Solaris (back to when it was called "SunOS" for the longest time), HPUX, AIX...

Shit, man - there are still people using AIX 5.1 out there, and still getting support for it.

Re:A reason to go with Open Source

[cusco]

The climate control system in the building that I'm sitting in uses some Linux version that's close to a decade old, if not older. Don't know what they're going to do when the current "server" (a desktop PC shoved under the maintenance guy's desk) dies. There are a lot of these out there, I know of an access control system running Win 95 in 2008, which hadn't been rebooted in over eight years because they weren't sure whether the machine would come back up and they had no way of getting the data off it. That box finally died a couple of years ago and they had to spend a week recreating everything from scratch, and replacing $18,000 of installed hardware that wouldn't work with the newer versions.

Re: A reason to go with Open Source

That is because when Linux software is updated there are usually features added, bugs fixed, and backdoors sealed up... M$ is exactly the opposite: they tend to remove/paywall features, introduce new bugs and create new backdoors when the upgrade.

In place dist-upgrade might also contribute to Linux being " more up to date".

Re:A reason to go with Open Source

[LWATCDR]

If there is a FOSS project that does the job. And if you can get support, and if they do not decide to just kill the project.
I love FOSS but it is does not solve all problems.
For example you will not find a 3d cad system that matches SolidWorks or ProE that is FOSS.

Re: A reason to go with Open Source

[tandavanadesan]

Gp must have read the wrong line, it's RHEL 3 that was released in 2003 and is still in support until the end of the month. RHEL4 has a few years to go.

Re:A reason to go with Open Source

Which one needs security updates today?

Re:A reason to go with Open Source

[DarkOx]

That is a valid point. There is a lot Linux in the embedded and 'quasi-embedded' space that does never get updated.

That is a little different than what we normally think of as application servers that IT would be responsible for migrating. In the 'quasi-embedded' like the climate system you describe where there is basically a PC attached to some machinery you are correct. The opsticle to upgrading these things has little to do with Linux or Windows though, and everything to do with the machinery vendors unwillingness to QA or support anything other than their original configurations. You see the same situation happen with Windows boxen all the time as well just walk around any hospital or machine shop floor and you will see all sorts of DOS/Win9x/XP - pre SP2 about. Its not Microsoft's fault really nor any Linux distro maintainers where this happens.

As to the embedded space, routers, switches, headless controllers, PLCs. The amount of out data Linux out there with potentially major flaws is terrifying.

End of support, not "end of life".

[Futurepower(R)]

Software does not have an "end of life". It continues to do what it always did.

"End of life" is a marketing term used so Microsoft can sell more copies of Windows, apparently. My understanding is that fixing newly discovered vulnerabilities in Windows XP or Windows Server 2003 would be fairly inexpensive.

I've explored the issues concerning Windows XP: Microsoft Windows XP "end of life": Conflict of interest.

Re:End of support, not "end of life".

[bloodhawk]

Software end of life usually comes in the form of old hardware dying and no one willing to invest money to write drivers for old software so yeah it does have an end of life, fixing new vulnerabilities is NOT inexpensive either. The human resources of having adequately trained and available devs, support engineers and testers alone runs into the millions.

Re:End of support, not "end of life".

[dissy]

My understanding is that fixing newly discovered vulnerabilities in Windows XP or Windows Server 2003 would be fairly inexpensive.

One more downside to being closed source - if Microsoft won't fix vulnerabilities, no one else can for any sane price.

At work I'm still migrating our last two 2003 servers, one migration nearing completion the end of this month, and the next not even started yet but expecting to take 9-12 months.

Exchange server was our primary risk because by its nature it has to handle SMTP, and while you can't poke that server directly from the Internet (a postfix relay server is the only one with direct internet exposed ports) but those emails still flow through it, and it sends outgoing mail directly so has to connect to other MTAs and everything involved with that like DNS queries... A pretty big risk footprint on that one, so no argument from me that it needs upgraded.

The last 2003 server however doesn't technically require being replaced, the risk is very small and mostly controlled for even then. It would likely run fine until enough hardware failures make keeping the server up cost prohibitive, which is really the biggest reason (though a fairly justified one) to upgrade.

The vulnerability risk footprint is limited to the LAN, and then only really to windows file sharing (that and SQL server are the only exposed services)
Not zero for sure, but taken alone not enough of a reason to justify the cost of an upgrade. Only everything taken together combined with a string of purchase approvals to upgrade everything else that demands it, is why it ultimately will be.

If only another big player could release continued security updates, or ideally more than one to help both competition on price and a choice of whom to trust for such a thing.
There is definitely a market for very long term support, which you have to look no further than IBM to see.

In fact many would trust IBM to fill such a role if they were to do so. Others may trust Google. I'm sure there are plenty of other examples as well.
But I don't see "long term windows support" being in many of those companies interests, nor see microsoft going along with such a plan even if they were.
Microsoft wants you to buy their latest shiney instead, Google would prefer you didn't use Windows at all, and IBM doesn't seem to be as big on the support thing these days even for their own products let alone microsofts.

All of those facts factor in to the cost of providing security updates, and does raise the bar quite a bit higher than it would appear at first glance.

Re:End of support, not "end of life".

From the article you linked [futurepower.net]:

The final result: After the defects in Windows XP are fixed, there won't be any more defects. Microsoft has provided thousands of fixes for Windows XP. Eventually all will be found and fixed, and Windows XP will be completely secure.

I about lost it when I read this. It was humorous when you were talking about getting all users in a company to use noscript/flashblock/ghostery which wouldnt happen, you would have constant complaints that xyz page does not work; however, when I hit that line I realized that you really had no clue what you were talking about. All of the bugs will never be found.

Re:End of support, not "end of life".

For Microsoft software, the end of support usually denotes the end of life.

Re:End of support, not "end of life".

[ledow]

End of life - when it's no longer secure (comments above on your statements to this effect... your concept of a "now fully secure" OS is just laughable - there have been OS in place since the 60's and ALL are either still receiving updates or - more likely - have known holes. Nobody has yet made anything "secure" at all).

End of life - when it no longer boots (UEFI vs BIOS, 32 vs 64bit, IDE vs SATA, no certified SAS drivers for the RAID controller so you can't run proper failover clusters, etc.) XP died at my last workplace when we were unable to get XP drivers for off-the-shelf components any more and had to pick-and-choose suppliers carefully, argue with BIOS manufacturers to retain compatibility, etc. Hell, try buying a PC that still has IDE and that's not that old.

End of life - when none of the software you use will still run on the old OS.

End of life - when you have to employ tech staff with out-of-date skills that they don't have the opportunity to update because of your policy, and then realise the next upgrade means new staff and having to fix the problem anyway.

End of life - when the software is a dead do-do that nobody wants to touch, let alone guarantee support for, let alone work on, let alone ensure compatibility with.

Sorry, but everything has an end-of-life. Sure, you could probably run a mom-n-pop shop on some old DOS accounting software. But that's not "IT", that's just "Computing".

If you want your business to interact with others, to not have to manually pass off information to your auditors, to be considered secure enough to pass PCI-DSS so you can take credit cards, etc. or even just to be used by users without specialist "backwards" training, then there is most certainly an end-of-life, and it correlates rather well with the MS end-of-life in this case.

I agree that computers "don't get slower", they are always the same speed as the day you bought them, that software "doesn't get worse", it's the same software as the day you bought it. I get the comparative nature of this. But that's NOT anything but anecdote in the real world, no matter how small an outfit you are.

When you can't log into your damn bank because it's said that IE6 is too old, your system is end-of-life. That's the end of it. Because to fix it, bodge it, fake it, or upgrade it costs more than just following the rest of the world in their lowest-accepted technology standard.

Re:End of support, not "end of life".

If a bug is never found, hence never exploited, does it matter?

Re:End of support, not "end of life".

The vulnerability risk footprint is limited to the LAN, and then only really to windows file sharing (that and SQL server are the only exposed services) Not zero for sure, but taken alone not enough of a reason to justify the cost of an upgrade.

Tell that to Target and Home Depot regarding the POS systems, which were not connected to the Internet, but were still attacked.

Just because something is "inside" doesn't mean you can ignore its security.

Re:End of support, not "end of life".

[JackieBrown]

There is definitely a market for very long term support, which you have to look no further than IBM to see.

In fact many would trust IBM to fill such a role if they were to do so. Others may trust Google. I'm sure there are plenty of other examples as well.

I agree with IBM to a point but Google doesn't have the best track record of supporting their products after they decide the product has reached the end of its life. In fact, they probably have one of the worst.

Re:End of support, not "end of life".

[Windowser]

When you can't log into your damn bank because it's said that IE6 is too old, your system is end-of-life. That's the end of it. Because to fix it, bodge it, fake it, or upgrade it costs more than just following the rest of the world in their lowest-accepted technology standard.

You can just install another browser that is more secure than ANY version of IE anyway, like Firefox or Chrome
Even better, install a secure OS : https://www.debian.org/distrib...

Re:End of support, not "end of life".

[dissy]

Just because something is "inside" doesn't mean you can ignore its security.

I'm curious, which one of "low risk", "risk limited to lan", or "not zero risk for sure" did you interpret as me saying there was no risk and thus security is being ignored?

Or was it just the statement that it actually is being upgraded that sounded like " being ignored"?

I of course was light on details, since they don't really matter here, but I feel I spelled out most of the points in my risk analysis process such that "ignore" is a pretty unfitting adjective for what I actually said.

Re:End of support, not "end of life".

[dissy]

I agree with IBM to a point but Google doesn't have the best track record of supporting their products after they decide the product has reached the end of its life. In fact, they probably have one of the worst.

Sadly that is true.

In my previous post I was more thinking along the lines of trusting IBM/Google/etc to release updates that actually fix vulnerabilities instead of intentionally injecting new ones - more as in comparison to those shady sites out there hosting windows update msis for people using pirated windows without full access to legit update channels.

While I personally would trust Google in that sense, I do have to agree I can't say the same about them "sticking with it" for the long run.

Of course I don't really see them even starting this to worry about them closing down the beta a few months later ;P
But your point remains.

Re:End of support, not "end of life".

[PlusFiveTroll]

Never is a long time. Next, you are a poor risk assessor. If a bug exist, but is not found by you that does not mean it has not been used or exploited by someone else.

Re:End of support, not "end of life".

[Ol+Olsoc]

"End of life" is a marketing term used so Microsoft can sell more copies of Windows, apparently. My understanding is that fixing newly discovered vulnerabilities in Windows XP or Windows Server 2003 would be fairly inexpensive.

Yup, exactly.

Imagine if you would, you have an air conditioner on top of your building. Costs a million or so dollars. Then you get a call from the company you bought it from telling you you need to buy a new air conditioner. You ask why, and they tell you its at "end of life for support". Despite it working fine, and showing no reason it wouldn't work for years to come, they want you to spend a couple mil for the new air conditioner, which only does the exact same thing the old one did.

You of course would stand a pretty good chance of telling them to slag off. I sure would.

Whereas you or I might think in terms of latest and greatest, the bean counters look at possibly replacing an entire computing ecosystem that is working, and replacing it with another, to get nothing more than they already had. Its a hard sell.

I see a lot of places still running in the XP ecosystem. I can think of a lot of reasons they should update, but then I'm not the one shelling out the money to replace working computers.

Re:End of support, not "end of life".

[PlusFiveTroll]

>I agree that computers "don't get slower", they are always the same speed as the day you bought them, that software "doesn't get worse", it's the same software as the day you bought it. I get the comparative nature of this.

This is true, but at the same time growth in data sets can make this not true too. Start out with a customer database that has a limited number of fields and it works great, everything hot fits in cache, most of the database fits in memory. Then as the years go buy you need to store more information. You add more columns, for things like email, websites, whatever else you can think of. All of the sudden your it doesn't fit in cache and you get a dramatic slowdown. You decide to live with it rather then spend $10,000+ to upgrade. You add many more customers, now the data doesn't fit in memory and you're going to disk and swap. I see this happen in real life quite often with large companies that take 10+ seconds to look up customer records.

Software doesn't change, but data does. And the data makes or breaks the system.

Re:End of support, not "end of life".

[afidel]

Imagine if you would, you have an air conditioner on top of your building. Costs a million or so dollars. Then you get a call from the company you bought it from telling you you need to buy a new air conditioner. You ask why, and they tell you its at "end of life for support"

Happens all the time, if you can't get a new compressor or control board and there are none available on the secondary market you have to scramble to find a correctly sized replacement and get a crane in to do the swap to the newer unit. We had that happen with our 15 year old building here at our HQ, luckily our roof units were installed in redundant pairs so it was without the mad scramble for a replacement unit, but we had to replace a relatively young AC unit because parts were no longer available from the manufacturer.

Re:End of support, not "end of life".

[Just+Some+Guy]

Our Exchange server was also safely being a Postfix "firewall", but we also configured it as a smarthost so that Exchange never had to contact the Internet directly. You might see if that's an option for your setup.

Re:End of support, not "end of life".

[Ol+Olsoc]

Happens all the time, if you can't get a new compressor or control board and there are none available on the secondary market you have to scramble to find a correctly sized replacement and get a crane in to do the swap to the newer unit.

But I am talking about a perfectly functional unit. Imagine if you had to spend all that money every few years to replace units with no problems. That isn't even maintenance, it is planned obsolescence that the late 50's automobile industry couldn't match. At least those cars were falling apart (purposefully) This tactic bears a strong resemblance to extortion.

Re:End of support, not "end of life".

[afidel]

There is NO software vendor that offers longer support than MS for free, not one. There are only a handful of products that even offer a supported lifetime longer than 10 years which is the MS standard, and of those the longest other than IBM's mainframe OS is 12 years. This isn't about extortion, it's about the realities of the software industry and the inability of companies to profitably support the very longest of long tails.

Just like with the AC unit, the vendor isn't telling you you may no longer use the product, they're merely telling you they will no longer offer support for it, if XP continues to work for you, then that's fine keep running it, but it won't be updated by MS just like the manufacturer will no longer offer warranty extensions or out of warranty repair parts (although for at least 3 more years MS will support 2003 if you sign a custom agreement and pay them high 6 to mid 7 figure annual support contracts). I've seen CNC machines running MSDOS in the early 2000's, many many years after MS stopped supporting the OS, so it's not like the software just dies at the EOS date.

Re:End of support, not "end of life".

Then it needs to get a life.

Re:End of support, not "end of life".

[drinkypoo]

Happens all the time, if you can't get a new compressor or control board and there are none available on the secondary market you have to scramble to find a correctly sized replacement and get a crane in to do the swap to the newer unit.

I don't understand why losing a compressor necessitates replacing a whole unit in a commercial context. Why can't you just get another compressor with the same displacement and swap that sucker in there?

Re:End of support, not "end of life".

If the operating system has a security bug, that's a problem so your comparison is your "imagine" scenario is pointless. You can keep using 2003, you just don't get support. Basically you're just an idiot.

Re:End of support, not "end of life".

[Ol+Olsoc]

If the operating system has a security bug, that's a problem so your comparison is your "imagine" scenario is pointless. You can keep using 2003, you just don't get support. Basically you're just an idiot.

And so are the others who have spent multiple millions on presently functioning networks, and now have to spend multiple millions more to get their new networks to do - the same thing their old networks did.

Issues like virus vulnerability are details. These new OS's - I'm assuming they are completely secure?

And if you don't get this, you have a lot of chutzpah calling me an idiot.

Bullshit.

That was exactly his point: you can hire another company to continue the maintenance.

Exactly what company are you going to hire to perform security audits and patch an ungodly number of packages for a Linux distribution from 2003?

MythicalUniCorp?

Because I hear they're still patching Windows 3.11 for Workgroups. How? Doesn't matter. If you can imagine it, it must be true!

Re:Bullshit.

[jones_supa]

The message from "Black Copter Control" above contains a hyperlink with an example of such deal.

Remember Conficker?

[Dynamoo]

The problem isn't that Windows 2003 will stop working.. the problem is that it won't get patched. Now, servers are generally lower-risk than client PCs because they just tend to do a couple of things without users surfing for porn, reading email or downloading crap. And also the products *running* on those servers may well continue to get updates anyway.

But about once a year or so, there is a vulnerability in Windows that is exploitable over the network remotely without authentication, the sort of thing that Conficker used to spread on (i.e. MS08-067). Wormable vulnerabilities are the highest risk, and the time between the flaw being announced and an exploit being created can just be a matter of days.

So, eventually those Windows 2003 boxes are going to get pwned. It might be weeks or years after 2003 goes EOL, but eventually it will happen.

Rewrite?

"But if you have to rewrite apps, that's not going to happen in time,"
Challenge accepted

Re: Rewrite?

Exactly. Jobs. Unemployment = BS.

32bit vs 64bit

[thegarbz]

Can someone please clue me in as to why this is a problem? I mean we run 32bit software on Windows 8.1 so why should this be any different on the server? I was under the impression that the compatibility issues only really existed for drivers and that backwards compatibility was an issue (64bit apps on 32bit OS) but that forward compatibility is assured.

The hangers on for the Windows XP era had a lot more to do with Internet Explorer and the clusterfuck of web services which depended on it at the time. Is there a legitimate difference on the application level as well that makes this upgrade impossible? I'm not buying what the summary is suggesting.

Re:32bit vs 64bit

Running 64 bit programs on a 32 bit OS is technically not a problem. Both Apple OS X and IBM AIX does this. It's just a matter of the operating system supporting it.

Re:32bit vs 64bit

[Dynamoo]

Application compatibility in Windows 8.1 is pretty good (except for really ancient 16-bit apps).. but a server environment is different with products that are often much more complicated and with very difficult migration paths to a newer version. If one exists. Take for example database clusters with custom code written by people who no longer work for the organisation - migrating from those is extremely difficult.

But.. although it is a pain, but Microsoft's EOL was well-known many years in advance. People are moaning about the dropping of support, but it has been around for 12 years. For a migration path Windows 2012 R2 will be supported until 2023, Windows 2008 R2 until 2020

Re:32bit vs 64bit

OS X does this by having 32bit and 64bit binaries in the app bundle. It does not ever run the 64bit binary under the 32bit kernel. iOS behaves the same.

Also on the OS X side (not iOS), they also haven't shipped a 32bit kernel in quite awhile.

Re:32bit vs 64bit

[crunchy_one]

Yes, OS X prefers the 64-bit binary, but will happily run the 32-bit binary if that's all there is.

Re:32bit vs 64bit

[kthreadd]

Actually he/she is right. OS X does support running 64 bit binaries on a 32-bit kernel. OS X didn't even have a 64 bit kernel until 10.6 and it wasn't until 10.7 when OS X started to boot into the 64 bit kernel by default, but you could still run 64 bit programs just fine back to 10.2 just as long as you had a 64 bit CPU.

Re:32bit vs 64bit

It does not ever run the 64bit binary under the 32bit kernel.

According to John Siracusa this is not the case, and he's usually right when it comes to OS X. From his Snow Leopard review:

Finally, this is worth repeating: please keep in mind that you do not need to run the 64-bit kernel in order to run 64-bit applications or install more than 4GB of RAM in your Mac. Applications run just fine in 64-bit mode on top of the 32-bit kernel, and even in earlier versions of Mac OS X it's been possible to install and take advantage of much more than 4GB of RAM.

Re:32bit vs 64bit

I defy you to take an arbitrary piece of commercial software which was certified on Windows 2003 and install it on 8.1.

The installer might mark an explicit dependency on an OS, or just simply refuse to install on another one.

It's very difficult to write software which installs using Microsoft's approved mechanisms which will work on an OS which was created years after the software.

We're in the middle of dealing with EOL Windows 2003 servers ... and the software we need it for simply won't play nicely on a modern OS ... and the software is business critical.

Unfortunately, sometimes management makes decisions which ties the hands of the technical people ... who then find themselves with no way forward, and no way back.

Re: 32bit vs 64bit

[Billly+Gates]

Doesn't help if server 2003 sole purpose is to run IE 6.

MS forced it off the desktops with EOL for XP through what some would say extortion.

Server 2003 has IE 6 and with citrix can run due to quirks mode hacks to get it to display at all. So now what? Upgrading is not acceptable. You positively absolutely can never upgrade apps that are the business process which store data in a proprietary format

Re:32bit vs 64bit

[PlusFiveTroll]

Some of the time older programs work, and other times they don't. Take some ancient version of Advantage database server, or a whole pile of proprietary DBs. Installing older versions on newer Windows is almost certain to break. Many have copy protection schemes that make assumptions on how Windows operates.

It's not simple to just go and upgrade

[Neo-Rio-101]

The reason why a lot of these businesses haven't upgraded is because it usually takes years to make this happen.
If you're a business who IT department or enterprise support vendor is running in full ITIL mode with a few ISO business standards thrown in for good measure, it really does take that long.

The amount of paperwork and busywork that needs to go into something as relatively simple as an OS upgrade is something to be marvelled at when you actually have to work in that environment. There are whole massive bureaucracies and months of meetings, followed by change review boards, and more change review boards and testing and more testing and backout plans, and risk registers, and more meetings, and then you have to wait for the next meeting to come along before going onto the next stage.... and and and......

So to all these people saying "just run open source" have never run a multimillion dollar business and relied on Windows to bring home the bacon. Much less have they ever considered being a large collossal IT support vendor that has to maintain SLAs and can get hit for penalities of millions of dollars if those SLAs are breached. These are not nimble organisations. They are not cowboys. They cover all possible failure scenarios and document everything from multiple support networks before they lay a single mouse click on the box.

Re:It's not simple to just go and upgrade

which will teach them to go open source next time.

Re:It's not simple to just go and upgrade

Everything should always use Linux, even when Linux is not the right tool for the job. Always.

Re:It's not simple to just go and upgrade

[DMJC]

So all those servers that are running the internet, and the VoIP servers that require 100% uptime and can be sued for any downtime by large call centres/organisations of people are being stupid by running Linux? Linux meets SLA's, it's idiot engineers who slap systems together without proper testing/maintenance who break SLAs and Windows doesn't save them, it just buys them a bit of time until the excuse that "Microsoft did it" stops buying customer patience.

Re:It's not simple to just go and upgrade

Right. Because open source guarantees them more than 12 years worth of updates, of course.

Re:It's not simple to just go and upgrade

which will teach them to go open source next time.

That doesn't solve the problem, because most of the time the processes are the same, regardless of the stack.
It takes just as many meetings to roll out a LAMP upgrade (or whatever) as it does for a Windows stack.

Re:It's not simple to just go and upgrade

[drinkypoo]

So to all these people saying "just run open source" have never run a multimillion dollar business and relied on Windows to bring home the bacon.

Right, because that would be fucking stupid. If you're relying on Windows, you're relying on Microsoft, and if there is a tech company which has shown itself to be less reliable then Microsoft then it's Oracle and how do we feel about them?

Re:It's not simple to just go and upgrade

[Blaskowicz]

no, that may teach them to go with a mainframe, for the better or the worse.

Re:It's not simple to just go and upgrade

Linux meets SLAs? No, services meet SLAs.

Re:It's not simple to just go and upgrade

The problem is that there are no real 'upgradde' (sic) paths. My old business ran Small Business Server 2003, that provided many services for a small business on a single, easy to manage platform. Everything that has been trotted out since then was more expensive and required more boxes to essentially do the same or less. More hardware, software, license fees, support headaches, multi-platform complexities... And now MS wants all this 'in the cloud' so EOL for the whole concept. Unfortunately, not all small businesses live in places where there is affordable local fibre or equivalent high reliability, high thruput, low cost pipes. This is all non-trivial code so there will be bugs. And the ongoing process of fixing old bugs seems as effective as always in creating new ones. But overall it just did its job with relatively little whining or petulant demands for attention.

Unlike marketing concepts, software does not have an end of life (look at the mainframe world...). But support organizations do. And when software evolution is intentionally disruptive its even worse. But this was a nice collection of functions for a small business and nothing I have seen since comes close. I am sure that I am not the only one who feels abandoned by MS. But since the business is closed and I am retired it no longer matters.

Re:It's not simple to just go and upgrade

[H0p313ss]

You've had seven years to plan your upgrade to 2008, how many more do you need?

Re:It's not simple to just go and upgrade

[jbolden]

Linux system reliability because it is so cheap is based on overlap and redundancy. That actually turns out to be a better strategy than moderately more reliable. It isn't as good a strategy as much more reliable and overlap like you have with a mainframe. But once you start going multisite Linux beats out the mainframe.

So in short, it isn't that simple.

Re: It's not simple to just go and upgrade

[Billly+Gates]

Yeah with SystemD. Gee where do we sign up?

Re:It's not simple to just go and upgrade

[drinkypoo]

It isn't as good a strategy as much more reliable and overlap like you have with a mainframe. But once you start going multisite Linux beats out the mainframe.

Well, you can have mainframes in multiple locations, but that's an awful lot of money. Thing is, if you aren't multisite, you can't reasonably guarantee uptime. Bad things happen to good sites.

Re:It's not simple to just go and upgrade

[jbolden]

I agree which is why multisite makes sense. Mainframes can be multisite as well but they aren't designed as well for multisite operations. Too many things assume low latency and more reliable networks than WANs can provide.

Time for Wine

Wine emulates 32-bit Server 2003 fairly well. Hell, Visual C++ 6 works perfectly. For all your legacy crap, it's time for Wine.

Re:Time for Wine

[OzPeter]

Wine emulates 32-bit Server 2003 fairly well. Hell, Visual C++ 6 works perfectly. For all your legacy crap, it's time for Wine.

You do know that that the name Wine is one of those fancy-pants self-referential recursive bacronyms, don't you? You know .. "Wine Is Not an [fill in the blank]"

Re:Time for Wine

As you know. Wine is a not an emulator. It's a compatibility layer like Windows-On-Whatever.

Re:Time for Wine

Or, the alternative reason for the name: WINdows Emilator.

See, depending on your point of view it is, or is not, an emulator.

Re:Time for Wine

Who is Emil?

Re:Time for Wine

[pz]

Didn't work for us. We have an application that has been developed over about 10 years in VB6. No one has the budget -- either in finance or time -- to port. We looked at Wine as a plug-and-play replacement for XP and the application did not work correctly, 100%. The application is mission-critical, making anything less than 100% compatibility a non-starter. So we're stuck with XP until the next big grant comes in and we can afford to pay someone to port it to a more modern system.

Don't get me wrong, Wine is an impressive amount of work, and my hat is off to the brave folks who have put so much time and effort into it. It just isn't good enough for our needs, unfortunately.

Re:Time for Wine

[ledow]

Wine is great. As a supporter of Crossover Office, etc. it can be a great product. For personal use.

I'm not sure I'd ever use it for anything commercial - the risks of a crash at an inopportune (and, by definition, unusual) moment are quite high. You have no way of testing every codepath and it'll be those codepaths that you only do once a year or in special circumstances that will matter. And those will tend to be your important ones that can cause damage if the behaviour isn't exactly as expected.

I ran Office on Crossover for many years, for compatibility with my employer's systems. I have run any number of utilities, functions, games, and other software through Wine and its derivatives. But I'm not sure I'd ever use it as part of a supported deployment.

It's not because it's open-source, or free, or anything else - I happily deploy MySQL, etc. on networks that I support. But Wine is just too complex and the parts where it's incomplete may well only affect your application and no others. And finding those problems and patching them to fix it requires not just programming skill, but deep knowledge of Windows and deep knowledge of the application in question.

Wine is fabulous. But not for work. Sorry. I've deployed OpenOffice/LibreOffice to entire schools when we had Microsoft Office paid for already, but equally I've decommissioned Linux thin-clients that weren't fit for purpose. And Wine is not one of the things I'd use except for where it really doesn't matter.

And, sorry, but if something's running on Windows Server, it matters. (Equally, however, I would not allow it to have lingered on 2003 this long anyhow, for the same reasons - it matters).

Re: Time for Wine

[Billly+Gates]

Funny I moved them to server 2003 with Citrix for access. Problem solved ... until now.

I am leaning towards keeping the VMs off the Web so users can use them forever.

Really you or your boss should be fired for running XP. If you do credit card processing you are breaking the law too.

Re:Time for Wine

Yes, and just like LAME (Lame is not An MP3 Encoder) it's a poorly suited name. LAME's name was acceptable in its initial stages, but it certainly isn't true anymore and thus it's a stupid name. WINE is in fact an emulator. Emulators are not, despite the wide-held misconceptions to the contrary, only for hardware architectures. This has a lot to do with Alexandre Julliard's ego and not wanting his project to be associated with emulators that were, at the time, very shoddy. He's a bit of a douche in that regard.

Re: Time for Wine

[cusco]

Well, not breaking the law, but breaking the PCI contract. Even then, it's only if you're doing CC processing on that machine or some transaction related to the processing. The receptionist could be using Win95 for all the PCI cares, as long as she can't touch the financial system.

Re: Time for Wine

[pz]

Really? Fired? Funny, 'cause I'm the boss. If we had an application running under Windows 95, _and it worked_, there would be absolutely zero reason to do anything with that machine when there are other, more important, ways to spend our time. Granted, that hypothetical machine would not be on the net, 'cause we aren't stupid.

The real machines we have running XP, run our experiments (and they have never been on the net for other reasons); until such time as the boxes die, they will continue to run our software, and continue to run it under XP. And then, they will be replaced with the identical backup hardware we have, giving us enough time to get a grant funded to have someone port the code to a more modern system. Until then, we have science to do. Computers, in my lab, are like any other tool that is to be used to collect data and advance knowledge -- pens, screwdrivers, oscilloscopes, whiteboards -- and are not an end unto themselves.

MS FAIL

You're stupid! Windows 2000 is still the default server platform that most companies deploy. WS 2003 is not even close in comparison. If you want something small that can maximize utilization especially in a virtualization environment, then there's no alternative. Vista on my server, no thx. And the new tablet-version, seriously what were you thinking?

Planned obsolescence

So you are coerced to cough out more money for Microsoft's newer software.

Which in turn keeps the MSFT shareholders happy.

That's capitalism for you. A constant treadmill of consumption.

Re:Planned obsolescence

Actually you're not coerced at all. You can continue to use Server 2003 forever and pay no additional money. However any security flaws that might exist will be your own problem.

Re:Planned obsolescence

As the other poster said, there is no coercion at all. You are free to not use Microsoft in the first place, and you are free to switch away from them at any time.

Besides, When you use Linux, you help the Republicans.

Perpetual motion.

[ledow]

You wrote (or used) software that only works on Server 2003 / Windows XP / etc.

Then it's your own fault.

No doubt your replacement project will rely on .NET 4.5 or whatever and then when that stops being supported you'll have to do the same things all over again in a few years.

Or you could, you know, not use software that is tied to any particular manufacturer, technology, etc.

I'm just not sure what most places get out of being tied into MS technologies like this. Sure, if you're doing some heavy Office integration all the time with this, that, the other then you've tied yourself in, but where is that necessary compared to your software churning out some intermediate format and then just having the intermediate format converted to the one you need?

I don't get it, honestly, and supposedly "clever" IT businesses still fall for it every time.

Nobody is saying that software is immortal, but really it's blinkered to still be running stuff that's dependent on - what? ActiveX and IE6? Come on!

There's no excuse now. I get frustrated when I still see CCTV units for £50 sold with ActiveX components to do their web-view, when they have Android apps and all the rest working already. Stop it. Seriously. And that's at the cheap-junk end of the market.

If you can't abandon Server 2003 because of the applications you use, DON'T fall into the trap next time. Get yourself something that runs pretty independent of the OS already. There's very, very, very little that can't be done with web-based stuff (without requiring plugins) or just sheer open-ness at the intermediary layer so you can get someone in in ten years time to write a new "XML -> whatever" interface that bolts on to your existing system to replace the "XML -> Win64" interface you have now.

Seriously, people, stop it. If you're going to break the endless cycle of annual renewal of MS licences, you have to get off their locked-in development tools and technologies too. The same with Apple. But there is NOTHING stopping you making something that will work with Windows, Apple, Linux, Android, iPad, Windows Phone, etc. all in one hit now, and could be run FROM any of the above too if you needed it to.

Virtualised environments mean that someone handing you a VM with a Linux Guest OS as their entire product is not uncommon in my industry (Smoothwall, etc.), and it means you can run anything on anything nowadays.

If you're still on 2003, I judge you on so many levels, but the stupid decisions you may be about to make are COMPLETELY AVOIDABLE here, now, today before you make the same mistake again.

Re:Perpetual motion.

It's not as easy as you think.

Most of the time, the barrier is not technology or lack of knowledge of the IT dept.

Often times IT is seen as nothing more than a cost center with no value added to the company, and people try to minimize it to the bare minimum.

Which leads to not having the funds (and time) to build something from scratch, not having the time (and funds) to retrain personnel to use said new systems, not having the authority to simply impose the new tools and letting those 60+ year old secretaries adjust or die off.....

And lets not even get in the mess of business ties (and kickbacks) certain people get for buying M$.....

Not all places are like that, but the far greater majority.

Re: Perpetual motion.

[Billly+Gates]

IE 6 is the deface standard for corporate America for 10 years. What else should it run on? Name one standard compliant browser with more than 5% market share for the first part of last decade?

Thsee apps related people to save money. They go down then people do not get paid, supplies do not get ordered, contacts can't be signed, etc. They CAN'T be replaced. They have business logic that is custom with macros tailored just to the business. It must always stay the same and never change. What is wrong with you all?

Re: Perpetual motion.

[armanox]

With that kind of logic, Windows is not the OS to be running. Maybe try Solaris, IBM i, or IBM AIX, all of which have much longer support cycles (SGI IRIX did too, but finally ended in 2014.)

Re:Perpetual motion.

[michaelmalak]

The mindset in 2003 was different:

1. Network security was not as high profile. The term "Patch Tuesday" was only just invented in 2003.

2. The industry had not yet experienced a painful Microsoft EOL. Windows NT 4.0 was not EOL'd until Dec. 31, 2004.

So please stop judging with hindsight.

Re:Perpetual motion.

[cusco]

Right, the hospital that spent a gazillion dollars on an MRI machine should just throw it away because the control software runs on XP and Win7's security model breaks it. Get out in the real world and see what end users have to work with.

Re:Perpetual motion.

[ledow]

When that machine is on its own and doing fuck-all? No.

When that machine is needed to join onto, say the UK NHS backbone and thus present a Windows XP machine into the midst of everyone's medical records? Yes.

Want to know why I think this? The doctor that lives with me and works in labs with JUST THIS KIND OF THING is always pushing for them to be thrown out for not just security reasons (i.e. they can't join to the backbone because of shit like this), but because they become rapidly unusable, have to be serviced and re-imaged all the time, have to be kept on separate networks, meaning they have to transfer files on intermediary drives all the time (meaning virus transfer possibilities), and they also CANNOT BUY THE DAMN PARTS for them because nobody can stick the £200 of (in her case) genetics software back on because the company will charge £10,000 to give you a new IDE hard drive with it on instead.

This is EXACTLY the sort of shit that should be binned, and replaced with a government- or lab-specified standard interface and rolling contract to update/support as necessary rather than literally paying through the nose for ingrained suppliers to send hospitals old shit from junkyards to keep old Windows 98 software running that should have been binned decades ago because it doesn't even support long filenames and every patient is GENE0001.DAT, GENE0002.DAT and a FUCKING GENETICIST has to piss about moving them one by one into the proper NHS backbone under the right patient name manually because nobody else is allowed to certify that that data belongs to that exact patient (because it tells them shit like if they have cancer, etc. and one fuck one means the lab gets the blame, not the technician).

So, fuck yes. Join the real world.

Re:Perpetual motion.

[cusco]

Good rant. We'll have to agree to disagree on this one.

Re:Perpetual motion.

Certainly took you a long time to make your pointless.

"End of Life" is natural for most software

[squash_me_quickly]

It is utterly unreasonable to expect a software supplier to provide free updates for software "in perpetuity".

Microsoft is a business, they make money from selling new software. If you don't like that they make their software obsolete, ask them to make change their business plan.

Software could be sold with free updates until a "replacement" is released, and then one pays for an "update subscription".

This way one could have chosen whether one upgraded to "Windows Server 2008", or pays a yearly fee for updates "in perpetuity".

Nothing is impossible....

Nothing in IT is impossible to accomplish.

However there is such a thing called cost.

The equivalent of impossible in IT is prohibitively expensive.

Software can be recoded, even if it was originally coded 50 years ago. The cost however of reverse engineering it is what keeps them from doing so.

This makes me so happy

[kilodelta]

That I went in the direction of the Linux world and got the hell away from Windows in general.

Between licensing costs, patches that break key functionality, etc. who the hell wants to stay on Windoze?

I like the Linux update mechanisms between apt-get on Debian and Ubuntu to yum on RedHat and CentOS. And it's fairly easy to roll back an update too. As opposed to windows where even some of your config data gets hosed in the process.

And if you're worried about things like AD, Domains etc. just install SAMBA on a Linux box and couple auth to LDAP. Life gets lots easier.

Re: This makes me so happy

[Billly+Gates]

Right because 10 year old linux apps are 100% compatible due to the standard Linux ABI ... oh wait

For this reason we do not run Linux at work.

So firewall it already

[davidwr]

If you simply can't live without your Win2003 server and don't plan on paying MS for additional support, make sure you:

* Move everything that can be moved off of that server onto a vendor- or reliable-third-party-supported solution.

* Make and test backups frequently. Make sure you have a way of bringing the server back if your hardware dies or server room goes up in flames/earthquake/flood/whatever.

* Put a vendor- or reliable-3rd-paty-supported hardware* firewall between it and the networks that it is attached to. Make sure the firewall(s) block all in-and-outbound traffic that isn't absolutely necessary.

*"Hardware firewall" could be just a PC or server providing firewall services, it doesn't have to be a box that was designed to be a firewall. If you are running Win2003 server in a VM, your hypervisor/host-OS can act as a firewall. Make sure it is supported by the vendor or a reliable 3rd-party though.

Come to think of it, this is good a good "starting point" even if you are using vendor-supported equipment and software throughout your enterprise. The difference is that if everything is supported, you can probably get away with putting multiple functions including your in-house-custom-apps in one server and (for small-load-situations) enjoy the cost- and speed benefits that come with doing it this way.

Re:So firewall it already

[drinkypoo]

The problem is that leaves you vulnerable to trojans on the local network which might be able to get user-level access on some newer machine and parlay that into a connection to your win2003 machine and get admin there.

Re:So firewall it already

[petermgreen]

The tricky situation comes if you've built your application on top of windows network functionality rather than directly on top of TCP/IP. That can make it very difficult to lock things down with a firewall because the high risk ports and the ports your application relies on can be one and the same.

Rights without responsibility

MS should release the copy rights on this OS. They want to retain the rights to the code, but do not wish to live up to any responsibility of that right, since it would cost them money. Worse: it merely wouldn't make them as much money.

The quid pro quo of copy rights were that we'd be able to learn from it and use the copyrighted work ourselves in future.

However, there's no way to get the source code before Microsoft sees to it that every and all copies of the source code is deleted and unusable.

Yet we STILL have to give them the rights that they do not wish to pay for????

The MINIMUM they should be doing is releasing the code.

To head off "They're using some of that code in their latest OS!", HOW THE HELL DO WE KNOW??? That's closed source too! And those getting a new OS are paying for code they already paid for with the obsoleted OS. And this makes the copyright expiry of the NEW OS fragmented. Some of it should be opened years before other bits (if they every get made to live up to the bargain we all signed up for...).

Moreover, SO WHAT? It doesn't open up the code for the new OS by opening up an OS that has some of the same source code lines as it has. So why is it an issue?

Answer: it isn't. It's a "LOOK! SQUIRRELS!!!" cry of those who want rights without having any responsibility.

If MS want to keep the code rights, they should be REQUIRED to support it. They won't let anyone else do it.

The Linux ABI *is* standard

What you have heard about, but never understood, since it made a nice "talking point" against linux, hence was all you needed or wanted, the ***KERNEL*** ABI is NOT standardised.

I can still run Heretic and Rune on modern Linux.

Fallout1 and 2 won't work at all on Win7, even with compatibility with 95 or 98 applied.

Re:The Linux ABI *is* standard

[drinkypoo]

I can still run Heretic and Rune on modern Linux.

With the proper special libraries, once you do enough setup diddling.

Fallout1 and 2 won't work at all on Win7, even with compatibility with 95 or 98 applied.

You think that's bad, civ2 won't work in XP Mode, which is actually using a virtual machine. Just, you know, the crappiest one there is.

COBOL

[Tablizer]

This is why COBOL and mainframes continue to live on. Applications on them are often 30 or more years old and continue to work.

Companies don't like to pay loads of money for line-of-business apps only to have to pay loads again 12 years later to revamp it for the latest-and-greatest server/language/OS, especially for something with little or no UI.

Microsoft is keeping COBOL and mainframes alive and well.

OS is cheap. Migration is expensive

[Fencepost]

I work with a few places that still have 1-2 2003 servers around, and for some of them we'll probably be locking them off from any external access and doing a few other things to restrict them while still keeping them around (possibly mostly powered down except by request). That's because they're legacy systems still running old software that someone occasionally needs to refer back to - primarily old diagnostic imaging or practice management/EMR systems which are long out of support.

I have a few places that are 1-3 doctors, 3-6 staff, and they have an old system that they need to go back and refer to every week or two for things that didn't get migrated when they changed EMRs. Migrating everything out of that old system into something like PDFs for attachment to the current system would be cost-prohibitive; paying for migration ("Sure, we'll be happy to upgrade you to our new version, it'll be just like you're switching back to us, shouldn't be more than $30k or so") is the same. We long ago VM'd almost all of these systems along with upgrading/replacing where feasible, so there's not really an added hardware maintenance cost for keeping the VMs around.

And before people say "you should have migrated everything," the last migration we did, the new vendor wanted and would accept a very specific set of fields - all on a single (large) Excel sheet. Everything migrated was practice management data - demographics, insurance, etc. NOTHING clinical was migrated (possibly for liability reasons - what happens if your import of the peanut allergy info fails because of something stupid). For clinical data, the staff at the practice still goes into the old system, generates a set of reports into PDFs, then attaches those PDFs to the new electronic chart as if the customer was coming from another practice. Migrating all the patients makes no sense, this is a specialist practice where a significant percentage of patients are seen for a year or less, then are not seen again for years if ever.

Just classic folk out there

I think some folk spotted the real problem, and the normal circlejerk of Linux hurr-durr SGI hurr-durr (really? Irix?). Then open-sourcing windows - really? They're a company too. Screw that. Millions of hours of work in that now, to support systems and companies all over the planet and the diverse tech calls / feature requests they've got to make stuff work. For better or worse, it does the job well enough most of the time, just like OSX or RHEL or VMWare or Riverbed. They've invested billions in R&D and people, who some people just want to sponge off - "... we'd be able to learn from it and use the copyrighted work ourselves..." - really? Get off your arse and go make a company as successful as Microsoft. Some people have done it. Even making a successful phone app can make you a millionaire, but not many do. It's a dog eat dog world.

To the person saying that the default VM guest is Server 2003 - ESX 1.5 was the version out when Server 2003 got released, no hyperV or OVM at that time. So well done, you're using a (to paraphrase) "lightweight, efficient OS" that wasn't even designed for virtualisation. You're completely relying on the drivers at the hypervisor layer to fix whatever incompatibilities occur from hardware. And likely the teams at Microsoft and VMWare (making an assumption about your hypervisor) to keep talking to one another, shaking their heads, trying to figure out timing from the clock up through the stack and not to bork Server 2003 when underneath it's a DL380 G9 (or BL460c G8) and not the original DL380 G3 from when you put that system in around 2004 (or a decade ago). And got physical to virtual migrated some time in 2011 or 2012 rather than a clean install. Which admittedly removed the physical risk (hopefully) but nothing else.

Software wise - I don't know what to say when people say "but why do we need to upgrade (or patch?!)" and then "I do apt-get and upgrade mah OS so easy". So I would say to those still on the "I can't touch these boxes" - at least try it. By now, if you're anything towards responsible you've done an assessment saying "I made a new server, loaded the application and it borked completely", or "looked ok, maybe we can move it to a new box and do a full test".

For all the people complaining that it's an "annual" tax by Microsoft, I disagree. I think the air conditioner analogy above is good, and at home washing machines might give you the same grief. If you're a business, you might buy a car / ute / truck. It has all sorts of uses, and you might customise it, you might not. If you do, yay you. You might have done it yourself, you might have paid someone else to do it according to your wishes or what they recommended based on their similar experiences and feedback from other people needing something special. But anyway, your accountant tells you to depreciate that sucker, and at the end of 5 years, you basically bin it. You get another, and thus the accounting cycle starts again. You might have learned things from using the vanilla car or the modified one. You might want to get something better than a car if you were after a truck all along. You probably suffered using your car that got cut down and ended up with a roof rack and towing a trailer in that cycle. It was a learning experience.

After too long in IT, I'm still mystified why IT people don't do more to say to their business "you know what, this Model T of an IT system we've got, it's getting a bit old. The mechanics (developers/administrators) for it are hard to find. No-one understands it. It could eventually break down leaving you on the side of the road at a really bad time for you. Maybe if we looked at what it did, what it does now, and what we'd like it to do, we could plan what might do the job better. We could tell you how much that would cost and you, the business, could make an informed decision about what to do". Even a victorian era analogue system will need take down, repair, replacement (think a steam train). Why do you think your system is any better? Your server is a colle

2003 Upgrade Issues

The biggest problem I have is there is no upgrade path from 2003 32 Bit to 2008 R2 which is 64 Bit. So each server is a fresh install. Fortunately, file servers that are virtual can have their disks reused. But you still have to define shares, etc. The other major issue is legacy applications that do not support 2008 or greater. There is a huge undertaking to get that stuff migrated to something else.

20 Windows XP computers: No problems.

[Futurepower(R)]

What I said may be imperfectly expressed. However, we have about 20 Windows XP computers operated by people who are not intense about cooperating. Those computers are guarded only by Malwarebytes and the fact that are all limited users, and we've had no problems.

The point I was trying to make is that, if there is enough attention given, software can be free of vulnerabilities.

A lot of corporate work is routine.

[Futurepower(R)]

"... no longer secure..."

OpenBSD is secure because it was examined carefully for vulnerabilities. Microsoft makes more money if there are vulnerabilities, and if its older products are considered likely to be insecure.

"... when it no longer boots..."

We have corporate users who do the same thing every day on computers installed in 2004. They don't want change.

"... when none of the software you use will still run on the old OS"

Yes, you and I. But some corporate users do specialized corporate work on software that ran under DOS. It does what they want. There is little call for change.

"... when you have to employ tech staff with out-of-date skills..."

The Windows command line windows are mostly just the old DOS. There is nothing out-of-date.

"... when the software is a dead do-do that nobody wants to touch..."

Lots of people do lots of things that have remained stable for decades.

"Sorry, but everything has an end-of-life."

I talked to a guy who makes a lot of money per hour maintaining Cobol programs on old mainframes. Yes, end of life. But possibly decades from now.

"When you can't log into your damn bank because it's said that IE6 is too old..."

The browsers are updated frequently, of course. And computers connected only to an internal network have no outside internet vulnerabilities, if there are no DVD drives. I talked to a woman who worked at Tektronix who could not send an email from her work computer because there was no outside access.

Should employees be allowed to explore the internet during lunch breaks? Sure, on a separate network in the lunch room.

I have the latest hardware and software, a 24-port gigabit switch, and multiple 3 Terabyte RAID drives. But that's because I make a lot more techological demands than the average person.

I don't feel conflict of interest. Unfortunately, conflict of interest is a big factor in the lives of many people who are involved with computer technology. Their minds are persuaded by what would make them more money.

Microsoft is being paid for updates.

[Futurepower(R)]

"... runs into the millions."

Yes, but Microsoft is taking in millions from "Enterprise" users. See the sub-heading "Large customers are paying huge amounts" in Microsoft Windows XP "end of life": Conflict of interest.

difficult and maybe expensive but not impossible

[davidwr]

If you have hardware firewalls that do deep-packet inspection and reject all traffic that doesn't match whitelisted traffic, AND your whitelist is detailed enough so that in practice it rejects all unwanted traffic, you should be okay.

So, unless the traffic of your specific can't-migrate-to-a-supported-OS application is too expensive to distinguish from unwanted traffic, you should be able to firewall a server so well that the fact that the OS is unsupported and otherwise vulnerable to attack is no longer a "must fix now" issue.

That doesn't mean it isn't an issue, and I would still recommend finding some way to phase it out, but it just means you won't have to fully decommission your Windows 2003 server this year or even this decade.

Followup

[davidwr]

The same type of "deep inspection" firewall trick can and probably should be at least CONSIDERED for ANY mission-critical machine that is deemed "too risky" to put on the same network with "unacceptably high risk of becoming contagious" machines. In some cases it may even make sense to apply this technique to machines that ARE running supported OSes and which are BELIEVED to be very well protected all by themselves.

For example, if you are running an in-house web site to provide selected employees with a web interface to the corporate back-end data center, it may make sense to put a dedicated security box between the data server and the web server and another dedicated security box between the web server and the company's "office" network. This way if some employee's machine gets infected, the web server is less likely to become compromised, and if the web server is compromised it is less likely to compromise the back-end data server. Also, the security devices can watch for suspicious activity, such as out-of-the-ordinary traffic patterns from the "office" network to the web server or out-of-the-ordinary data requests from the web server to the data server and raise alarms where warranted.

I'm sure by now you are worried about "what if the security boxes get hacked." That is a concern. There are ways of making the security boxes be pass-through boxes which are invisible/non-addressable to the office network, the web server, and to the back-end data center, which would mean that the only ways to deliberately "hack" them would be through a different network connection entirely (such as the connection to a dedicated, otherwise-non-network-connected computer in your security officer's office) or by sending carefully manipulated traffic through them that was designed to "break the XYZ-brand security box that someone told you might be there" or "break the security box that your traffic-analysis pre-hack investigation made you suspect was there."

If you don't care about STOPPING bad traffic but just want to raise alarms, a traffic-splitter that feeds a copy of all traffic to your security boxes will do the job and it will be all but completely invisible to the networks they are monitoring (a splitter will not be completely invisible, but it can be made to look like a non-addressable/dumb repeater, switch or hub from the point of view of the networks it is connected to - the only hint of its existence to someone without physical access to measure voltage levels may be a very slight increase in latency).