Slashdot Mirror


Windows Server 2003 Reaches End of Life In July

Several readers sent word that we're now less than six months away from the end of support for Windows Server 2003. Though the operating system's usage peaked in 2009, it still runs on millions of machines, and many IT departments are just now starting to look at replacements. Although Microsoft publishes support deadlines long in advance -- and has been beating the drum to dump Server 2003 for months -- it's not unusual for customers to hang on too long. Last year, as Windows XP neared its final days of support, there were still huge numbers of systems running the aged OS. Companies lined up to pay Microsoft for extended support contracts and PC sales stabilized in part because enterprises bought new replacement machines. Problems replacing Windows Server 2003 may appear similar at first glance, but they're not: Servers are critical to a business because of the applications that run on them, which may have to be rewritten or replaced.

[In many cases, legacy applications are the sole reason for the continued use of Server 2003.] Those applications may themselves be unsupported at this point, the company that built them may be out of business or the in-house development team may have been disbanded. Any of those scenarios would make it difficult or even impossible to update the applications' code to run on a newer version of Windows Server. Complicating any move is the fact that many of those applications are 32-bit -- and have been kept on Windows Server 2003 for that reason -- and while Windows Server 2012 R2 offers a compatibility mode to run such applications, it's not foolproof.

  1. PosReady for Server 2003? by Anonymous Coward · · Score: 3, Interesting

    Does anyone know if I can use the PosReady registry hack that can be used on XP to get support updates until 2019 on Server 2003?

  2. A reason to go with Open Source by Black+Copter+Control · · Score: 2

    It's a bit late for these businesses, but one of the pros of Free and Open Source software is that you always have the right to get the source code and pay somebody else to support your operating system version when the official supplier pulls their support. That's something that Microsoft makes very clear is illegal for Windows users to do.

    --
    OS Software is like love: The best way to make it grow is to give it away.
    1. Re:A reason to go with Open Source by jones_supa · · Score: 2

      That was exactly his point: you can hire another company to continue the maintenance. With Windows, there is no such option even if you were ready to throw cash on the table.

    2. Re:A reason to go with Open Source by jones_supa · · Score: 2

      I guess you missed his/her point as well. With Windows you got free updates up until July this year. With Linux you would have had to finance that yourself. Installing Linux in 2003 and paying someone to make updates for you would most likely not have been cheaper.

      Ah, yes. I missed the point indeed. :)

    3. Re:A reason to go with Open Source by Chrisq · · Score: 4, Informative

      So, which Linux distro that I installed in 2003 still has active security updates today? Which one even had more than four years of support?

      RHEL 4.0 which was available in 2003 and will be given extended support to the end of this month.

    4. Re:A reason to go with Open Source by DarkOx · · Score: 4, Informative

      Fair enough, but there are some really key differences between the Linux world and that of Windows and even Unix.

      Your distribution tends to package like 90+% of the software on the system. The leftover 10% is whatever in-house app the server is running or 3rd-party app you bought. All the libraries it uses, and support software that it uses, database engines, etc., typically are in the distribution. So the integration details, library versions, supported version issues are all taken care of for you.

      On Windows this is absolutely not the case. Things like databases, libraries for document rendering, and just about anything else you can think of are maintained outside the OS distribution. So Windows is where you upgrade and discover UAC totally breaks the version of ${SOFTWARE PACKAGE} you have installed or changes to winHTTP cause all the web service calls to fail etc. Even if they mostly are other first party applications like SQL Server or Office. It's also true that it's harder to isolate things. If you install something to /opt or /usr/local on a Linux box and those are separate partitions you can have reasonable confidence that blowing away / won't and reloading it from distribution media will leave you with a working app where you left it. Good luck with that on Windows unless you designed the package yourself and avoided the registry and tens of other possible pitfalls.

      So again speaking in the general case it's easier to go from RHEL 6.x to RHEL 7.x with an in place upgrade, as is true for most other Linux distros; however you do it, let package manager figure out dist-upgrade or re-install a fresh /.

      In most of my travels I have not seen 10+ year old Linux versions in production unless it's at the same kind of shop that also does not care to patch or be on a supported version of Windows. Even in shops that are good about patch management get their WSUS updates applied etc (I want to be fair to MS here these rarely if ever break anything) there is still lots of legitimate fear around upgrading an application server between major Windows versions. So in lots of cases Windows boxes tend to stay on whatever release for either the life of the hardware or the life of the app whichever is shorter. Linux boxes tend to be upgraded more frequently.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  3. End of support, not "end of life". by Futurepower(R) · · Score: 4, Insightful

    Software does not have an "end of life". It continues to do what it always did.

    "End of life" is a marketing term used so Microsoft can sell more copies of Windows, apparently. My understanding is that fixing newly discovered vulnerabilities in Windows XP or Windows Server 2003 would be fairly inexpensive.

    I've explored the issues concerning Windows XP: Microsoft Windows XP "end of life": Conflict of interest.

    1. Re:End of support, not "end of life". by dissy · · Score: 4, Informative

      My understanding is that fixing newly discovered vulnerabilities in Windows XP or Windows Server 2003 would be fairly inexpensive.

      One more downside to being closed source - if Microsoft won't fix vulnerabilities, no one else can for any sane price.

      At work I'm still migrating our last two 2003 servers, one migration nearing completion the end of this month, and the next not even started yet but expecting to take 9-12 months.

      Exchange server was our primary risk because by its nature it has to handle SMTP, and while you can't poke that server directly from the Internet (a postfix relay server is the only one with direct internet exposed ports) but those emails still flow through it, and it sends outgoing mail directly so has to connect to other MTAs and everything involved with that like DNS queries... A pretty big risk footprint on that one, so no argument from me that it needs upgraded.

      The last 2003 server however doesn't technically require being replaced, the risk is very small and mostly controlled for even then. It would likely run fine until enough hardware failures make keeping the server up cost prohibitive, which is really the biggest reason (though a fairly justified one) to upgrade.

      The vulnerability risk footprint is limited to the LAN, and then only really to windows file sharing (that and SQL server are the only exposed services)
      Not zero for sure, but taken alone not enough of a reason to justify the cost of an upgrade. Only everything taken together combined with a string of purchase approvals to upgrade everything else that demands it, is why it ultimately will be.

      If only another big player could release continued security updates, or ideally more than one to help both competition on price and a choice of whom to trust for such a thing.
      There is definitely a market for very long term support, which you have to look no further than IBM to see.

      In fact many would trust IBM to fill such a role if they were to do so. Others may trust Google. I'm sure there are plenty of other examples as well.
      But I don't see "long term windows support" being in many of those companies' interests, nor see Microsoft going along with such a plan even if they were.
      Microsoft wants you to buy their latest shiny instead, Google would prefer you didn't use Windows at all, and IBM doesn't seem to be as big on the support thing these days even for their own products let alone Microsoft's.

      All of those facts factor in to the cost of providing security updates, and does raise the bar quite a bit higher than it would appear at first glance.

    2. Re:End of support, not "end of life". by ledow · · Score: 2

      End of life - when it's no longer secure (comments above on your statements to this effect... your concept of a "now fully secure" OS is just laughable - there have been OS in place since the 60's and ALL are either still receiving updates or - more likely - have known holes. Nobody has yet made anything "secure" at all).

      End of life - when it no longer boots (UEFI vs BIOS, 32 vs 64bit, IDE vs SATA, no certified SAS drivers for the RAID controller so you can't run proper failover clusters, etc.) XP died at my last workplace when we were unable to get XP drivers for off-the-shelf components any more and had to pick-and-choose suppliers carefully, argue with BIOS manufacturers to retain compatibility, etc. Hell, try buying a PC that still has IDE and that's not that old.

      End of life - when none of the software you use will still run on the old OS.

      End of life - when you have to employ tech staff with out-of-date skills that they don't have the opportunity to update because of your policy, and then realise the next upgrade means new staff and having to fix the problem anyway.

      End of life - when the software is a dead dodo that nobody wants to touch, let alone guarantee support for, let alone work on, let alone ensure compatibility with.

      Sorry, but everything has an end-of-life. Sure, you could probably run a mom-n-pop shop on some old DOS accounting software. But that's not "IT", that's just "Computing".

      If you want your business to interact with others, to not have to manually pass off information to your auditors, to be considered secure enough to pass PCI-DSS so you can take credit cards, etc. or even just to be used by users without specialist "backwards" training, then there is most certainly an end-of-life, and it correlates rather well with the MS end-of-life in this case.

      I agree that computers "don't get slower", they are always the same speed as the day you bought them, that software "doesn't get worse", it's the same software as the day you bought it. I get the comparative nature of this. But that's NOT anything but anecdote in the real world, no matter how small an outfit you are.

      When you can't log into your damn bank because it's said that IE6 is too old, your system is end-of-life. That's the end of it. Because to fix it, bodge it, fake it, or upgrade it costs more than just following the rest of the world in their lowest-accepted technology standard.

    3. Re:End of support, not "end of life". by dissy · · Score: 2

      I agree with IBM to a point but Google doesn't have the best track record of supporting their products after they decide the product has reached the end of its life. In fact, they probably have one of the worst.

      Sadly that is true.

      In my previous post I was more thinking along the lines of trusting IBM/Google/etc to release updates that actually fix vulnerabilities instead of intentionally injecting new ones - more as in comparison to those shady sites out there hosting windows update msis for people using pirated windows without full access to legit update channels.

      While I personally would trust Google in that sense, I do have to agree I can't say the same about them "sticking with it" for the long run.

      Of course I don't really see them even starting this to worry about them closing down the beta a few months later ;P
      But your point remains.

  4. Remember Conficker? by Dynamoo · · Score: 4, Insightful
    The problem isn't that Windows 2003 will stop working.. the problem is that it won't get patched. Now, servers are generally lower-risk than client PCs because they just tend to do a couple of things without users surfing for porn, reading email or downloading crap. And also the products *running* on those servers may well continue to get updates anyway.

    But about once a year or so, there is a vulnerability in Windows that is exploitable over the network remotely without authentication, the sort of thing that Conficker used to spread on (i.e. MS08-067). Wormable vulnerabilities are the highest risk, and the time between the flaw being announced and an exploit being created can just be a matter of days.

    So, eventually those Windows 2003 boxes are going to get pwned. It might be weeks or years after 2003 goes EOL, but eventually it will happen.

    --
    Never email donotemail@WeAreSpammers.com
  5. Re:MS FAIL by thegarbz · · Score: 5, Insightful

    Ahhh you work for a vendor. That explains why the idea of a budget, or that IT is unable to upgrade something because of upper management may seem foreign to you.

    But by all means, throw the front line workers in the IT group under the bus for something beyond their control.

  6. Re:32bit vs 64bit by Dynamoo · · Score: 2
    Application compatibility in Windows 8.1 is pretty good (except for really ancient 16-bit apps).. but a server environment is different with products that are often much more complicated and with very difficult migration paths to a newer version. If one exists. Take for example database clusters with custom code written by people who no longer work for the organisation - migrating from those is extremely difficult.

    But.. although it is a pain, Microsoft's EOL was well-known many years in advance. People are moaning about the dropping of support, but it has been around for 12 years. For a migration path Windows 2012 R2 will be supported until 2023, Windows 2008 R2 until 2020.

    --
    Never email donotemail@WeAreSpammers.com
  7. It's not simple to just go and upgrade by Neo-Rio-101 · · Score: 4, Informative

    The reason why a lot of these businesses haven't upgraded is because it usually takes years to make this happen.
    If you're a business whose IT department or enterprise support vendor is running in full ITIL mode with a few ISO business standards thrown in for good measure, it really does take that long.

    The amount of paperwork and busywork that needs to go into something as relatively simple as an OS upgrade is something to be marvelled at when you actually have to work in that environment. There are whole massive bureaucracies and months of meetings, followed by change review boards, and more change review boards and testing and more testing and backout plans, and risk registers, and more meetings, and then you have to wait for the next meeting to come along before going onto the next stage.... and and and......

    So to all these people saying "just run open source" have never run a multimillion dollar business and relied on Windows to bring home the bacon. Much less have they ever considered being a large colossal IT support vendor that has to maintain SLAs and can get hit for penalties of millions of dollars if those SLAs are breached. These are not nimble organisations. They are not cowboys. They cover all possible failure scenarios and document everything from multiple support networks before they lay a single mouse click on the box.

    --
    READY.
    PRINT ""+-0
    1. Re:It's not simple to just go and upgrade by DMJC · · Score: 2

      So all those servers that are running the internet, and the VoIP servers that require 100% uptime and can be sued for any downtime by large call centres/organisations of people are being stupid by running Linux? Linux meets SLA's, it's idiot engineers who slap systems together without proper testing/maintenance who break SLAs and Windows doesn't save them, it just buys them a bit of time until the excuse that "Microsoft did it" stops buying customer patience.

    2. Re:It's not simple to just go and upgrade by drinkypoo · · Score: 2

      So to all these people saying "just run open source" have never run a multimillion dollar business and relied on Windows to bring home the bacon.

      Right, because that would be fucking stupid. If you're relying on Windows, you're relying on Microsoft, and if there is a tech company which has shown itself to be less reliable than Microsoft then it's Oracle and how do we feel about them?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re: It's not simple to just go and upgrade by Billly+Gates · · Score: 2

      Yeah with SystemD. Gee where do we sign up?

  8. Perpetual motion. by ledow · · Score: 2

    You wrote (or used) software that only works on Server 2003 / Windows XP / etc.

    Then it's your own fault.

    No doubt your replacement project will rely on .NET 4.5 or whatever and then when that stops being supported you'll have to do the same things all over again in a few years.

    Or you could, you know, not use software that is tied to any particular manufacturer, technology, etc.

    I'm just not sure what most places get out of being tied into MS technologies like this. Sure, if you're doing some heavy Office integration all the time with this, that, the other then you've tied yourself in, but where is that necessary compared to your software churning out some intermediate format and then just having the intermediate format converted to the one you need?

    I don't get it, honestly, and supposedly "clever" IT businesses still fall for it every time.

    Nobody is saying that software is immortal, but really it's blinkered to still be running stuff that's dependent on - what? ActiveX and IE6? Come on!

    There's no excuse now. I get frustrated when I still see CCTV units for £50 sold with ActiveX components to do their web-view, when they have Android apps and all the rest working already. Stop it. Seriously. And that's at the cheap-junk end of the market.

    If you can't abandon Server 2003 because of the applications you use, DON'T fall into the trap next time. Get yourself something that runs pretty independent of the OS already. There's very, very, very little that can't be done with web-based stuff (without requiring plugins) or just sheer open-ness at the intermediary layer so you can get someone in in ten years time to write a new "XML -> whatever" interface that bolts on to your existing system to replace the "XML -> Win64" interface you have now.

    Seriously, people, stop it. If you're going to break the endless cycle of annual renewal of MS licences, you have to get off their locked-in development tools and technologies too. The same with Apple. But there is NOTHING stopping you making something that will work with Windows, Apple, Linux, Android, iPad, Windows Phone, etc. all in one hit now, and could be run FROM any of the above too if you needed it to.

    Virtualised environments mean that someone handing you a VM with a Linux Guest OS as their entire product is not uncommon in my industry (Smoothwall, etc.), and it means you can run anything on anything nowadays.

    If you're still on 2003, I judge you on so many levels, but the stupid decisions you may be about to make are COMPLETELY AVOIDABLE here, now, today before you make the same mistake again.

  9. Re:Time for Wine by pz · · Score: 2

    Didn't work for us. We have an application that has been developed over about 10 years in VB6. No one has the budget -- either in finance or time -- to port. We looked at Wine as a plug-and-play replacement for XP and the application did not work correctly, 100%. The application is mission-critical, making anything less than 100% compatibility a non-starter. So we're stuck with XP until the next big grant comes in and we can afford to pay someone to port it to a more modern system.

    Don't get me wrong, Wine is an impressive amount of work, and my hat is off to the brave folks who have put so much time and effort into it. It just isn't good enough for our needs, unfortunately.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
  10. Re:MS FAIL by fisted · · Score: 3, Funny

    You're kidding, right? Most companies actually run DOS 6.22; see Burger King, for instance. You can run 5 processes with access to the high memory area using EMM386.EXE for each Windows NT system. If you want something small that can maximise your high memory utilization, then there's no alternative. Windows NT, or XP on my server, no thx. And vista? Seriously what were you thinking?

  11. Re:MS FAIL by Anonymous Coward · · Score: 5, Funny

    Yes, Server 2012 is touch screen only. There are no classic tools. There is no remote desktop. You have to be in the same room as the server. You have to touch the screen with one hand and masturbate furiously with the other hand.

  12. This makes me so happy by kilodelta · · Score: 3

    That I went in the direction of the Linux world and got the hell away from Windows in general.

    Between licensing costs, patches that break key functionality, etc. who the hell wants to stay on Windoze?

    I like the Linux update mechanisms between apt-get on Debian and Ubuntu to yum on RedHat and CentOS. And it's fairly easy to roll back an update too. As opposed to windows where even some of your config data gets hosed in the process.

    And if you're worried about things like AD, Domains etc. just install SAMBA on a Linux box and couple auth to LDAP. Life gets lots easier.