Ask Slashdot: Should We Expect Attacks When Windows 2003 Support Ends?
kooky45 writes: On July 14th 2015, Microsoft will stop supporting Windows 2003. If your company is anything like mine then they're in a panic to update Windows 2003 systems that have been ignored for years. But what will happen to Windows 2003 systems still in use after the cut-off date? Company Security warns us that the world will end, but they said the same thing when Microsoft stopped supporting Windows XP -- and yet we survived. Did you experience an increase in successful attacks against XP shortly after its support ended, or expect to see one against Windows 2003 this time round?
People will ditch Windows.
That was oblig. to get the ball rolling....
putting the 'B' in LGBTQ+
My company still has Windows 2000 servers in production. Not too worried about 2003.
No.
Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
For most of the people on this site, it's news that there is a product called Windows 2003. Many of them were probably in hs or middle school when it came out.
If within your corporate firewall you are having targeted attacks ... you might want to look at that.
If you have machines you think could be especially vulnerable, you should probably be looking to harden them at least some.
And if you have apps which are running on legacy stuff, you should be looking to upgrade, or see what hardening you can put around them (like put it behind a proxy or something).
Just like before they go EOL, they're still your machines, and you're still ultimately responsible for them.
I suspect most companies have been trying to plan around this for a while. And if they haven't ... well, then someone isn't taking responsibility for such things and you have other problems.
It's not like this is coming out of the blue.
Lost at C:>. Found at C.
Windows XP POSReady reg hack gets you to 2019
This is the year of the hacked windows server!
Isn't this a little like "Is another bus coming?" The answer is always yes.
Do I expect attacks on any computer system ... yes.
Do I expect it on a Windows based system ... hell yes
Is water wet?
The question regarding noticing successful attacks is the wrong one. A successful attack is one you don't notice. Food for thought.
Please don't take anecdotes like "XP was fine, 2003 will be fine" as a shield. It's security by obscurity of the worst kind. All it takes is someone a little interested in your corporate network to find the holes once and you're screwed. XP was "fine" simply because it is run on low importance systems. Server 2003 generally isn't so, for pity's sake, update now - preferably with something that updates organically rather than in huge quantum leaps that force you to re-evaluate everything.
So no, you shouldn't expect attacks because you should be planning that migration *now*.
Nope. The end of the world bell was rung when XP Support ended, and nothing happened. I figure the same for 2003. We still have our main intranet site on 2003. The replacement plan is still 1-2 years in the works and requires an additional hire. It's internal only and doesn't face the outside world at all, so figure we're fine.
What do you think? Microsoft has a magic ball that automatically shows every unknown exploit out there?
There are bugs that can be exploited in Windows 2003. Microsoft doesn't know about them all, they won't patch them all. The best and hardest to detect are kept in reserve for prime targets.
Once your support and security patches are gone, it's open season.
Anyone still using Windows 2003 when the license runs out will turn GAY. It's official.
You don't have to wait for that dearie
It's windows. You should expect it to be attacked in the highlands and the lowlands, near and far, to and fro, hither and yon... You should be expecting attacks right now, and you should also be expecting attacks after support ends.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If so, why do you expect to keep your job? Windows boxes that old should not be exposed to the world, especially if they are doing something important for the business.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
All Linux distros reach EOL as well.
xp
First, what kind of company doesn't have a budget set for lifetime for equipment?
Second, EOL means more than just Windows Update. It means no liability insurance, no PCI compliance if you take credit cards, no drivers, etc.
Third, it means things like future versions of AD and software tools won't be compatible
Last, XP had 2 big attacks where MS had to break EOL to fix one.
You are IT and are responsible for keeping your skill sets and your employer's equipment up to date.
http://saveie6.com/
I've put new openssl, bash and apache on old EOL distros recently, that the business owners don't have time to migrate yet. That's possible in the open source world
So your answer is yes. All platforms of Windows are (is?) always under attack. Any product that ships with NSA_KEYS has been compromised before it even hit the market. It will be attacked more, yet its market share will decline and the OS will be less of a threat target. Only small businesses, criminals, and geeks will keep it running much longer, at least in any exposed mode. Most bigger corps have already transitioned to 2008/2012 for anything with a PAT/NATed port.
You won't see a huge influx of successful attacks right after support ends. I doubt people are sitting on 2003 vulnerabilities and not using them, just waiting for support to end. If they have them and they work, they would use them now when there are more targets and before someone else uses it and it gets patched. The issue will be when new cross-platform vulnerabilities are found that work on 2003. Since those won't be patched, they will continue to remain vulnerable to them. But I don't imagine there will be a bunch of attacks on 2003 just because it leaves support.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
Granted, the summary clarifies that it's talking about an increase, but...
Should We Expect Attacks When Windows 2003 Support Ends?
You should expect attacks now.
systemd is Roko's Basilisk.
But what will happen to Windows 2003 systems still in use after the cut-off date? Company Security warns us that the world will end, but they said the same thing when Microsoft stopped supporting Windows XP
Well, the world isn't going to end even if you get hacked and your company goes out of business, so we're already in the realm of exaggeration. I think your question fundamentally misunderstands the nature of the problem. The issue is not, "Once the deadline passes, everything will suddenly and spontaneously explode." A big part of the issue is risk: if there are any undiscovered vulnerabilities, those vulnerabilities will not be patched. Unless hackers have already stockpiled undisclosed vulnerabilities, it'll take some time for them to be discovered, and some of them won't be very serious or dangerous. However, any vulnerabilities that hackers know may not be discovered if there's less scrutiny, and it won't be fixed. This means an increased risk. That risk can be mitigated by shutting those machines off from the Internet. If you're going to do web browsing, using an up-to-date 3rd-party browser will mitigate the risk, assuming major browser vendors will support Windows XP.
So how much of a risk, and how much of that risk can you mitigate? It's hard to say. You're trying to assess the risk of an unknown threat exploiting an unknown vulnerability over an unspecified period of time.
To some extent, we deal with that kind of a risk all of the time. But here's the big difference: It won't get fixed. It might not seem like that big of a deal, and you might think, "We'll burn that bridge when we get to it." However, a huge, major vulnerability could be discovered tomorrow that makes your server open for any random hacker to take control of, and there will be no fix coming.
Now think about that for a second. You have a company with servers running an unsupported operating system from more than 12 years ago. Obviously, they're slow to move. They're not free with their budget. Or maybe none of those things are the problem, but the real problem is that you have a huge legacy system that is impossible to upgrade, and so you've just been leaving it alone. Either way, there are reasons why upgrades have been so slow in coming. Do you think those problems are going to suddenly evaporate when there's a crisis? Do you think that company will make good decisions in a crisis, when their business-critical server is suddenly a free playground for hackers? Nope. They're likely to drag their feet and make wildly inappropriate decisions. When faced with a crisis, they'll make the same kind of bone-headed short-term decisions that got them into the mess in the first place.
And that's the real problem here. It's not really a question about whether 2003 will be severely hacked in the next 6 months. The real question is, is your company thinking ahead, preparing, and making sensible decisions. If they are, they will have had a plan and a budget for replacing these servers, both because the OS is losing support, and because it's a >10 year old server. If you don't replace a 10 year-old server because it's working, and you don't have to replace it, that might be a sensible decision. If you have a 10 year-old server and you are unprepared for the possibility that you'll have to replace it, then you're not a competent IT person.
I bet there are loads of blackhats sitting on 0-day exploits just waiting for the end of support date, just maximising the longevity of their attack code. Why bother being discovered when soon nobody is going to be watching anymore?
block your 2003 machines from the network if you plan to keep them. That is what our security people will do.
The date for end of support for 2003 has been known for like 10 years so there has been enough time to prepare for it.
IT security is not about "what can we get away with". It is about being ready before the bad people strike. And they will. And you may not even notice.
Like XP, and NT and 2K before them, they've been in battle for over a decade, being attacked, patched, attacked, Service Packed. Not invulnerable because nothing is, but 2K3 is better than it was. That being said, having a Windows box exposed to the internet with no protection is flat out silly. Right tool, right job. Using a Windows 2003 server to serve webpages on the internet is like using a 6 yr old to direct traffic. All the requisite parts are there, but the execution isn't the best.
~corporate tool, but employed~
While I'll give you that is technically true in some sense for individual releases of most distros, it's actually not true for all of them because not all of them work on a cycle of individual separate releases.
This is irrelevant anyway though because the important point here is that you don't have to pay to upgrade when it's Linux. Also, unlike Microsoft, Linux distros typically don't have partnerships with commercial hardware vendors who have vested interests in purposefully obsoleting hardware. While sometimes support for older/rarer hardware gets removed from Linux accidentally or for lack of testing resources, it's largely true that you can still, with little or no tweaking, run even a current fresh release of most Linux distros on hardware from even earlier than the year 2000. I know this to be true because I frequently do it for fun. I'm sick. Help me please.
Stop cheaping out on your IT.
If you have a decent firewall and managed network you can make it secure if you have software that will not run on server 2008 or newer.
If your company is just being cheap bastards, then you deserve all the hacks, viruses, and spyware you get.
Most companies do not spend what they should on IT infrastructure or staff. It's not a luxury, it's a key part of your business. Business owners need to stop being drooling morons and spend the money.
Do not look at laser with remaining good eye.
But none of the Linux distro EOLs are going to be suddenly changed to become the same as the Windows 2003 EOL. And if you called Microsoft for Ubuntu 8.04 support, they never would have helped you anyway, whether you made the call in 2014 or even 2008.
You should be concerned about security REGARDLESS of whether or not any platform is in support. Security is a 7x24 job. Ignoring it simply because a platform is 'supported' is nothing less than a fail.
Anyone still using Windows 2003 when the license runs out will turn GAY. It's official.
Says the guy in the Power Rangers onesie!
Also expect them right now, just as you expected them in the future.
Security isn't a goal or a milestone or a product or a checklist or that smug assurance of your smooth MBA-wielding 'Chief IT Security Officer' who doesn't even know how to plug in his mouse.
It's a process. The retirement (or isolation/containment) of legacy software platforms is just one more task among thousands. Do it properly and risk will be minimized, breaches will be contained, and impact will be slight. Do it poorly and the weakest link in your chain will be your downfall.
Just like it always has been.
Debian/stable doesn't
Most OS security vulnerabilities are irrelevant for the purposes of the server running specific internal apps. The server is going to be running behind a firewall that blocks everything but a couple of ports and sanitizes anything that comes through those. Employees are going to log in with 2-factor authentication before being allowed access. And you are smart enough to not browse warez sites with Internet Explorer from the server console, right?
Of course if you run your network like Sony, you will probably get p0wned. The thing is that it's very unlikely that upgrading to latest Microsoft software is going to make any difference. Just think what will give you best value and employee productivity for the next 3 years and go with that.
Some people will continue to use it, despite the obvious, that Microsoft certainly seems to have been deliberately and intentionally adding bugs and security holes to their software to force you to pay them money to upgrade. Some people will continue to use the buggy, security-hole-ridden, outdated MS Garbageware until they get the fuck hacked out of them, then they'll pay through the nose and pretend they did something about security, to buy MS Windows 2016 or whatever it's called this week.
Others, the smarter ones, will have already bitten the bullet, and upgraded to a REAL operating system, freeing themselves from the tyranny of wretched software.
They'll have gone F/L-OSS. They'll have gone to GNU/Linux or one of the free BSD's.
It's a no-brainer, really. You get something that's better and free besides, or shell-out to Microsoft more and more money for the same thing, over and over and over again.
Or they'll switch to Apple/OS X, but only if they've got money to burn.
Why would anyone wait to exploit an OS more than a decade old? If there was an end of world attack, it would be used ASAP to affect as many systems as possible before they're shut down. No one would sit on an attack. Sure, in the future, some exploit may be developed, but the more time that passes, the less attractive W2003 would be for an attacker. They wouldn't spend man-years looking for buffer overflows in a 12+ year old OS.
Your biggest risk is the big one - a hidden bug that's been in Windows for decades that someone finds in a current version but has been there all along. New versions will get fixed, but W2003 won't.
is it worth the risk?
That's an easy one. It's all in the EULA, after all.
"Fire and brimstone coming down from the skies! Rivers and seas boiling! Forty years of darkness! Earthquakes, volcanoes! The dead rising from the grave! Human sacrifice, dogs and cats living together... mass hysteria!"
If a server is exposed online it's already being attacked, probably at random and not machine targeted. Whether the attack succeeds or how far in the attack gets is another matter and depends on firewall settings, honeypots, etc. .
Security is not tangible. It is a feeling. You should always be expecting attacks.
"Should We Expect Attacks When Windows 2003 Support Ends?"
There's a bit of lag between the time Microsoft EOL's a platform, and their interns are able to start turning out exploits to force you to "upgrade" to their next platform in order to keep their revenue stream intact, so you'll have at least a medium sized window before you should start expecting attacks.
As Microsoft gets better at producing exploits for their own operating systems before they announce an EOL event, expect things to improve, and the window to become narrower, to the point where they are able to release exploits the same day as the EOL date.
What is the point for attackers to continue attacking a Windows without support? They should all move along to newer versions, and that includes ceasing the use of any already compromised machines.
-><- no
Just like it's possible to put 2003 behind a firewall and restrict internet access on "affected" machines.
Its almost like... both systems have problems and solutions that work.
Almost... that would be too convenient for koolaid drinkers (on either aisle).
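The "block everything but a couple of ports" and "restrict internet access on affected machines" stance from the posts above, written out as a concrete ruleset. This is an added example, not something any poster in the thread supplied: it assumes the 2003 box sits behind a Linux segment gateway running nftables, and every address, port and host role in it (10.20.3.15 for the legacy host, the 10.10.0.0/16 user VLAN, tcp/8080 for the legacy app, 10.20.1.10-11 for AD/DNS/NTP, 10.20.9.5 as a jump host) is a placeholder you would substitute for your own.

```nft
# Added example: fencing a legacy Windows Server 2003 host at a Linux
# segment gateway with nftables. Addresses and ports are assumptions.
#   legacy host   10.20.3.15     (the 2003 box)
#   app clients   10.10.0.0/16   (user VLAN that needs the legacy app)
#   AD/DNS/NTP    10.20.1.10, 10.20.1.11
#   app port      tcp/8080       (whatever the legacy app listens on)
#   jump host     10.20.9.5      (only source allowed to RDP in)
# The box must have no other path out: one NIC, default gateway = this host.
table inet legacy_2003 {
    set legacy_host { type ipv4_addr; elements = { 10.20.3.15 } }
    set app_clients { type ipv4_addr; flags interval; elements = { 10.10.0.0/16 } }
    set infra_svcs  { type ipv4_addr; elements = { 10.20.1.10, 10.20.1.11 } }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows allowed below; everything else is evaluated fresh.
        ct state established,related accept
        ct state invalid drop

        # Clients reach only the application port, nothing else on the box.
        ip saddr @app_clients ip daddr @legacy_host tcp dport 8080 accept

        # The legacy host itself may talk only to AD/DNS/NTP, only on the
        # ports those services need. No internet, no lateral RDP/SMB.
        ip saddr @legacy_host ip daddr @infra_svcs udp dport { 53, 88, 123, 389 } accept
        ip saddr @legacy_host ip daddr @infra_svcs tcp dport { 53, 88, 135, 389, 445 } accept

        # Admin access from the jump host only, and logged.
        ip saddr 10.20.9.5 ip daddr @legacy_host tcp dport 3389 log prefix "legacy-rdp " accept

        # Everything else touching the box is logged before it is dropped, so
        # probes show up and so you notice a port the app needs that you forgot.
        ip saddr @legacy_host log prefix "legacy-out-drop " drop
        ip daddr @legacy_host log prefix "legacy-in-drop " drop
    }
}
```

Load it with `nft -f` and watch the `legacy-out-drop` log lines for a few days before trusting it: a domain member also uses RPC (tcp/135 plus the DC's dynamic port range) for some operations, so if group policy or the secure channel stops working, that is where the missing hole will be. The point of the logged drops is exactly the one made elsewhere in the thread: a compromised box that can only reach the ports you listed is one whose attacker you actually get to see.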
So there's a small subset of IT managers out there who get stuck with lousy budgets. I do a bunch of consulting and get into different businesses and some managers play a game:
Step 1: ask for a bunch of money as a capex expense to migrate servers. Let that request get denied.
Step 2: do it again the next year. Let it get denied again.
Step 3: wait until it's absolutely critical - show management articles on the pending doom that will happen - request a lot more money.
Step 4: Use all the extra money on all the extra IT projects they can't otherwise get approved easily.
I saw a large site that had a lot of XP workstations and the IT manager didn't push too hard to get Windows 7 licensing. Right before XP went out of maintenance he got a large expense approved to not only upgrade to Windows 7 but to actually replace all of the workstations. I saw the same thing with Windows 2000 and a company using that as an excuse to get into virtualization and purchase all that hardware.
----- obSig
So, is the implication here that Windows 2003 boxes are not, already, the subject of numerous attacks? Because, y'know, they definitely are and stuff. The main difference being that when they're out of support they won't have patches for all those attacks.
XP boxes are often somewhat protected, as they're usually behind a firewall. Alas, phishing, worms, viruses, and other malware float around on internal networks all the time. If you've worked in security ops and have decent network instrumentation you know that these boxes get infected all the time when they are not patched whether they're in support or not. So...when they're out of support...you do the math.
Any box on your network that is out of support is a risk because it represents an easy target for an attacker to gain a foothold on your network. It also represents a business risk because if whatever crucial piece of software the box is hosting, which absolutely cannot run on 08, shits the bed...there's no support. If the 03 box is hosting something that isn't critical, just turn it off. The fact that it needs to stay on is enough of a reason to get it on a supported OS.
That's what we're going to be doing with a few 2003 servers, all but one already running as VMs and that last one likely to be converted in the next month or two.
These are systems that need to be kept around for reference, old EMR or practice management systems where it wasn't feasible to export all data for import into a replacement system. Heck, in at least two cases I know of practices expressly deciding to not even migrate patient lists from an old billing/practice management system into a new EMR/PM system because the old system had data going back into the late '80s from physicians who'd been retired for 15 years on patients who'd not been seen in at least that long.
I fully expect that these systems will be kept around on life support until the expiration of the time period for which those records need to be kept. Records for any patients who have contact with offices now are exported (well, dumped into large PDFs) then imported to the new system, but in general I expect these systems to be alive for 10+ years from the date of switchover - fortunately we're not dealing with this at any places that see minors, and the number of disabled patients is small enough that their records (which may need to be kept permanently) can be PDFd and migrated.
Sure keeping the old system around is an expense, but it's still cheaper than going to the vendor of the abandoned EMR system for custom development of something to bulk-export records for thousands of patients - assuming that said vendor still exists. Paying tens of thousands of dollars for upgrades to disused systems just to get them on a more modern OS also isn't going to happen.
fencepost
just a little off
Relevant.
When support ends? Every place I've worked at since ~2008 has had their 2003 servers owned at one point or another. Why wait for the support to end? Check your boxes NOW. You may be surprised at what you find. Server 2012 is not excluded either, just last week my (Fortune 1000) company had one join a botnet and start shipping sensitive data off. Luckily it was caught at the firewall and reimaged immediately, but if you don't audit your infrastructure, you're gonna regret it.
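"Check your boxes NOW" and "any box on your network that is out of support is a risk" (the two posts above) both start with the same step: knowing which boxes those are. Here is an added example of that inventory check, not code from any poster in this thread. It assumes the input is a CSV produced on a domain-joined admin host by `Get-ADComputer -Filter * -Properties OperatingSystem,OperatingSystemVersion,LastLogonDate | Export-Csv`, that the export was written on an en-US host (so LastLogonDate looks like `6/29/2015 8:12:03 AM`), and that the end-of-support dates in the table are Microsoft's published extended-support end dates. The sample rows are constructed. It goes a little beyond 2003: it flags every unsupported or soon-to-be-unsupported OS it recognises, and separates live hosts from computer objects nobody has logged on from in months, so you chase real servers rather than ghosts.

```python
"""Flag Active Directory computer objects whose OS is past end of support.

Added example (not from the thread). Input: CSV export of
  Get-ADComputer -Filter * -Properties OperatingSystem,OperatingSystemVersion,LastLogonDate | Export-Csv
Column names match those property names. Assumes an en-US date format in
LastLogonDate; adjust parse_logon() for another locale.
"""
import csv
import io
import re
from datetime import date, datetime, timedelta

# End of extended support, per Microsoft's published lifecycle dates.
# Patterns are matched against a normalised OperatingSystem caption.
EOL_DATES = [
    (r"Windows 2000", date(2010, 7, 13)),
    (r"Windows XP", date(2014, 4, 8)),
    (r"Windows Server 2003", date(2015, 7, 14)),
    (r"Windows Server 2008", date(2020, 1, 14)),   # 2008 and 2008 R2
    (r"Windows 7", date(2020, 1, 14)),
    (r"Windows Server 2012", date(2023, 10, 10)),  # 2012 and 2012 R2
]

ENDING_SOON = timedelta(days=180)   # flag anything within six months of EOL
AS_OF_EXAMPLE = date(2015, 7, 1)    # "today" for the sample run below


def normalise(caption: str) -> str:
    """Strip trademark glyphs and surplus whitespace from an AD OS caption."""
    caption = caption.replace("\u00ae", "").replace("(R)", "")
    return re.sub(r"\s+", " ", caption).strip()


def classify(caption: str, as_of: date):
    """Return (status, eol_date) for one OperatingSystem caption.

    status is one of: unsupported, ending-soon, supported, unknown.
    Unknown means the table has no entry, not that the OS is safe.
    """
    text = normalise(caption)
    for pattern, eol in EOL_DATES:
        if re.search(pattern, text):
            if eol < as_of:
                return "unsupported", eol
            if eol - as_of <= ENDING_SOON:
                return "ending-soon", eol
            return "supported", eol
    return "unknown", None


def parse_logon(value: str):
    """Parse LastLogonDate as Export-Csv writes it on an en-US host (assumption)."""
    if not value:
        return None
    return datetime.strptime(value, "%m/%d/%Y %I:%M:%S %p").date()


def audit(csv_text: str, as_of: date, stale_days: int = 90) -> list:
    """Classify every computer object; worst status first, then by name."""
    stale_before = as_of - timedelta(days=stale_days)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        caption = row.get("OperatingSystem") or ""
        status, eol = classify(caption, as_of)
        last_logon = parse_logon(row.get("LastLogonDate") or "")
        findings.append({
            "name": row["Name"],
            "os": normalise(caption),
            "status": status,
            "eol": eol,
            "days_left": (eol - as_of).days if eol else None,
            # No recent logon: probably a dead object, not a live server.
            "stale": last_logon is None or last_logon < stale_before,
        })
    order = {"unsupported": 0, "ending-soon": 1, "unknown": 2, "supported": 3}
    findings.sort(key=lambda f: (order[f["status"]], f["name"]))
    return findings


# Constructed sample export; host names and dates are made up.
SAMPLE_EXPORT = """Name,OperatingSystem,OperatingSystemVersion,LastLogonDate
INTRANET01,Windows Server 2003,5.2 (3790),6/29/2015 8:12:03 AM
BILLING-OLD,Windows 2000 Server,5.0 (2195),1/3/2015 10:00:00 AM
FS01,Windows Server\u00ae 2008 R2 Standard,6.1 (7601),6/30/2015 7:00:00 AM
PC-ARCHIVE,Windows XP Professional,5.1 (2600),11/2/2014 9:15:00 AM
HV02,Windows Server 2012 R2 Standard,6.3 (9600),6/30/2015 6:55:00 AM
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT, AS_OF_EXAMPLE):
        print(f"{f['name']:<12} {f['status']:<12} eol={f['eol']} "
              f"stale={f['stale']} {f['os']}")
```

Run against a real export, the "unsupported + not stale" rows are the boxes the last poster is telling you to check first; "unsupported + stale" rows are objects to delete from the directory, which also matters, since a dormant machine account is still a credential. Treat "unknown" as a to-do for the table rather than as a pass.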