Ask Slashdot: Should We Expect Attacks When Windows 2003 Support Ends?
kooky45 writes: On July 14th 2015, Microsoft will stop supporting Windows 2003. If your company is anything like mine then they're in a panic to update Windows 2003 systems that have been ignored for years. But what will happen to Windows 2003 systems still in use after the cut-off date? Company Security warns us that the world will end, but they said the same thing when Microsoft stopped supporting Windows XP -- and yet we survived. Did you experience an increase in successful attacks against XP shortly after its support ended, or expect to see one against Windows 2003 this time round?
People will ditch Windows.
That was oblig. to get the ball rolling....
No.
If within your corporate firewall you are having targeted attacks ... you might want to look at that.
If you have machines you think could be especially vulnerable, you should probably be looking to harden them at least some.
And if you have apps which are running on legacy stuff, you should be looking to upgrade, or see what hardening you can put around them (like put it behind a proxy or something).
Just like before they go EOL, they're still your machines, and you're still ultimately responsible for them.
I suspect most companies have been trying to plan around this for a while. And if they haven't ... well, then someone isn't taking responsibility for such things and you have other problems.
It's not like this is coming out of the blue.
It's Windows. You should expect it to be attacked in the highlands and the lowlands, near and far, to and fro, hither and yon... You should be expecting attacks right now, and you should also be expecting attacks after support ends.
If so, why do you expect to keep your job? Windows boxes that old should not be exposed to the world, especially if they are doing something important for the business.
First, what kind of company doesn't have a budget set for lifetime for equipment?
Second, EOL means more than just Windows Update. It means no liability insurance, PCI compliance if you take credit cards, no drivers, etc.
Third, it means things like future versions of AD and software tools won't be compatible.
Last, XP had 2 big attacks where MS had to break EOL to fix one.
You are IT and are responsible for keeping your skill sets and employer's equipment up to date.
http://saveie6.com/
I've put new openssl, bash and apache on old EOL distros recently, that the business owners don't have time to migrate yet. That's possible in the open source world.
You won't see a huge influx of successful attacks right after support ends. I doubt people are sitting on 2003 vulnerabilities and not using them, just waiting for support to end. If they have them and they work, they would use them now when there are more targets and before someone else uses it and it gets patched. The issue will be when new cross-platform vulnerabilities are found that work on 2003. Since those won't be patched, they will continue to remain vulnerable to them. But I don't imagine there will be a bunch of attacks on 2003 just because it leaves support.
Most of the Win 2003 servers are file and print servers, not directly hooked to the internet, for small and medium business. If a company has proper malware scanning, backups and archives, it's probably not as big a deal as you stress puppies make it.
Granted, the summary clarifies that it's talking about an increase, but...
Should We Expect Attacks When Windows 2003 Support Ends?
You should expect attacks now.
But what will happen to Windows 2003 systems still in use after the cut-off date? Company Security warns us that the world will end, but they said the same thing when Microsoft stopped supporting Windows XP
Well the world isn't going to end even if you get hacked and your company goes out of business, so we're already in the realm of exaggeration. I think your question fundamentally misunderstands the nature of the problem. The issue is not, "Once the deadline passes, everything will suddenly and spontaneously explode." A big part of the issue is risk -- if there are any undiscovered vulnerabilities, those vulnerabilities will not be patched. Unless hackers have already stockpiled undisclosed vulnerabilities, it'll take some time for them to be discovered, and some of them won't be very serious or dangerous. However, any vulnerabilities that hackers know may not be discovered if there's less scrutiny, and they won't be fixed. This means an increased risk. That risk can be mitigated by shutting those machines off from the Internet. If you're going to do web browsing, using an up-to-date 3rd-party browser will mitigate the risk, assuming major browser vendors will support Windows XP.
So how much of a risk, and how much of that risk can you mitigate? It's hard to say. You're trying to assess the risk of an unknown threat exploiting an unknown vulnerability over an unspecified period of time.
To some extent, we deal with that kind of a risk all of the time. But here's the big difference: It won't get fixed. It might not seem like that big of a deal, and you might think, "We'll burn that bridge when we get to it." However, a huge, major vulnerability could be discovered tomorrow that makes your server open for any random hacker to take control of, and there will be no fix coming.
Now think about that for a second. You have a company with servers running an unsupported operating system from more than 12 years ago. Obviously, they're slow to move. They're not free with their budget. Or maybe none of those things are the problem, but the real problem is that you have a huge legacy system that is impossible to upgrade, and so you've just been leaving it alone. Either way, there are reasons why upgrades have been so slow in coming. Do you think those problems are going to suddenly evaporate when there's a crisis? Do you think that company will make good decisions in a crisis, when their business-critical server is suddenly a free playground for hackers? Nope. They're likely to drag their feet and make wildly inappropriate decisions. When faced with a crisis, they'll make the same kind of bone-headed short-term decisions that got them into the mess in the first place.
And that's the real problem here. It's not really a question about whether 2003 will be severely hacked in the next 6 months. The real question is, is your company thinking ahead, preparing, and making sensible decisions. If they are, they will have had a plan and a budget for replacing these servers, both because the OS is losing support, and because it's a >10 year old server. If you don't replace a 10 year-old server because it's working, and you don't have to replace it, that might be a sensible decision. If you have a 10 year-old server and you are unprepared for the possibility that you'll have to replace it, then you're not a competent IT person.
Block your 2003 machines from the network if you plan to keep them. That is what our security people will do.
The date for end of support for 2003 has been known for like 10 years so there has been enough time to prepare for it.
IT security is not about "what can we get away with". It is about being ready before the bad people strike. And they will. And you may not even notice.
Like XP, and NT and 2K before them, they've been in battle for over a decade, being attacked, patched, attacked, Service Packed. Not invulnerable because nothing is, but 2K3 is better than it was. That being said, having a Windows box exposed to the internet with no protection is flat out silly. Right tool, right job. Using a Windows 2003 server to serve webpages on the internet is like using a 6 yr old to direct traffic. All the requisite parts are there, but the execution isn't the best.
I got a Windows 98SE system that still works fine. I just don't let it go outside.
Rather than respond to each comment I find this easier. My general thought process is there are bigger problems to worry about. I still have one 2003 system on my network, and 3 XP systems. All are secured to the point where they're as locked down as they can be. I'm less concerned with them than users with brand new fully patched Windows 7 systems that managed to still get malware and viruses on their system, despite a locked down firewall that has virus and security filtering on, a virus and spam filtering email service, antivirus and antimalware on their local system, and adblock installed in their browser. Those are the threats that cause problems. We got hit with a variant of CryptoLocker in late February on a user with a fully patched Windows 7 system. It managed to take out about 100 GB of data, that we luckily had backups of so we lost nothing. These are the threats I'm worried about, not what some old past service date server that is attached to nothing and does not have connectivity to anything of value.
That may be true of Reddit or other more current sites but not Slashdot. The only people on Slashdot are the older crowd that use it out of sheer habit. Why would new users come here to read last week's news today?
"Should We Expect Attacks When Windows 2003 Support Ends?"
There's a bit of lag between the time Microsoft EOLs a platform, and their interns are able to start turning out exploits to force you to "upgrade" to their next platform in order to keep their revenue stream intact, so you'll have at least a medium-sized window before you should start expecting attacks.
As Microsoft gets better at producing exploits for their own operating systems before they announce an EOL event, expect things to improve, and the window to become narrower, to the point where they are able to release exploits the same day as the EOL date.