Ask Slashdot: Should We Expect Attacks When Windows 2003 Support Ends?
kooky45 writes: On July 14th 2015, Microsoft will stop supporting Windows 2003. If your company is anything like mine then they're in a panic to update Windows 2003 systems that have been ignored for years. But what will happen to Windows 2003 systems still in use after the cut-off date? Company Security warns us that the world will end, but they said the same thing when Microsoft stopped supporting Windows XP -- and yet we survived. Did you experience an increase in successful attacks against XP shortly after its support ended, or expect to see one against Windows 2003 this time round?
No.
Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
If within your corporate firewall you are having targeted attacks ... you might want to look at that.
If you have machines you think could be especially vulnerable, you should probably be looking to harden them at least some.
And if you have apps which are running on legacy stuff, you should be looking to upgrade, or see what hardening you can put around them (like put it behind a proxy or something).
Just like before they go EOL, they're still your machines, and you're still ultimately responsible for them.
I suspect most companies have been trying to plan around this for a while. And if they haven't ... well, then someone isn't taking responsibility for such things and you have other problems.
It's not like this is coming out of the blue.
Lost at C:>. Found at C.
It's windows. You should expect it to be attacked in the highlands and the lowlands, near and far, to and fro, hither and yon... You should be expecting attacks right now, and you should also be expecting attacks after support ends.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I've put new openssl, bash and apache on old EOL distros recently that the business owners don't have time to migrate yet. That's possible in the open source world.
Granted, the summary clarifies that it's talking about an increase, but...
Should We Expect Attacks When Windows 2003 Support Ends?
You should expect attacks now.
systemd is Roko's Basilisk.
But what will happen to Windows 2003 systems still in use after the cut-off date? Company Security warns us that the world will end, but they said the same thing when Microsoft stopped supporting Windows XP
Well the world isn't going to end even if you get hacked and your company goes out of business, so we're already in the realm of exaggeration. I think your question fundamentally misunderstands the nature of the problem. The issue is not, "Once the deadline passes, everything will suddenly and spontaneously explode." A big part of the issue is risk -- if there are any undiscovered vulnerabilities, those vulnerabilities will not be patched. Unless hackers have already stockpiled undisclosed vulnerabilities, it'll take some time for them to be discovered, and some of them won't be very serious or dangerous. However, any vulnerabilities that hackers know may not be discovered if there's less scrutiny, and it won't be fixed. This means an increased risk. That risk can be mitigated by shutting those machines off from the Internet. If you're going to do web browsing, using an up-to-date 3rd-party browser will mitigate the risk, assuming major browser vendors will support Windows XP.
So how much of a risk, and how much of that risk can you mitigate? It's hard to say. You're trying to assess the risk of an unknown threat exploiting an unknown vulnerability over an unspecified period of time.
To some extent, we deal with that kind of a risk all of the time. But here's the big difference: It won't get fixed. It might not seem like that big of a deal, and you might think, "We'll burn that bridge when we get to it." However, a huge, major vulnerability could be discovered tomorrow that makes your server open for any random hacker to take control of, and there will be no fix coming.
Now think about that for a second. You have a company with servers running an unsupported operating system from more than 12 years ago. Obviously, they're slow to move. They're not free with their budget. Or maybe none of those things are the problem, but the real problem is that you have a huge legacy system that is impossible to upgrade, and so you've just been leaving it alone. Either way, there are reasons why upgrades have been so slow in coming. Do you think those problems are going to suddenly evaporate when there's a crisis? Do you think that company will make good decisions in a crisis, when their business-critical server is suddenly a free playground for hackers? Nope. They're likely to drag their feet and make wildly inappropriate decisions. When faced with a crisis, they'll make the same kind of bone-headed short-term decisions that got them into the mess in the first place.
And that's the real problem here. It's not really a question about whether 2003 will be severely hacked in the next 6 months. The real question is, is your company thinking ahead, preparing, and making sensible decisions? If they are, they will have had a plan and a budget for replacing these servers, both because the OS is losing support, and because it's a >10 year old server. If you don't replace a 10 year-old server because it's working, and you don't have to replace it, that might be a sensible decision. If you have a 10 year-old server and you are unprepared for the possibility that you'll have to replace it, then you're not a competent IT person.
Block your 2003 machines from the network if you plan to keep them. That is what our security people will do.
The date for end of support for 2003 has been known for like 10 years so there has been enough time to prepare for it.
IT security is not about "what can we get away with". It is about being ready before the bad people strike. And they will. And you may not even notice.
What do you think the more likely explanation is ... the lazy tech people have said "oh, that'll be fine, what could possibly go wrong?" ... or that management has said "we have no money for such things, and we need to maximize executive bonuses this quarter"?
My experience, with anything legacy anywhere, is it's often business decisions which leave legacy stuff doing important stuff, and it's business decisions why nobody can replace it. In a few cases, the sheer magnitude of replacing the system could significantly strain the company because it's an incredibly expensive undertaking.
So, the people who expect to keep their jobs? Well, they're probably doing exactly what they've been told, and have already made this objection to management.
People who like to blame the technical people for this usually don't know what the hell they're talking about.
Nah - they'll just firewall the crap out of them and not allow Internet access... just like they do with aging Solaris 8.x and AIX 5.x boxen.
Seriously - there are probably untold hordes of NT 4 servers still grinding along out there.
How long, Nimbus, will you go on abusing our patience?
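The fallback several posters describe (cut the 2003 boxes off from the Internet, firewall them, allow only a proxy or a management network) is only as good as the check that it actually holds. The following is an added example, not code from any post in this thread: a small Python audit that takes a constructed asset inventory and constructed firewall flow-log lines and reports every allowed flow in which an out-of-support host talks to anything other than an explicitly allowed peer. Host names, addresses, the "src dst dport proto action" log format and the allowed-peer list are all assumptions made for the example.

```python
"""Audit whether out-of-support hosts are really network-isolated.

Added example (not from the thread). Inventory, peers and log lines are
constructed; replace parse_flow() and the constants with your own data.
"""
import ipaddress
from collections import defaultdict

# Constructed asset inventory: hostname -> (ip, operating system).
INVENTORY = {
    "legacy-erp-01": ("10.10.5.20", "Windows Server 2003"),
    "legacy-db-02": ("10.10.5.21", "Windows Server 2003"),
    "web-proxy-01": ("10.10.1.5", "Windows Server 2012 R2"),
    "file-srv-07": ("10.10.2.40", "Windows Server 2012 R2"),
}

# Operating systems this audit treats as out of support.
EOL_OS = {"Windows Server 2003", "Windows XP", "Windows NT 4.0"}

# Peers an isolated legacy host may still reach: the proxy in front of it
# and a management subnet. Assumed values.
ALLOWED_PEERS = [
    ipaddress.ip_network("10.10.1.5/32"),
    ipaddress.ip_network("10.10.250.0/24"),
]

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow log: one "src dst dport proto action" record per line.
FLOW_LOG = """\
10.10.5.20 10.10.1.5 3128 tcp allow
10.10.5.20 203.0.113.7 443 tcp allow
10.10.5.21 10.10.2.40 445 tcp allow
198.51.100.9 10.10.5.21 3389 tcp allow
10.10.5.21 10.10.250.12 22 tcp allow
10.10.2.40 203.0.113.7 443 tcp allow
10.10.5.20 203.0.113.8 80 tcp deny
"""


def is_internal(ip):
    """True when the address is in private (RFC 1918) space."""
    return any(ip in net for net in RFC1918)


def is_allowed_peer(ip):
    """True when a legacy host is permitted to talk to this address."""
    return any(ip in net for net in ALLOWED_PEERS)


def eol_hosts(inventory):
    """Map IP address -> hostname for every host whose OS is out of support."""
    return {ipaddress.ip_address(ip): host
            for host, (ip, os_name) in inventory.items() if os_name in EOL_OS}


def parse_flow(line):
    """Parse one constructed log record into typed fields."""
    src, dst, dport, proto, action = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto, action


def audit_isolation(inventory, log_text):
    """Return {hostname: [finding, ...]} for allowed flows that breach isolation.

    A finding is raised when a legacy host is source (egress) or destination
    (ingress) of an allowed flow whose peer is not on the allowed list. The
    peer is labelled "internet" when it is outside private address space.
    """
    legacy = eol_hosts(inventory)
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto, action = parse_flow(line)
        if action != "allow":
            continue  # a denied flow is the control working; nothing to report
        for local, peer, direction in ((src, dst, "egress"), (dst, src, "ingress")):
            if local not in legacy or is_allowed_peer(peer):
                continue
            kind = "internal" if is_internal(peer) else "internet"
            findings[legacy[local]].append(f"{direction} {kind} {proto}/{dport} peer={peer}")
    return dict(findings)


if __name__ == "__main__":
    for host, problems in sorted(audit_isolation(INVENTORY, FLOW_LOG).items()):
        print(host)
        for problem in problems:
            print("  ", problem)
```

On the constructed data the audit flags the ERP box reaching a public address directly instead of through the proxy, and the database box both reaching an internal file server that is not on its allowed list and accepting an RDP session from a public address. Denied flows are deliberately ignored: the point is to find the gaps the firewall policy leaves open, not to count what it already blocks.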