Make Migration From Windows Server 2003 a Priority, Before Support ...

This research note is restricted to the personal use of [email protected] G00263819

Make Migration From Windows Server 2003 a Priority, Before Support Ends in July 2015

Published: 18 June 2014

Analyst(s): Carl Claunch

Support for Windows Server 2003 will end in July 2015. Production systems should be migrated to a supported operating system before that date, as risk to the enterprise rapidly increases after that date.

Impacts

■ IT operations teams will find that systems including business-critical applications could be compromised, enabling data theft and unauthorized transactions as well as hosting attacks against other systems inside the data center.

■ IT operations teams will find erroneous operation of applications and other software products may occur, linked to defects in Windows Server 2003 that no longer can be corrected, thus leading to extended or permanent loss of those application functions.

■ Continuing to employ Windows Server 2003 may cause some organizations to not be able to meet regulatory and compliance requirements.

■ Business leaders may not be aware of the risks they will face if Windows Server 2003 systems are not migrated, leaving IT leaders at fault for the incomplete disclosure if problems later arise.

Recommendations

IT operations teams should:

■ Build a clear, explicit and complete position paper that outlines the risks of continuing to run Windows Server 2003, impacts, limits on restoration and extended nature of certain outages, targeted at business leaders.

■ Provide the risk document to key business leaders as soon as possible, then negotiate with them to gain support for actions and costs that will be required to complete a Windows Server 2003 migration before July 2015.

■ Make the migration effort a suitably high priority to gain approval and funding for the project such that it can be completed before support ends.


Analysis

Microsoft extended support for Windows Server 2003 and Windows Server 2003 R2 is scheduled to end on 14 July 2015 [1]. After that date, they will not provide patches to fix security exposures nor corrections to repair any late-discovered defects in the code. Users who continue to use these operating systems (OSs) on servers in their organization face a number of negative impacts. There may not be much debate over the advisability of migrating all servers to a newer, supported OS, but for many IT organizations the priority for this task relative to all potential activities is too low.

At this point in time, Windows Server 2012 R2 is the destination to which these older servers will be migrated. A migration of a large pool of servers to a new OS is a long and resource-intensive effort, one that must be started soon if the project is to be completed before July 2015.

By analyzing the impacts of operating production systems running under Windows Server 2003, it should become clear that completing a migration before mid-2015 needs to be a high priority. Mitigation activities are possible if the migration is not done, but these activities merely lessen the risks and impacts. "Managing the Risks of Running Windows Server 2003 After July 2015" discusses how best to address the situation if migration is not possible, but that is a poor second to the best decision, which is to ensure Windows Server 2003 is not in use after July 2015.

Except for a few customers who choose to buy a custom support agreement, which is typically a seven-digit expenditure and only buys a finite extension in support of a later completion of an active migration, when the extended support for Windows Server 2003 ends in July 2015, Microsoft offers no commitment to make fixes or other support for this product available. Security exposures that may be identified after that date likely will not be closed by issuance of a security patch, rendering these systems permanently vulnerable to attack.

You can't count on receiving repairs for code defects in Windows Server 2003 either, regardless of the severity of outages that may be triggered by that defect. Sellers of other products that may be used on systems running Windows Server 2003 are likely to withdraw their support for defects or security exposures in their own products, since they will have lost the assurance of patches and support from Microsoft if changes to the operating system are needed. Thus, the end of extended support for the OS can lead to the end of support for other products when they are run atop Windows Server 2003, although those other products may continue to be supported if used on newer versions of Windows Server. Clients should engage their independent software vendors to ensure that all relevant facts are at hand.


Figure 1. Impacts and Top Recommendations for Migration From Windows Server 2003

Impacts

• Systems could be compromised, enabling data theft and unauthorized transactions as well as hosting attacks against other systems inside the data center.

• Erroneous operation of applications and other software products may occur, linked to defects in Windows Server 2003, thus leading to extended or permanent loss of those application functions.

• Continuing to employ Windows Server 2003 may cause some organizations to not be able to meet regulatory and compliance requirements.

• Business leaders may not be aware of the risks they will face if Windows Server 2003 systems are not migrated, leaving IT leaders at fault for the incomplete disclosure if problems later arise.

Top Recommendations

• Make the migration effort a suitably high priority to gain approval and funding for the project such that it can be completed before support ends.

• Provide business leaders with an outline of the risks of continuing to run Windows Server 2003, impacts, limits on restoration and extended nature of certain outages.

• Provide the outline to key business leaders as soon as possible, then negotiate to gain support for actions and costs required to complete a Windows Server 2003 migration before July 2015.

• Make the migration effort a suitably high priority to gain approval and funding for the project such that it can be completed before support ends.

Source: Gartner (June 2014)

Impacts and Recommendations

IT operations teams will find that systems including business-critical applications could be compromised, enabling data theft and unauthorized transactions as well as hosting attacks against other systems inside the data center

Security vulnerabilities could arise for which no protection is possible. Attackers who exploit these openings could gain control of systems based on Windows Server 2003. They can use the compromised system to launch attacks from within the data center against other, newer systems to capture and relay data from the network to the attacker outside and introduce false transactions or tamper with legitimate business activities. If such an attack were to take place, it may be impossible or impractical to stop it from succeeding and from being repeated, since the code vulnerability inside the OS will not be patched.

Business functions dependent upon the system running under Windows Server 2003 may be unexpectedly subject to complete loss of access to the functionality of the system if it has to be shut down due to compromise. Alternatively, lack of viable alternatives for the business function may dictate that the system remain in operation despite compromises, thus endangering other systems that are not based on Windows Server 2003.

Recommendation:

■ Make the migration effort a suitably high priority to gain approval and funding for the project such that it can be completed before support ends.

IT operations teams will find erroneous operation of applications and other software products may occur, linked to defects in Windows Server 2003 that no longer can be corrected, thus leading to extended or permanent loss of those application functions

Applications may have worked correctly for many years, yet be vulnerable to defects that remained latent. Minor changes in external conditions can trigger defects and cause a malfunction. This might be related to other activities on the server, growing workload volumes or combinations of input data, such as business transactions, that had not previously occurred. If the defect requires a change to the Windows Server 2003 code to stop the malfunction of the application, lack of support implies that this malfunction may be permanent.

Depending on the scope of the malfunction, the business organization may be able to overcome the loss of function through minor changes in their processes, but there is an equal chance that a malfunction could leave the organization unable to address a significant portion of their business activities. If alternative software were easy to adopt, it is likely that these systems would have been successfully migrated away from Windows Server 2003 before the support deadline. Therefore, the loss of application function might exist for many months while an unplanned emergency migration is attempted.

Recommendations:

■ Build a clear, explicit and complete position paper that outlines the risks of continuing to run Windows Server 2003, impacts, limits on restoration and extended nature of certain outages, targeted at business leaders.

■ Provide the risk document to key business leaders as soon as possible, then negotiate with them to gain support for actions and costs that will be required to complete a Windows Server 2003 migration before July 2015.

Continuing to employ Windows Server 2003 may cause some organizations to not be able to meet regulatory and compliance requirements

Those organizations that are subject to key system requirements and must run on supported products cannot meet those requirements if they operate servers under Windows Server 2003 after 14 July 2015. Overt obligations are easily identified; however, the organization may discover more subtle burdens that they will not meet if migration is not completed.

Impacts and losses caused to other organizations or customers due to issues that arise from unsupported operation, such as an extended inability to meet contractual commitments due to inoperable applications, may appear negligent even if not explicitly demanded for compliance reasons.

Recommendations:

■ Build a clear, explicit and complete position paper that outlines the risks of continuing to run Windows Server 2003, impacts, limits on restoration and extended nature of certain outages, targeted at business leaders.

■ Provide the risk document to key business leaders as soon as possible, then negotiate with them to gain support for actions and costs that will be required to complete a Windows Server 2003 migration before July 2015.

Business leaders may not be aware of the risks they will face if Windows Server 2003 systems are not migrated, leaving IT leaders at fault for the incomplete disclosure if problems later arise

In many situations where the priority and timing of a Windows Server migration is being debated within a company, business groups may be resisting the migration due to downtime incurred as part of the migration project, imposed charges the users will face to cover the costs, and other implications of change such as end user training requirements. Often, the business leaders who are familiar with the costs of a migration project are not as aware of the scenarios that may occur after support ends.

IT leaders need to make the risks clear to business leaders in an extraordinarily explicit way, ensuring they realize that continuing to rely on IT systems running under Windows Server 2003 could expose them, without advance warning, to withdrawal of access. Further, the IT organization will not have the means to restore access in all cases, leading to the possibility that lack of access could endure for months or more until a replacement application can be introduced.

Without an unusually direct and complete description of the potential outages, business leaders may wrongly conclude that IT leaders will have the means to deal with any security or functionality problems when they arise. In that mistaken view, lack of support is simply an inconvenience to the IT group but does not compromise the ability to restore normal operations with "a little additional effort."

Facing business leaders who are dealing with a prolonged inability to conduct normal business operations, IT leaders may be held to high standards for a proactive disclosure of the risks the entire company undertook as it depended upon Windows Server 2003-based systems post-support. At best, such a situation would be a black eye on the image of the IT group and its leaders, with more dire alternatives possible.

Recommendation:

■ Make the migration effort a suitably high priority to gain approval and funding for the project such that it can be completed before support ends.


Gartner Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

"Managing the Risks of Running Windows Server 2003 After July 2015"

Evidence

[1] The support termination date pertains to all members of the Windows Server 2003 family, including Windows Server 2003 R2 and Windows Small Business Server 2003.



© 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity.”
