Friday, April 24, 2015

Should we upgrade from Windows Server 2003?

The hype is all over the need to upgrade from Windows Server 2003.  But is that more hype than reality?  I'm probably in the small minority of security professionals who thinks so.  Sure you won't be able to get patches for Server 2003 after July - but how big a deal is this?  Does it signal death for companies that can't upgrade?  I think not.

"You can't get patches anymore" isn't a business case to upgrade from Server 2003.  If you want a business unit to upgrade, you have to make a business case.  Do they have software that won't run on Server 2008 or later?  What about some application that is really tied to the OS installation?  If that application supports a critical business process, can you really afford the risk to upgrade? Certainly not hastily. 

Note: If you have regulatory requirements for upgrading, then ignore all the "business" arguments I'm making here.  You need to upgrade.

Sure, not patching presents a risk.  But hastily migrating to a new platform also has risks. In infosec, we are best served ignoring the hype and supporting the business in helping them create realistic risk models.  If you haven't started your migration plans yet, rushing to get the migration complete before July is probably going to introduce more risk than it will mitigate.

Does that mean you should do nothing?  No, not at all.  If you have Windows 2003 servers that you won't upgrade and that aren't getting patches, you should consider additional risk mitigation strategies.  What would these entail?  I'd start by recommending enhanced logging.  Of course more logs mean more analysis work.  If you don't have a SIEM, get one now.  I recommend an AlienVault deployment for a quick fix - if you don't have the resources to upgrade from Server 2003, you don't have the resources to deploy a complex SIEM product.  You want something you can have up and running in no time and something that's cost effective.  AlienVault fits the bill on both counts.

Beyond logging, what else is there?  You'll want to restrict the functions that the server performs.  Maybe you can't move that database or web application that's heavily tied to your 2003 server, but there's no excuse for hosting SMB file shares from the same server.  Those should be relatively trivial to move to a newer server.  Just like anything else, you should seek to minimize your attack surface by minimizing the number of services offered.  But when you can't patch the OS the services are running on, the case for minimizing your attack surface becomes much stronger.
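As an added example (not code from the original post), the script below turns captured `net share` and `netstat -an` output from a legacy host into the inventory you need before deciding what to move off the box: the non-default SMB shares and the TCP ports something is still listening on. The command output it parses is constructed for the example, and the host, paths and ports in it are assumed.

```python
# Added example, not from the original post: parse captured `net share` and
# `netstat -an` output (constructed samples) to list what a legacy host exposes.
import re

NET_SHARE_SAMPLE = """\
Share name   Resource                        Remark
C$           C:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\WINDOWS                      Remote Admin
Finance      D:\\Shares\\Finance               Finance dept
Public       D:\\Shares\\Public
The command completed successfully.
"""

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1433          10.0.0.77:50211        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def user_shares(net_share_output):
    """Non-default shares: a share row is 'name  drive:\\path', admin shares end in '$'."""
    shares = []
    for line in net_share_output.splitlines():
        m = re.match(r"^(\S+)\s+[A-Za-z]:\\", line)
        if m and not m.group(1).endswith("$"):
            shares.append(m.group(1))
    return shares

def listening_tcp_ports(netstat_output):
    """Sorted TCP ports in LISTENING state (UDP rows have no state column)."""
    ports = set()
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "TCP" and f[3] == "LISTENING":
            ports.add(int(f[1].rsplit(":", 1)[1]))
    return sorted(ports)

def migration_candidates(net_share_output, netstat_output):
    """Summarise what should move to a patched server before this host stays on."""
    shares = user_shares(net_share_output)
    ports = listening_tcp_ports(netstat_output)
    notes = []
    if shares and {139, 445} & set(ports):
        notes.append("file shares still served over SMB: " + ", ".join(shares))
    return {"shares": shares, "listening_tcp": ports, "notes": notes}
```

Run the two commands on the server, save their output, and feed the files to `migration_candidates`; anything it reports that isn't the application you are keeping the box for is a candidate to move.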

Lest you think that staying on server 2003 forever is an option, let me dissuade you further.  There will be vulnerabilities in the apps that you run on the server.  And those apps will be easier to exploit on server 2003 than they will be running on a more modern version of Windows.  Newer versions of Windows support kernel ASLR and other exploit mitigation technologies not present in Windows Server 2003.  So before you think that server 2003 might be a permanent solution, consider that like a leech sucking blood from your arm, it makes everything running on it a bit weaker.

So is the impending death of server 2003 hype or reality?  Actually a little of both.  You should be making plans to get off of server 2003, but if you haven't made plans yet, your networks won't fall tomorrow if you don't do so immediately.