In January 2015, Microsoft released a patch to fix an issue in the Network Location Awareness (NLA) service. That vulnerability affects all versions of Windows Server, but a fix was not provided for the Windows Server 2003 platform. As stated in the bulletin, “The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003.” What the bulletin is really saying is that Windows Server 2003 is so different from modern systems that Microsoft simply cannot fix the NLA service issue on that platform. As a result, Windows Server 2003 remains vulnerable to what Microsoft deems an important-class issue.
This inability to patch highlights the differences in operating system (OS) architectures between modern OSes and an OS now over eleven years old. While this patch alone should not push enterprises to move away from the OS, the impending end of support for this OS should have businesses thinking about what comes next for their remaining Windows Server 2003 deployments.
HPSR knows that security folks understand the dangers of clinging to operating systems and applications that are out of support – and we also know that they sometimes need to make the case to others in their organizations.
To that end, we’ve put together a short (five-page) white paper covering what end-of-support for Windows Server 2003 means and doesn’t mean. We detail the substantial differences in defense-in-depth protections between modern OSes and Windows Server 2003, an OS released when Friends was still on the air and not on Netflix. Finally, we walk through the options for life after end-of-support – including reconsidering your company’s Microsoft relationship, or doing nothing at all. If you are still running Windows Server 2003, you have some decisions to make soon; we’re here to help.
I am a senior security content developer with Hewlett Packard Enterprise Security Research. In this role, I write and edit security analysis and supporting content from researchers. I am also responsible for providing insight into the threat landscape, competitive intelligence to the research team, and guidance on the social media roadmap. Part of my role includes speaking publicly and promoting the research and technology of HPE Enterprise Security Products.