Running a Legacy Server: How Things Can Get 'Super Bad'

Patch Tuesdays: a regular-as-clockwork event from Microsoft, when necessary security updates are released for their products. They occur on the first Tuesday of every month, and a typical Patch Tuesday fix might address a vulnerability in various versions of Windows, or a bug found in server software.

They are released to keep your software as watertight as possible against potential threats like hackers going after your data. Most typically, patches are released by Microsoft and are collected by individual servers and PCs via the Windows Update service. (TSG SystemCare, a service we can provide for our customers, is different – we quarantine and test the patches before releasing them in an efficient, controlled way via a central location.)

Microsoft have tried to get away from the whole ‘patch’ brand (I guess it has the connotation of fixing a pair of jeans with a piece of material – it will work, but your jeans will never look the same again). They now refer to it as ‘Update Tuesday’ – but they seem to be the only ones.

Anyway, Patch Tuesday is no longer the predictable, by the book, monthly occurrence that it used to be. This is because a few Microsoft products have recently reached, or are about to reach, ‘end of life’ (or to put it another way, “You’re on your own with this version now”).

Plus, we all know that cyber crime continues to be on the rise – it’s organised, it’s become a business, and it’s a constant tug of war to maintain the advantage against them. Combine an out-of-support (but still heavily used) product with an opportunist hacker, and the potential for absolute chaos is very substantial.

Take February’s Patch Tuesday. There were nine security updates – three of these were critical, and for one of them I’ll go by The Register’s classification of ‘super bad’.

The ‘super bad’ fix is for a flaw in the design of Windows which could lead to your entire PC being taken over by a hacker, should you connect it to an infected domain-configured Windows system (domain-configured is what most businesses have installed to allow multiple PCs to connect to a server).

When in control of your PC, the hacker could then steal data, or encrypt it and then hold it to ransom. They could fully exploit your admin rights to see anything you wouldn’t want anyone else to see. In fact, there’s a long list of what they could do once inside your PC.

It is now fixed, but not for everybody. Anybody who hasn’t upgraded from Windows Server 2003 yet will want to give some serious consideration to exploring their upgrade options much sooner rather than later. Here’s the official reasoning from Microsoft as to why Server 2003 will remain unfixed against this ‘super bad’ vulnerability:

“The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003. To do so would require re-architecting a very significant amount of the Windows Server 2003 operating system, not just the affected component. The product of such a re-architecture effort would be sufficiently incompatible with Windows Server 2003 that there would be no assurance that applications designed to run on Windows Server 2003 would continue to operate on the updated system.”

So, despite the fact that Windows Server 2003 will still be supported until July 14th this year, the fix for this very serious Windows flaw isn’t, and will never be, available to those who are running it. So really it’s a taste of what’s to come if you haven’t upgraded by July.

For those of you who are still running Windows Server 2003, first of all, please look at your options for upgrading. If you really can’t, the advice is to “[only] use properly configured VPN solutions when connecting to untrusted networks” (From a Microsoft spokesperson speaking to The Register).

However, it goes deeper than that. You will have to manage your entire IT environment – the ugliness of an unsupported server extends well beyond the room it sits in. You’ll need to make sure it’s isolated from your main network and firewalled. Crucially, there’s a big education point here for your users, making sure they’re accessing the network in a very secure fashion.

We’ve also all got to work together. You may think you’ve found a cunning plan to get around this whole Server 2003 thing by using another network to log on from. This might be the office next door, or the local café that has WiFi enabled.

Unfortunately not. If you’ve enabled remote access for your employees, and they use a network that happens to be using Server 2003, then they are putting your entire database at risk, probably unknowingly.

In fact the only way to guarantee security of these legacy 2003 server systems after the end of support date in July is to shut them down and unplug them!

Despite what many people understand, virtualisation is not a solution to protecting your network from out-of-support operating systems.

If you really have no other option and need to continue to access these legacy servers, then talk to us about what options exist to minimize the risks after this date.