We’ve had several blog posts listing reasons to replace your Windows 2003 servers as soon as possible. Server 2003 will be targeted by the most malicious hackers because no patches are coming from Microsoft.
I’m sure you’ve been working diligently on migrating and upgrading, but there are probably a few systems that just aren’t easy to separate from Server 2003. Usually, they have some 16-bit code or include deep API’s into the Windows kernel that just won’t let it go.
Here are some ideas:
- Move to a cloud-based, SaaS offering instead. Even though that old Fax application is paid for and running, it’s now a security hole because of the Server 2003 base. New applications offer extended features and are better tailored to modern, access-anywhere work styles. We’ve talked to several customers stuck on an old Exchange 2003 or 2007 server because of an old fax system. Two birds with one stone! Move email to an Office 365-hosted Exchange and upgrade your fax capability at the same time. You’ll have fewer servers to manage – a win-win-win!
- Try a bigger hammer. To aid the move of an old application to Server 2012 or Server 2008, there are some tools that can help. The Microsoft Application Compatibility Toolkit or Citrix AppDNA may give remediation hints that you didn’t think of. Sometimes it’s just an older version of ASP.NET libraries.
- “Containerize” the application. Although it may cost a little more, technologies like AppZero can wrap the old, Server 2003-dependent application in a portable container that may run on a new version of the OS. You still haven’t modernized the application, but at least it’s not running on a vulnerable OS base.
If you still can’t get rid of that Windows Server 2003 operating system, then guard it diligently. Use a comprehensive server management system, like Microsoft Systems Center Operations Manager, to aggregate and report in real-time. Watch for any failed admin logins or attempts to access services that aren’t directly application-related. Isolate the Server 2003 systems behind another firewall, keep an up-to-date antimalware system and use NIST or other lock-down standards to harden the system. Finally, assign a senior administrator the responsibility of watching these servers until they can be removed from your production networks.