Yes, the hourglass is getting emptier by the day.  While we deal with thousands of customers across public and private sectors, representing every organizational category you can imagine, one theme remains constant:  No one seems concerned about the impact of July 14, 2015 on their organization.

For some organizations, the end of life – and more significantly, support – for Windows Server 2003 is an event that may mean significant challenges and difficulties.  Entities that must comply with regulatory requirements may find themselves in a very painful position later this year, especially as auditors invade their offices.

Let’s take a look at a couple of regulatory agencies, their positions on the use of an unsupported operating system in the infrastructure, and some of the options organizations may have for complying with their requirements.

  • Payment Card Industry Data Security Standards (PCI DSS), requirement 6.1, states that all entities must “ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed.”
  • Health Insurance Portability and Accountability Act (HIPAA), section 164.308(a)(1)(ii)(B), states that covered entities must “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

So essentially, the inability to patch Windows Server 2003 after July 14, 2015 is going to violate the requirements of most, if not all, compliance organizations.  The penalties can vary from outright rejection (e.g., the inability to accept credit card payments in a PCI environment) to severe fines for every month the organization is out of compliance.

Action Steps

What are you to do, especially if your organization is one of those that must comply with these requirements?  The choices are limited:

  • First, you can choose to entirely remove Windows Server 2003 from your environment, which would be the ideal and preferred choice.
  • Your next option is to have a solid plan for the removal and to be executing that plan at the time of an audit.  Even if you’re not finished, this might allow the auditors to grant you time to complete the removal without financial penalty.
  • The last choice is compensating controls.  Whitelisting the systems able to connect with these servers, extensively auditing system and security logs, carefully firewalling these systems from the rest of the infrastructure and implementing intrusion detection systems are all examples of methods that can be combined in this solution.  It’s also worth noting that compensating controls are almost always considered a short-term solution during the removal of the systems.

If yours is one of the unlucky organizations for which compliance requirements must be met, hopefully you have a removal process well underway.  If you do not, look to CDW to help. We can accelerate the discovery and categorization of the servers and applications, as well as the removal planning itself. That will help you craft an approach using tested practices while avoiding the pitfalls and ensuring success of this project.

The clock is ticking. Get started now!