On Jan. 14, 2020, mainstream support for Windows Server 2008 and Windows Server 2008 R2 will be ended. If you do nothing, your servers will no longer receive regular security updates from Microsoft after this date.

Why is this of concern? Most companies must comply with many different regulatory requirements. Regulatory agencies often have mandates in place to protect all systems from known vulnerabilities and have current vendor-supplied security patches installed.

Let’s look at a couple common ones:

  • Payment Card Industry Data Security Standard (PCI DSS) requirement 6.2 states: “Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.”
  • Health Insurance Portability and Accountability Act (HIPAA) section 164.308 (a)(1)(ii)(B) states: “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

After Jan. 14, 2020, on-premises Windows 2008 and Windows Server 2008 R2 will no longer be patched and will violate most of the compliance regulations with varying penalties. Are you willing to take that risk?

Simple Is Not Always Easy

So, what are your options to get your systems to a level of security that will be supported after Jan. 14, 2020?

The traditional answer is to upgrade to a newer version of Windows Server. This answer may be simple, but the ability to execute is not always so easy. If it were, you would not be thinking about it, since all your systems would be running the latest and greatest version of Windows Server.

If you are reading this, you are probably looking for the easy button. Unfortunately, there isn’t one solution, but you do have options. Your final solution will probably be some combination of the options available.

Applying the 5 R’s

In 2011, Gartner suggested its “5 R’s” for migration of applications to the cloud, and those are still viable alternatives for dealing with Windows Server 2008 end of support even if you are not looking at moving to the cloud completely. Let’s take a closer look at the recommendations.

  1. Rehost: Redeploying servers to a different host would not normally help for an operating system end-of-support event. However, with Windows Server 2008 this is a viable option. Microsoft recently announced that if you migrate your Windows Server 2008 with SP2 or Windows Server 2008 R2 with SP1 servers to Azure, you will get three years of Extended Security Updates at no additional charge. With this scenario, you will still have to deal with the applications running on these servers, but you will now have until January 14, 2023, before worrying about security updates.
  2. Refactor: For most organizations, refactoring means that you will need to rewrite the applications and move them to a supported Platform as a Service (PaaS) or Software as a Service (SaaS) cloud infrastructure, which will remove the operating system from the equation. For many people, this is the nirvana state because it will remove the operating system server dependency for future operating system end-of-support cycles.
  3. Revise: This option allows you to reconfigure/upgrade your existing applications, so they are cloud ready. Once they have been updated, they may still need to be rehosted or refactored as needed. For most end-of-support events, this isn’t a viable option. You might as well just rehost the server and then refactor later.
  4. Rebuild: For some applications rebuilding may be the same as refactoring, but with a slight twist. Rebuilding throws away the existing application and re-architects it from scratch. This may be an option for applications that can be rebuilt using “cloud-first” methodologies. This can also apply to situations where the existing application is rebuilt on a newer supported operating system. This will be common choice for organizations that want to keep their servers on-premises. This is your “upgrade” option discussed earlier.
  5. Replace: Replacing the application completely is the final option. If your current application does not have an upgrade option (i.e., 32-bit legacy apps), this may eventually be your only viable choice for those applications. As you are looking at this option you will also want to investigate replacing the on-premises application with a SaaS version of the application. For 32-bit applications, you can buy some time by rehosting those 32-bit servers to Azure. As discussed in the rehosting section, this will buy you an additional three years of extended server support.

Determining the Right R

How do you know which option is right for your Windows Server 2008 servers and related applications?

First and foremost, you must know what you have in your environment that will be impacted by the end-of-support deadline. Hopefully you have a good inventory. If not, you will need to run an assessment tool to get a baseline of those systems. The assessment tool needs to provide more than just basic information about the server. It must be able to provide a full list of applications running on those servers and show what other systems are dependent on each server/application.

Once you have a good assessment inventory of your environment, it is time to start applying some human intelligence to the data. This will often take multiple passes at the data to fully understand and categorize the servers into their proper “buckets” for rehosting, refactoring, revising, rebuilding or replacing.

During this phase, both the IT and business owners will need to be involved to determine the correct plan for each server/application combination. Along with putting them in their 5 R’s buckets, you will want to assign an initial level of complexity. Some applications may have a semi-easy plan for moving to a new operating system such as Active Directory Domain Services versus an application where the developers are no longer available to help. The complexity will be important to determine the level of effort it will take to migrate/upgrade the application.

Building Your Migration Plan

Now that you have the server/application put into its initial buckets you can start building the migration plan for each server/application. You will want to make sure both IT and business owners are in full agreement on the plan. For organizations with a lot of end-of-support server/applications, you will need to get agreements from both IT and business owners for the prioritization of the different applications to be resolved. This stage may take some strong negotiating skills to coordinate the full plan.

Now that the plan is created, it is time to execute! You have until Jan. 14, 2020. Sounds easy, right?

CDW can help you throughout this process. Contact your account team to learn more about CDW’s assessment and migration offers.

Learn more about CDW’s partnership with Microsoft.