Two-thirds of UK companies will continue running Windows Server 2003 after Microsoft ends support for the product on 14 July, a recent report has shown.
Continuing to use software with no developer support leaves the user open to many risks, according to the report, the Windows Server 2003 (WS2K3) End-of-Life Survey, conducted by endpoint security specialist Bit9 + Carbon Black.
A total of 153 UK organisations were surveyed.
Of those, more than two-thirds of the organisations running Windows Server 2003 today will still be using it after the end-of-support deadline, and of those that are planning to upgrade, more than a third will not have completed their project by the deadline.
Just under a quarter of those still running WS2K3 after the end-of-support deadline have no plans to put any compensating controls in place – leaving them at serious risk of a security breach.
Servers, including domain controllers and web servers, are where most organisations’ critical information resides. So if organisations continue to run Windows Server 2003 without implementing appropriate compensating controls—such as application whitelisting—they will put customer records, trade secrets, and other highly valuable data at risk. Cyber criminals, hacktivists and nation-states prey on unprotected servers, leaving enterprises exposed to potentially catastrophic breaches that can lead to lawsuits, regulatory fines and loss of customer trust.
Worst of all, once an exploit has been found, hackers can keep using it indefinitely, because no patch will ever be released.
If these companies wish to keep their businesses up and successfully running, there are some things they can do.
Enterprises looking to address Windows Server 2003 end of life without upgrading should consider compensating controls to keep their systems secure and compliant after Microsoft support ends.
Effective compensating controls for organisations without an upgrade plan include: network isolation, application whitelisting, and continuous server monitoring.