Dark Reading
Products and Releases

Windows Server 2003 End-of-Life Survey Finds Nearly One in Three Companies Will Miss Deadline, Leaving Nearly 3 Million Servers Vulnerable to Breach

Poll of 500 U.S. and U.K. enterprises finds more than half do not know deadline date

WALTHAM, Mass.—March 25, 2015—Bit9® + Carbon Black®, the leader in endpoint threat prevention, detection and response, today announced the results of its “Windows Server 2003 (WS2K3) End-of-Life Survey,” which found that many companies have yet to migrate away from the server platform and remain woefully unprepared for the end of support from Microsoft.

An estimated 2.7 million servers, potentially containing hundreds of millions of files, will be unprotected after July 14, 2015, the end-of-life deadline, according to the survey Bit9 + Carbon Black conducted in February 2015. Key findings from the survey of IT leaders at 500 medium and large enterprises in the U.S. and U.K. with at least 500 employees include:

- Nearly one in three enterprises (30 percent) plan to continue to run WS2K3 after the July 14 deadline, leaving an estimated 2.7 million servers unprotected

- More than half of enterprises (57 percent) do not know when the end-of-life deadline is

- 14 percent of enterprises do not yet have an upgrade plan for WS2K3


Servers, including domain controllers and Web servers, are where most organizations’ critical information resides. So if organizations continue to run Windows Server 2003 without implementing appropriate compensating controls—such as application whitelisting—they will put customer records, trade secrets, and other highly valuable data at risk. Cyber criminals, hacktivists and nation-states prey on unprotected servers, leaving enterprises exposed to potentially catastrophic breaches that can lead to lawsuits, regulatory fines and loss of customer trust.

“The Windows Server 2003 end-of-life deadline must not be taken lightly,” said Chris Strand, PCIP, senior director of compliance and governance for Bit9 + Carbon Black. “But based on the results of this survey, it appears that too many organizations are doing just that. With only about 100 days left until the end-of-life deadline, organizations yet to upgrade must immediately aim to get their WS2K3 systems into a compliant state to eliminate financial, and potential legal, penalties and avoid the brand damage associated with failed audits, data breaches, and noncompliance.”

With the critical role servers play at any enterprise, WS2K3 end of life presents an even greater risk than last year’s Windows XP end of life. Continued operation of unsecured WS2K3 systems can leave organizations exposed to “zero-day forever scenarios,” in which new zero-day vulnerabilities are discovered and exploited by attackers and no publicly available patch will ever be provided.

The results indicate that many IT managers are completely unprepared to meet the deadline, leaving their organizations scrambling to find compensating controls or risk being vulnerable to cyber attacks. The risks of running an operating system that can’t be patched are vast, including:

- Breach and data compromise: malware authors can gain access to highly confidential information such as critical research and development plans, core business databases, consumer credit card/financial data, or patient information.

- Financial penalties: organizations in a noncompliant state can be fined for failing compliance audits.

- Loss of privileges: an organization can lose the right to process major credit card transactions and access to business-critical data.

- Damage to corporate brand: often the most devastating consequence, and one that can be difficult to remediate. According to the National Cyber Security Alliance, 60 percent of small and medium businesses that suffer a breach go out of business within six months.


What Organizations Can Do
Enterprises that intend to keep running Windows Server 2003 past end of life without upgrading should consider compensating controls to keep their systems secure and compliant after Microsoft support ends. Effective compensating controls for organizations without an upgrade plan include network isolation, application whitelisting, and continuous server monitoring. The report explains each type of control.

Originally launched in 2003, Windows Server 2003 and its 2005 update, Windows Server 2003 R2, are relied upon by thousands of organizations for critical production workloads. There are approximately 9 million WS2K3 systems still in use.

About Bit9 + Carbon Black
Bit9 + Carbon Black provides the most complete solution against advanced threats that target organizations’ endpoints and servers, making it easier to see—and immediately stop—those threats. The company enables organizations to arm their endpoints by combining continuous, real-time visibility into what’s happening on every computer; real-time signature-less threat detection; incident response that combines a recorded history with live remediation; and prevention that is proactive and customizable. More than 1,000 organizations worldwide—from Fortune 100 companies to small enterprises—use Bit9 + Carbon Black to increase security, reduce operational costs and improve compliance. Leading managed security service providers (MSSP) and incident response (IR) companies have made Bit9 + Carbon Black a core component of their detection and response services.

Bit9 and Carbon Black are registered trademarks of Bit9, Inc. All other company or product names may be the trademarks of their respective owners.
