Even though the deadline for Microsoft Windows Server 2003 end of life has firmly passed, a new survey from NetCraft, a provider of Internet security services, finds that more than 600,000 web-facing systems, which host millions of websites, are still running Windows Server 2003.
Clearly, all those servers represent a continuing opportunity for IT service providers, but migration might not happen in large numbers until that first big security breach involving Windows Server 2003 actually gets discovered.
Who's still running Windows Server 2003?
All told, NetCraft reports there are more than 175 million websites being served up by an instance of Windows Server 2003. The majority of those sites (73 percent) are served by Microsoft Internet Information Services 6.0, which is the web server software that came with Windows Server 2003.
In fact, NetCraft estimates that Windows Server 2003 accounts for about a fifth of all the websites it surveyed, with China (169,000) and the United States (166,000) accounting for 55 percent of the world's Windows Server 2003 instances. In China, more than 24,000 of these servers are hosted by Alibaba Group. Nearly half of these are hosted by HiChina, which was acquired by Alibaba in 2009, and 7,500 are hosted at Aliyun, the cloud hosting unit of Alibaba.
What are the consequences?
The degree to which all these instances of Windows Server 2003 represent a security threat is naturally going to vary widely. Most of them are running applications that many organizations would not consider to be particularly valuable. That said, those web-facing servers could provide a gateway through which hackers could compromise other systems. In fact, NetCraft notes that Windows Server 2003 systems are, by definition, out of compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Of course, some of the owners of those systems may have agreed to pay for ongoing support. But the vast majority seem to be part of the legions of systems that, for one reason or another, organizations have not upgraded. At this juncture, it’s pretty clear that even though the end-of-life (EOL) deadline of July 14 has come and gone, there are still millions of instances of Windows Server 2003 running. Those systems represent an opportunity for IT services providers that comes in multiple forms.
How to upgrade server platforms
Customers can either replace the applications running on those systems altogether or upgrade to Windows Server 2008 or 2012 running on premises or in the cloud. In the former case, it’s often simpler to replace outdated applications with a modern software-as-a-service (SaaS) application than it is to upgrade the server platform. However, when customers do choose to upgrade, more often than not moving that application into the cloud is going to be the path of least resistance.
Naturally, many IT organizations will be tempted to simply redeploy those instances of Microsoft Windows Server 2003 as a guest operating system running on top of a virtual machine. While that might be a little more secure than doing nothing, Microsoft has strongly cautioned customers that this approach does not address any of the primary issues created by continuing to rely on an unpatched operating system.
In summary, it’s clear that Microsoft’s effort to drive upgrades of Windows Server 2003 was far less than a complete success. The good news is that, from an IT services perspective, upgrading or replacing those systems should continue to drive new business opportunities for years to come, especially if one of these obsolete systems winds up being at the root of a major security breach, which seems all but inevitable.