Is the end of support for Windows Server 2003 a cause for panic?
As with ‘Y2K’ at the end of the millennium, clear, logical planning is key to guarding against the worst-case scenario.
Unless you have been living under a rock or have an impressive gift for auto-filtering what information enters your brain, you will be aware that as of July 15thextended support will no longer be available for Windows Server 2003. Of course, this translates into a seemingly nightmare scenario whereby your IT dept will no longer receive patches or security updates to fix bugs or performance issues, meaning your applications and business will be at risk. Any new threats to your systems won’t be tackled and they will become a security risk as well as a big headache on the compliance front.
Countless blogs and articles have been produced warning of the looming deadline and the huge risk a company will take by not being fully prepared for it. Some companies, like during the Y2K ‘scare’, have tried to take advantage of this by indulging in a little scaremongering, conjuring up all manner of disastrous scenarios in the hope that they can take a sizeable bite out of your IT budget.
While some will argue that the disasters predicted by the Y2K situation didn't materialise due to the extensive work undertaken by governments, companies and organisations to guard against it, others believe that the problem wasn't that serious in the first instance and that there would have been only a few minor mistakes which could have been “fixed on failure”. I have only a few hundred words to play around with here so that’s a debate I’m not touching but while you are certain to run into problems if you don’t prepare adequately for July 15th, is the importance of the deadline being over-egged a little?
The question to ask is, if your business is still running Windows 2003 on July 15th what will happen? Will your servers be instantly exposed to new security holes? Will your already stretched budget be further devoured by a huge increase in maintenance costs? Is your entire IT environment at risk of collapse? Well, in short the answer is no. Just as with the Y2K bug when no planes fell out of the sky and the financial system was not moved back to year zero, the end-of-support date for Windows 2003 is not an indication that the four horseman of the apocalypse are coming riding over the hill just yet. However, a failure to successfully plan for the post-support future will bring your organisation serious problems - not might but will - and it’s just that you won’t get a huge smack in the face on July 16th but you will some day and if you’re not prepared for it then it could be a knockout blow for you and your organisation.
The absolute key ingredient to avoid this is to have a clear, phased plan in place, to communicate this to all relevant stakeholders and then to execute it according to the last, tiny detail. First up, as always, is to analyse and categorise all your servers. Infrastructure servers running Windows Server 2003 must remain in the control of IT and they can be remediated more easily. However, if this can’t be completed before the deadline then it is of paramount importance that they be isolated from external connectivity.
Your application servers can then be broken down into two types; those which are ‘owned’ by business units will not be the primary responsibility of IT (although IT will need to engage in provision of new servers and support the business unit in transition) but it will be down to the business owners to engage with vendors to find a solution. Then those applications with no support vendors – because the vendor no longer exists or production of that particular application has stopped – will also fall under the remit of business owners. IT can’t fix these; it will be a business decision as to what to replace them with. Of course, IT will play a full role in this but it will be the business that will be responsible for and driving these decisions.
While any infrastructure servers running on Windows 2003 will have to be tackled and dealt with before support deadline day, the future of your application servers is less immediately critical; what happens to these can be phased over a six-month period. Although support will have ended for these, the simple fact is they will be no more insecure than they were the day before the deadline. Once they are patched to the last available patch, they are then pretty secure for the foreseeable future; the fact that the vast majority of patches are out-of-date as it stands and that there are fewer attacks on Windows 2003 means July 15th isn't a potential end-of-days moment for your organisation. An absolute must however, is for your organisation to engage with vendors to formulate a plan for migration.
Once you, your application business owners and vendors have agreed upon a destination for each application and workload, and a migration plan, it is essential to then engage with your business leaders to outline the plan and the timescale involved. Once the plan is clear, feasible and has an acceptable completion date then although there will be a risk involved, the auditors and/or business leaders will generally agree to allow the risk so long as the proposed timescale is strictly adhered to. A failure to fully placate these parties could result in a significant loss of business while penalties from being non-compliant could increase your costs.
So while the deadline for end-of-support for Windows Server 2003 isn't a do-or-die scenario, failure to adequately plan for the weeks and months afterwards will result in all manner of problems for your department and your business. As with the Y2K scare, the promotion of the deadline is probably being overhyped in some quarters, but you will fail to properly prepare for it at your peril.
To ensure you are best placed to deal with the the end of Windows Server 2003, contact our Consulting team today on 01 240 2287 or email info@sureskills.com.