
Half of Windows Server 2003 fans will miss July's security cut-off

Please, sir, can we have a Custom Support Agreement?

By Gavin Clarke, 30 Jun 2015

More than half of companies are now expected to miss the deadline to quit Windows Server 2003 before Microsoft’s 14 July end-of-extended-support cut-off point.

Many will seek security cover through Microsoft Custom Support Agreements (CSAs) charged at $600 per server, or reckon on having in place their own plans for coping.

Firms in the normally risk-averse financial services sector feature highly among those who will shoot past the July date. Many of these — nearly half — will sign CSAs.

The findings come courtesy of Microsoft consultant and SI partner Avanade, which surveyed 100 companies on their state of Windows Server 2003 migrations.

In November, Avanade estimated just a fifth would miss the July date.

It's just two weeks until Windows Server 2003 — released 12 years ago — slips out of extended support and Microsoft no longer releases security fixes.

That means no new patches from engineers at Redmond to cover new vulnerabilities or hacks discovered or written.

Avanade said 51 per cent will run past the 14 July cut-off date. Twenty seven per cent will miss it by more than three months, and 24 per cent by more than a year.

A fifth of firms in each of the financial services, retail, distribution and transport, and “other commercial” categories acknowledged the risk but are OK with it.

Manufacturing seemed less sure – eight per cent are comfortable with the risk.

The reason for companies' apparently relaxed attitude is split. Forty per cent of financial services firms planned on signing a CSA with Microsoft, compared with 28 per cent in manufacturing, 24 per cent in retail, distribution and transport, and 20 per cent in “other” commercial.

CSAs will see Microsoft continue to deliver new patches for customers who take out a deal. But CSAs are not an option for all: they're only available for Microsoft Premier customers, for a fee of $600 per machine — and only “as a last resort option to help bridge the gap during large and complex migrations,” a Microsoft spokesperson told The Reg.

Microsoft offered CSAs to Windows XP hold-outs after the end of extended support in April 2014, but it's being less generous with Windows Server 2003.

Windows XP CSAs could run year-on-year for up to three years, doubling in price each year - but Windows Server 2003 CSAs are limited, according to Avanade.

Paul Veitch, Avanade head of application development and UK cloud lead, said the fact Microsoft had offered CSAs for Windows XP after telling people there’d be no additional support, and that they simply had to migrate, had given the wrong impression: essentially that Microsoft had been holding out and then crumbled.

Unnaturally long life

CSAs have helped contribute to the prolonged existence of Windows XP in business. The same won’t happen on Windows Server 2003, said Veitch.

“I’ve spoken to Microsoft and it has said it will not cave like it did on Windows XP,” Veitch said.

Those not taking out CSAs reckoned they had a “plan” to cope, so are managing the risk of continuing to run Windows Server 2003 without security updates.

Manufacturing came top here, at 64 per cent, followed by retail, distribution and transport on 52 per cent, “other commercial” on 52 per cent, and then financial services on 36 per cent.

When it comes to the question of why so many will miss the July cut-off and why numbers have jumped so dramatically, the answer seems to be application compatibility and moving a core of thorny and complex apps.

Paul DeGroot, Microsoft licensing consultant with Pica Communications, said a CSA costs less for some than moving or rebuilding such apps, so a Microsoft agreement can be justified because it helps buy time.

“I have heard a lot of dread about CSAs for Windows Server 2003,” DeGroot told The Reg. “For the most part, no one is casual about the risks. In most cases their hands are tied by application compatibility issues that are either difficult to remedy or potentially more expensive than custom support.”

DeGroot is conducting a survey on the price of CSAs.

Custom-built and customised apps are the real sticking point: Windows Server 2003 apps that are old and might not run on later server operating systems, and apps where customers lack the source code to move them, where the application's vendor is no longer in business, or where the author has left the firm.

In many cases, if you can’t port the app the answer is to try and find somebody who can replicate its functionality with a new app instead.

If you can't migrate "the only solution is to find someone to study the app and duplicate its functionality. That could take many months and cost $100,000 for just one skilled developer", added DeGroot.

DeGroot noted, too, there’s less pressure to get off Windows Server 2003 than for Windows XP because the security exposure is less severe.

As a desktop operating system, Windows XP was exposed to direct attack over the web through Internet Explorer and via Office.

But if a sysadmin never used a Windows Server 2003 server console to browse the web or view an Office document then 80 per cent of security updates deemed “critical” were unnecessary, DeGroot said. ®
