Even though they had years of warning, millions of businesses were left scrambling last year when Microsoft withdrew support for Windows XP, a massively popular operating system that still runs on almost twenty percent of the world’s PCs. But the problems caused by Windows XP’s end-of-support date might be nothing compared to what happens when Windows Server 2003 reaches its end of life on July 14 of this year.
Although Microsoft sounded a 100-day warning bell last week, the total installed base of Windows Server 2003 is believed to be massive, according to the most recent data. A recent, Microsoft-sponsored survey of 1,300 business and IT professionals conducted by Spiceworks found that 61 percent of businesses are still running at least one instance of Windows Server 2003 within their networks. With Hewlett-Packard Co. reporting last year that around 11 million systems were still running Windows Server 2003, it’s likely there are still millions of installations across both physical and virtualized infrastructures.
More surprising, perhaps, is that according to David Mayer, practice director of Microsoft Solutions for Insight Enterprises, a $5.1 billion technology sales company that is also a Microsoft Licensing Solutions Provider, many of these installations are running in larger enterprises that are more likely to possess the resources needed to upgrade.
“You actually see more Server 2003 as a percentage within very large, higher-end customers than we do at the lower end,” Mayer said in an interview with Redmond Magazine last year. “The people who are actually in a better position to remediate the problem are the ones who have it. There are a lot of valid reasons — application dependency, where an industry-specific application hasn’t been updated, or an ISV went out of business, or some of it is that the thing works well and has been cheap to maintain and manage.”
The cost of compliance
Such revelations raise the question – how concerned should enterprises be that support for Server 2003 is about to end?
That depends, but in most cases there are legitimate concerns businesses need to be aware of. While The Register’s Tim Anderson helpfully points out that it’s probably okay to keep an old Server 2003 box running in the corner if it’s not connected to the network, the lack of official support and security updates will likely cause problems sooner or later.
The most pressing concern for organizations that deal with critical or sensitive data – such as those in the financial and medical industries – is that they risk falling out of regulatory compliance if they’re running unsupported software. As The Register notes, regulators often use port scanning software to hunt for servers running out-of-date software, and should one be flagged during a PCI DSS (Payment Card Industry Data Security Standard) compliance check, organizations could be subject to heavy fines or even barred from processing credit card payments or handling sensitive data.
There’s good reason why regulators are so watchful. Unpatched systems quickly become vulnerable to all manner of exploits and malware attacks, as illustrated in this recent PC World article about how numerous European ATMs are now vulnerable because they’re still running on old Windows XP systems, citing one case in which attackers used malware to steal $1.32 million from vulnerable cash machines.
The story is consistent with previous reports about numerous retailer point-of-sale (POS) systems being vulnerable due to running unpatched software – such systems are a favored target of cybercriminals because they’re among the least resistant points in a network. And since Windows Server 2003 systems often host Active Directory, user accounts and other sensitive data, the warning signs are there for all to see. Keeping the regulators happy could be the least of your concerns…
That’s not to say it’s impossible to protect an unpatched server. It isn’t, but doing so can be very expensive. Advanced firewalls, intrusion detection systems and network segmentation are the typical tools companies can deploy to protect legacy servers, but these don’t come cheap and probably won’t satisfy the regulators either. On the other hand, it will be possible to buy custom support, which Microsoft’s Alex Fu estimated in a recent TechNet post would cost $200,000 on average. Meanwhile, Insight Enterprises’ Mayer put the cost at around $1,500 per server, per year.
The remaining instances of Windows Server 2003 are clearly an important problem, but the good news is that most companies are aware of Server 2003’s looming end of support and are doing something about it. According to the Spiceworks survey, 15 percent of respondents have already fully migrated from Server 2003, while another 48 percent have partially migrated, and 28 percent are planning to do so.
That still leaves eight percent of Spiceworks survey respondents who say they have no plans at all in place to migrate from Server 2003, but at least they’re worried about it. Of those who are planning to keep Server 2003 running after end-of-life, 85 percent admitted they were concerned about security vulnerabilities, 72 percent said they were worried about software compatibility issues, and another 66 percent admitted to concerns about compliance.
Unfortunately, this may not be the case with the majority of Server 2003 users out there. Another survey by migration specialists AppZero revealed that 47 percent of businesses were not aware of the end-of-life date or did not yet have plans for remediation.
It’s not for a lack of effort on Microsoft’s part. The company has been crying out warnings about Server 2003’s expiration date, and has helpfully published its Server 2003 End of Service website, which contains a ton of resources to help organizations plan their migration. Microsoft details a four-step migration process in a bid to keep things as simple as possible: discover, assess and target software and workloads, then choose the best migration path.
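The first of those steps, discovery, is often where stragglers hide. As an added example (not from the article or from Microsoft’s migration guidance), the script below inventories Windows Server 2003 machines from Active Directory and flags domain controllers as the highest-priority migrations, since the article notes those servers often host Active Directory itself. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read computer objects; the 90-day staleness threshold is an assumed value.

```powershell
# Added example: "discover" step for a Server 2003 migration.
# Assumes the RSAT ActiveDirectory module and read access to AD computer objects.
Import-Module ActiveDirectory

# Assumption: a computer account with no logon in 90 days is probably decommissioned
# (or an unmanaged box nobody watches, which is worse) and needs manual verification.
$staleDays = 90
$cutoff    = (Get-Date).AddDays(-$staleDays)

# Domain controllers host Active Directory, so they go to the top of the list.
$dcNames = (Get-ADDomainController -Filter *).Name

# OperatingSystem is populated by the machine itself at domain join / logon,
# so it is a reasonable first pass; confirm with a network scan before trusting it.
$servers = Get-ADComputer -Filter { OperatingSystem -like "*Server 2003*" } `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address, Description

$report = foreach ($s in $servers) {
    $isDc = $dcNames -contains $s.Name

    if (-not $s.LastLogonDate) {
        $status = "Unknown: no logon recorded, verify manually"
    } elseif ($s.LastLogonDate -lt $cutoff) {
        $status = "Stale: confirm decommissioned, then remove the account"
    } elseif ($isDc) {
        $status = "Critical: domain controller, migrate first"
    } else {
        $status = "Active: assess workload and dependencies"
    }

    [PSCustomObject]@{
        Name         = $s.Name
        OS           = ("{0} {1}" -f $s.OperatingSystem, $s.OperatingSystemServicePack).Trim()
        IPv4         = $s.IPv4Address
        LastLogon    = $s.LastLogonDate
        IsDomainCtrl = $isDc
        Status       = $status
        Description  = $s.Description
    }
}

# Show DCs and the most recently active hosts first, then keep a copy for the assess step.
$report | Sort-Object IsDomainCtrl, LastLogon -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\server2003-inventory.csv -NoTypeInformation
```

The CSV becomes the input to the assess and target steps: each active host still needs its hosted applications and dependencies identified before a migration path is chosen.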
Migrating certainly won’t be plain sailing, but if there’s any good to come out of this, it’s that doing so isn’t just a challenge, but also an opportunity.
“The thing we’re seeing with the organizations that we talk with is this is very much an inflection point in the design, management and architecture of their data center,” said Insight Enterprises’ Mayer to CIO.com. “Is this the point where they move to software as a service or infrastructure as a service? Do they fully virtualize?”
While other options exist (The Register provides a pretty solid rundown of the options available to users), for most businesses the choice will likely be between migrating to Windows Azure in the cloud, or Windows Server 2012 R2 in an on-premises deployment, Mayer said. He added that Windows Server 2012 R2 offers dozens of new capabilities, but will also likely require more powerful hardware.
In other words, migration won’t come cheap – but the expense of doing so will hopefully be offset by the benefits of being able to handle larger workloads with less hardware, advanced virtualization, and a general reduction in running costs.