If you must, here’s how to keep using Windows 2003 safely after its end-of-life in July 2015

It’s better to pack it up

Editor’s note

Microsoft ended support for the Windows 2003 server on July 14, 2015. Accordingly, GoDaddy has decommissioned servers running Windows 2003. Why? In the future, Windows 2003-based servers could have potentially become vulnerable to security risks as they are no longer supported by Microsoft. We decommissioned these servers in order to mitigate this risk. We migrated content from paid customers using those outdated servers to new servers running currently supported versions of Windows.

GoDaddy customers who were using Windows 2003 should note that these new servers do not support FrontPage Extensions and Access databases. Any websites that used those features now might function in a limited capacity or not at all, unless the site’s owner or administrator addressed any issues.

If you were on a free hosting plan with GoDaddy, we gave you a free year of web hosting with the Plesk control panel. If you’d like to learn more about your new hosting dashboard, read this guide to getting started with Plesk. There’s more detail on how GoDaddy supported this migration on our help site. Of course, if you have any questions or concerns, feel free to contact our support team.


Stubborn, huh?

If you choose to keep using Windows 2003 despite the fact that Microsoft has ended support for this server, you’ll want to take steps to reduce your server’s vulnerability. Your Windows server won’t stop working, like a car that’s out of gas, but Microsoft will no longer supply security fixes for it. This means the installed base of sites still using the operating system will be more vulnerable to attacks with new exploits.

 Anyone running WS2003, either on-premises or in a hosting environment, should plan to migrate immediately to either a newer version of Windows Server or to another platform.

In other words, if a business isn’t well into the migration cycle, it’s going to be running uncovered for weeks or months even if the process is initiated today. While migration is somewhat straightforward for WS2003 being used to host websites, that’s not the case if the migration requires replacing applications, rewriting code, or even changing software architectures.

Short-term steps to maximize the safety of using WS2003

If there’s a need to keep running WS2003 during the migration, it’s important to protect that vulnerable server as much as possible. This means patching it, logging everything, isolating it, backing up often, and allowlisting it. This won’t provide the level of protection found on a newer Microsoft-supported operating system like the current Windows Server 2012 Release 2 (WS2012 R2), but these steps will make the business less vulnerable.

Patch It

It’s important to start with a version of WS2003 with as few vulnerabilities as possible. Make sure all security patches are in place and current. Windows Server Update Services is a patch management tool from Microsoft to help with patches. Plug Windows Server 2003 into the Search feature and a list of patches will be forthcoming.

Obviously, this needs to be done before Microsoft ends support in July. Pay special attention to the firewalls around the system and make sure they are running the latest versions. Windows Server 2003 also has a built-in firewall that can be turned on.

Log It

Turn logging on and check the logs regularly, looking for signs of intrusion. Set alarms that will warn of possible security breaches. The faster a problem is spotted, the faster it can be fixed.
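One way to automate this check, as an added example that is not part of the original article: a Python script, run on a separate analysis machine, that scans Security log records exported as CSV and raises alerts. The CSV column layout, thresholds and sample rows are constructed assumptions; the event IDs are the Windows Server 2003 Security log IDs for a failed logon (529), audit log cleared (517), account created (624) and member added to a local group (636).

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Server 2003 Security log event IDs used below.
FAILED_LOGON = "529"   # logon failure: unknown user name or bad password
ALWAYS_ALERT = {
    "517": "audit log cleared",
    "624": "user account created",
    "636": "member added to a local group",
}

# Constructed sample export (assumed columns: time, event ID, account, source address).
SAMPLE_CSV = """\
2015-07-20 02:14:01,529,administrator,203.0.113.7
2015-07-20 02:14:03,529,administrator,203.0.113.7
2015-07-20 02:14:05,529,admin,203.0.113.7
2015-07-20 02:14:09,529,backup,203.0.113.7
2015-07-20 02:14:12,529,administrator,203.0.113.7
2015-07-20 02:20:40,624,svc_temp,-
2015-07-20 02:21:02,636,svc_temp,-
2015-07-20 02:25:30,517,svc_temp,-
2015-07-20 09:00:10,529,jsmith,192.0.2.15
"""

def scan(csv_text, threshold=5, window=timedelta(minutes=2)):
    """Return a list of (timestamp, message) alerts for the exported records."""
    alerts = []
    recent = defaultdict(deque)   # source address -> times of recent failed logons
    for when, event_id, account, source in csv.reader(io.StringIO(csv_text)):
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        if event_id in ALWAYS_ALERT:
            alerts.append((ts, f"{ALWAYS_ALERT[event_id]} (account {account})"))
        elif event_id == FAILED_LOGON:
            times = recent[source]
            times.append(ts)
            while ts - times[0] > window:   # drop failures outside the window
                times.popleft()
            if len(times) == threshold:     # alert when the count reaches the threshold
                alerts.append((ts, f"{threshold} failed logons within {window} from {source}"))
    return alerts

if __name__ == "__main__":
    for ts, message in scan(SAMPLE_CSV):
        print(ts, message)
```
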

Isolate It

Since the most common infection vector is the Internet, one basic safety precaution is to limit Internet access to WS2003. Close any unused ports. At the same time, limit user access to the WS2003 server as much as possible. Eliminate all unnecessary users. Similarly, wall the server off as much as you can from the rest of the network.

 Limit Internet access to the server as much as possible to protect against WS2003 vulnerabilities.
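To find the ports that still need closing, the following added example (not from the original article) compares the server's `netstat -an` output with a list of services it is supposed to expose. The approved list and the sample output are constructed assumptions for a server that should offer only HTTP and HTTPS.

```python
# Constructed sample of `netstat -an` output captured on the server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            198.51.100.23:51544    ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    10.0.0.5:137           *:*
"""

# Assumed policy: the only services this web server should expose.
APPROVED = {("TCP", 80), ("TCP", 443)}

def exposed_listeners(netstat_text):
    """Return the set of (protocol, port) sockets reachable from the network."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue                  # header, blank line or other text
        proto, local = fields[0], fields[1]
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue                  # an existing connection, not a listener
        address, _, port = local.rpartition(":")
        if address.startswith("127.") or address == "[::1]":
            continue                  # loopback only: not reachable remotely
        found.add((proto, int(port)))
    return found

def audit(netstat_text, approved=APPROVED):
    """Return (unexpected listeners, approved services that are not listening)."""
    found = exposed_listeners(netstat_text)
    return sorted(found - approved), sorted(approved - found)

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_NETSTAT)
    print("Close or firewall:", unexpected)
    print("Approved but not listening:", missing)
```
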

Allowlist It

Only allow specifically permitted programs to run on the system. Anything else must be automatically blocked. Use an allowlisting program such as Bit9+Carbon Black to construct and maintain a server allowlist. Alternatively, use Windows’ built-in Software Restriction Policy in Group Policy to construct an allowlist.

Backup It

Perform frequent backups of the entire system. This isn’t just a security measure: If the installation suffers a hardware or software failure of any kind, those backups will be your lifeline. Check often to make sure the backups are actually there and are recoverable. It’s also a good idea to increase the frequency of backups once support ends. Remember, in many cases a WS2003 system is running on old hardware.

Virtualize It

There may be archival reasons to keep WS2003 around. Perhaps there is data saved in applications that only WS2003 supports, or a website needs to stay live until its migration is complete. Since hosting services will no longer run WS2003 on their bare metal servers, one option for keeping WS2003 around is to virtualize it as a guest operating system running on a hosted WS2012 R2 server. The data is kept safe for as long as it’s needed and the website can still be accessed. This will also aid in isolating the server and help protect it.

Except for archival purposes, it’s best to think of these measures as stopgap fixes that will buy time. Eventually the cost of supporting it is going to become prohibitive and the rationale for updating will become overwhelming.

Anyone running a WS2003 server, whether on-premises or at a host, should be actively working on a migration plan. The time to move is now.

Image by: TheMuuj via Compfight cc

Rick Cook
Rick Cook, a technologist and writer in Phoenix, got his start in newspapers and was a reporter and editor on daily papers and wire services before moving to computer journalism. Since then he has written extensively about the web, web design and other forms of "new media."