With Windows 2003 support ending on July 14th 2015, IT departments should have already cleared out this old operating system from the estate. However, it’s coming to light that there is still a significant amount of Windows Server 2003 machines which will not be migrated by the deadline. This isn’t a matter of saving money, failing to act could put a firm at serious risk from aggressive and focused cyber attacks.You need to ask whether it is really worth the risk of having data stolen, embarrassment to the firm or a regulatory compliance breach. Legislation under the EU General Data Protection can charge fines of up to two per cent of annual turnover for a breach. It is not just data which is at risk; core systems such as email and case management could also be potentially breached and exploited by hackers or malicious code.

Understanding the threats

Some security vendors will claim that they can protect you whilst you still run 2003, but generally this is not the case. Because the weak link often comes in the form of a process or a person, your firewall protection will not be enough, nor will any staff and organisational protocols.  

The removal of Windows support will mean that any 2003 servers within the firm are at risk from a vast array of threats. If your server directly faces the internet simply relying on a firewall may be ineffective as malware and zero day threats will be targeting vulnerabilities which are not patched and the firewall may not know about. Furthermore, the lack of patches can make the server an easy access point for hackers into your systems. If the server is used to access the internet you also run the risk that a malicious code will penetrate the server and ultimately the Local Area Network (LAN) /Wide Area Network (WAN) it sits on. 

Another major risk comes from computers and other connected hardware in a LAN. Even if your PCs, laptops and other servers are not infected, they can still potentially pass on an infection to an unprotected Windows 2003 server. Similarly, as Stuxnet showed, USB storage devices can also carry threats when plugged in.

Over the coming months, the risks to Windows Server 2003 are likely to grow as hackers wait until the support ends to take action. Do not be lulled in to a false sense of security: the worst attacks will continue for six to nine months and will then begin to slowly taper off after the easy targets get hit.

Finding the solutions 

For those that have left it too late to switch from Windows Server 2003, there are several key things you can do to protect your environment. 

1. Ensure that the server is not directly connected to the internet by using a firewall device and keep it separate from the LAN via a Virtual Local Area Network (VLAN) at the least.

2. Don’t' allow any external devices to be plugged into it.

3. Plan to migrate services off the Windows 2003 server.

Plan, Plan, Plan

The most important thing you can do (should have done) before Windows 2003 support ends is to get a plan to have your services protected as soon as possible. This is likely to be a tricky and complicated task, so either planning needs to begin now or you should bring in a consultant quickly. 

When developing your plan there are number of factors that need to be taken into account. Below are the main considerations that would form the basis of a strong approach: 

1. Will your existing hardware support new operating systems and/or software?

2. Will other applications work on the new operating systems and/or software?

3. Will third party application vendors support their applications on a new platform?

4. How will you overcome compatibility issues?

5. Do your IT staff need training to roll-out and manage the new operating systems and/or software?

6. Will other employees need training to use the new operating systems and/or software?

7. How long will it take to test everything?

8. What resources are needed to roll the new operating systems and/or software out?

9. How long will it take to roll the new software out?

10. What do you need to budget for? For example, you can go for a fully managed cloud option, your own private cloud option, or simply replace servers and software in your own office.

In short, you’ll need to act now to safeguard your legal firm’s future. Do not leave it to the mercy of hackers who can leave you open to regulatory issues, major fines and also bad press in the news. Failing to take action now is like knowing the spare bedroom window won't close properly and doing nothing about it; chances are at that someone will come through it at some point.