Millions of CIOs are set to miss the July 14 deadline to migrate away from Windows Server 2003, despite the huge risks to their companies.
As of July 15 the operating system will no longer be supported by Microsoft -- meaning that security patches and other updates will no longer be made available to users running the software. Last year the company estimated that there were 24 million instances of Server 2003 running around the world.
Ed Shepley, a solutions architect at migration specialist Camwood, says that while most companies have migrated some of their servers away from Server 2003, only a minority have migrated all of their servers.
"We are not seeing companies making a strategic decision to stay with 2003, but most companies we are talking to are struggling to get the last applications off it," he says. "They thought that they had time to migrate everything but it has taken them longer than anticipated."
This tallies with the results of a survey from Spiceworks in March which found that 61 percent of businesses it questioned were still running at least one instance of Server 2003.
Nick East, CEO of managed IT service provider Zynstra, also expects that many of the companies he has been talking to will miss the deadline.
"I think a significant number of organizations have not and will not make the date," he says. "Probably 30-40 percent of SMBs will be running Server 2003 somewhere in their environment after July 14th."
Risk rising gradually
The most obvious problem with remaining on Server 2003 is the increased security risk. Companies that are involved in regulated industries or activities also run the risk of falling out of compliance if they run an unsupported operating system, but Camwood's Ed Shepley says that most of these companies have successfully migrated from Server 2003 already.
But unlike the Y2K problem, which had the potential to cause unpatched systems to fail on the first day of the year 2000, the security risk of running Windows 2003 is likely to slowly rise from a low base over time as more and more vulnerabilities are discovered and remain unpatched.
That means the security risk may not be as acute as some people are suggesting, says Shepley. "I don't think the risks can be mitigated, but the world won't end on deadline day," he says. "After all, we didn't see Windows XP infrastructure collapse immediately after support for that came to an end," he adds.
Rob Bamforth, a principal analyst at research house Quocirca, agrees that when support for Windows XP ended, it didn't result in a tsunami of attacks on machines running the operating system. But he believes running an unsupported server operating system is a greater security risk than running an unsupported client operating system.
"Once a server has been broken into, an intruder can move sideways to other systems on the network so there are potentially greater risks on a server platform than an end user platform," he warns.
But aside from security, there are plenty of other things to worry about if you are running an unsupported operating system like Server 2003. For example, most software vendors are only willing to validate and support their software on supported operating systems. That means that by staying on Server 2003 you won't get vendor support for the applications running on it, and you won't benefit from any feature enhancements or updates that may make it compatible with other software or services.
That can make it an expensive problem to fix if the application eventually becomes unusable. "The most expensive upgrade to make is the one that is done in a crisis," says Zynstra's Nick East. "If you have time to plan you can look at the options and get the best deal. But if you haven't migrated and you have an outage or a breach then you have to do things in a hurry. That means you have to compromise in terms of agility or technology and you will almost certainly have to spend more money."
The other side of this coin is that companies may be running an application that may not run or may not be supported on newer operating systems like Server 2008 or Server 2012. But Camwood's Shepley says that in his experience most vendors are willing to provide companies with free upgrades to versions of their products that support Server 2012. That's because their support and maintenance costs are lower when customers are running their products on the newest operating system, he says.
Of course, in some cases a newer version of the application may not be available. "If the vendor no longer exists then our recommendation would be to find a functional equivalent and migrate across," says Shepley. "Or as a stopgap measure you can use a solution like AppZero that wraps your app in a bubble and lets you move it to a new platform."
Quocirca's Bamforth says that a common reason that many companies will miss the July 14 deadline is that IT departments have difficulty getting resources allocated to them to do the migration. "Migrating off Server 2003 doesn't obviously add value to a business so it can be hard to make the case to senior management," he says.
Other reasons include the following:
- Underestimating the scale of the project -- including identifying less "visible" servers that may be providing services like DNS and domain control -- and therefore the time needed to complete it.
- Being too busy firefighting other more pressing IT problems to carry out the migration on time.
- Putting the migration off in order to do more exciting projects, or ones that other business departments are demanding and which appear to show bigger business benefits.
But Shepley points out that moving away from Server 2003 can be a significant opportunity for CIOs to cut IT costs and increase efficiency. That's because most Server 2003 boxes run a single application and are therefore highly underutilized, he says. By running these applications on newer operating systems in virtual machines it should be possible to reduce the number of physical servers required significantly, and increase overall server utilization.
"Almost everyone we are working with is moving from physical Server 2003 boxes to Server 2012 running in virtual machines," he says.
And Zynstra's East adds that from a business perspective it rarely makes sense to use technology that is obsolete.
"Organizations can get considerable benefit from using a high tech infrastructure," he says. "There have been considerable advances in software since 2003, so if you are still using Server 2003 then your organization is not benefiting from them."