
Windows Server 2003 End-of-Life Survey Finds Nearly One in Three Companies Will Miss Deadline, Leaving Nearly 3 Million Servers Vulnerable to Breach

Poll of 500 U.S. and U.K. enterprises finds more than half do not know deadline date

WALTHAM, Mass.—March 25, 2015—Bit9® + Carbon Black®, the leader in endpoint threat prevention, detection and response, today announced the results of its “Windows Server 2003 (WS2K3) End-of-Life Survey,” which found that many companies have yet to migrate away from the server platform and remain woefully unprepared for the end of support from Microsoft.

An estimated 2.7 million servers—potentially containing hundreds of millions of files—will be unprotected after July 14, 2015, the end-of-life deadline, according to the survey Bit9 + Carbon Black conducted in February 2015. Key findings from the survey, which polled IT leaders at 500 medium and large enterprises in the U.S. and U.K. with at least 500 employees, include:

– Nearly one in three enterprises (30 percent) plan to continue to run WS2K3 after the July 14 deadline, leaving an estimated 2.7 million servers unprotected

– More than half of enterprises (57 percent) do not know when the end-of-life deadline is

– 14 percent of enterprises do not yet have an upgrade plan for WS2K3

Servers, including domain controllers and Web servers, are where most organizations’ critical information resides. So if organizations continue to run Windows Server 2003 without implementing appropriate compensating controls—such as application allowlisting—they will put customer records, trade secrets, and other highly valuable data at risk. Cyber criminals, hacktivists and nation-states prey on unprotected servers, leaving enterprises exposed to potentially catastrophic breaches that can lead to lawsuits, regulatory fines and loss of customer trust.

“The Windows Server 2003 end-of-life deadline must not be taken lightly,” said Chris Strand, PCIP, senior director of compliance and governance for Bit9 + Carbon Black. “But based on the results of this survey, it appears that too many organizations are doing just that. With only about 100 days left until the end-of-life deadline, organizations yet to upgrade must immediately aim to get their WS2K3 systems into a compliant state to eliminate financial, and potential legal, penalties and avoid the brand damage associated with failed audits, data breaches, and noncompliance.”

With the critical role servers play at any enterprise, WS2K3 end of life presents an even greater risk than last year’s Windows XP end of life. Continued operation of unsecured WS2K3 systems can leave organizations exposed to “zero-day forever scenarios”—where new zero-day vulnerabilities are discovered and exploited by attackers and no publicly available patch will ever be provided.

The results indicate that many IT managers are completely unprepared to meet the deadline, leaving their organizations scrambling to find compensating controls or risk being vulnerable to cyber attacks. The risks of running an operating system that can’t be patched are vast, including:

• Breach and data compromise: malware authors can gain access to highly confidential information such as critical research and development plans, core business databases, consumer credit card/financial data or patient information.

• Financial penalties: organizations in a noncompliant state can be fined for failing compliance audits.

• Loss of privileges: an organization can lose the right to process major credit card transactions and access to business-critical data.

• Damage to corporate brand: often the most devastating consequence, and one that can be difficult to remediate. According to the National Cyber Security Alliance, 60 percent of small and medium businesses that suffer a breach go out of business within six months.

What Organizations Can Do

For enterprises looking to address Windows Server 2003 end of life without upgrading, compensating controls should be considered to keep their systems secure and compliant after Microsoft support ends. Effective compensating controls for organizations without an upgrade plan include network isolation, application allowlisting, and continuous server monitoring. The report explains each type of control.

Originally launched in 2003, Windows Server 2003 and its 2005 update, Windows Server 2003 R2, are relied upon by thousands of organizations for critical production workloads. There are approximately 9 million WS2K3 systems still in use.

About Bit9 + Carbon Black

Bit9 + Carbon Black provides the most complete solution against advanced threats that target organizations’ endpoints and servers, making it easier to see—and immediately stop—those threats. The company enables organizations to arm their endpoints by combining continuous, real-time visibility into what’s happening on every computer; real-time signature-less threat detection; incident response that combines a recorded history with live remediation; and prevention that is proactive and customizable. More than 1,000 organizations worldwide—from Fortune 100 companies to small enterprises—use Bit9 + Carbon Black to increase security, reduce operational costs and improve compliance. Leading managed security service providers (MSSP) and incident response (IR) companies have made Bit9 + Carbon Black a core component of their detection and response services.

Bit9 and Carbon Black are registered trademarks of Bit9, Inc. All other company or product names may be the trademarks of their respective owners.