This article originally appeared at The WHIR
Although it has been nearly a month since extended support for Windows Server 2003 ended, Netcraft’s latest survey finds 175 million websites still being served by the obsolete operating system. Netcraft’s July Web Server Survey shows that over 600,000 web-facing computers, serving a fifth of all websites, are still running Windows Server 2003, and are therefore exposed to elevated security risk.
The last major update to Windows Server 2003 was Service Pack 2, released 8 years ago. Of the computers still running it, 73 percent serve sites with Microsoft Internet Information Services 6.0, the IIS version that shipped with Windows Server 2003. The Server header of another 1.7 million sites served from other operating systems also reported Microsoft-IIS/6.0, which suggests further Windows Server 2003 machines in back-end use behind those front ends and widens the scope of the risk.
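The survey counts above rely on the HTTP Server response header, which IIS 6.0 populates as Microsoft-IIS/6.0. The following added example (not Netcraft’s code or part of the original article) shows how a practitioner could run the same check against their own estate: it parses a raw HTTP response, extracts the Server header regardless of header-name case, and flags the IIS 6.0 signature. The sample responses are constructed for illustration, including one fronted by a load balancer that hides the back-end header, the situation the article describes for LivePerson and ING Direct, to show why an absent or rewritten Server header is not evidence that the back end is patched.

```python
"""Flag hosts whose HTTP Server header advertises IIS 6.0, the IIS version
bundled with Windows Server 2003. Added example; not code from the article."""
import re
from typing import Dict, Optional, Tuple

# IIS 6.0 identifies itself as exactly "Microsoft-IIS/6.0" (the \b keeps
# hypothetical strings such as 6.01 from matching).
IIS6_PATTERN = re.compile(r"^Microsoft-IIS/6\.0\b", re.IGNORECASE)


def parse_server_header(raw_response: bytes) -> Optional[str]:
    """Return the value of the Server header from a raw HTTP response, or None.

    Header names are case-insensitive; the status line is skipped and only
    the header section (before the blank line) is examined.
    """
    head, _, _body = raw_response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def is_iis6(server_header: Optional[str]) -> bool:
    """True when the Server header matches the IIS 6.0 signature."""
    return bool(server_header) and IIS6_PATTERN.match(server_header) is not None


# Constructed sample responses (not real captures). The "fronted" case models
# a load balancer such as an F5 BIG-IP rewriting the Server header; the
# back end may still be Windows Server 2003 but the header cannot tell us.
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "legacy": (b"HTTP/1.1 200 OK\r\n"
               b"Server: Microsoft-IIS/6.0\r\n"
               b"X-Powered-By: ASP.NET\r\n\r\n<html>"),
    "modern": b"HTTP/1.1 200 OK\r\nserver: Microsoft-IIS/8.5\r\n\r\n",
    "fronted": b"HTTP/1.1 200 OK\r\nServer: BigIP\r\n\r\n",
    "noheader": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}


def classify(responses: Dict[str, bytes]) -> Dict[str, Tuple[Optional[str], bool]]:
    """Map each host label to (server_header, flagged_as_iis6)."""
    result = {}
    for label, raw in responses.items():
        header = parse_server_header(raw)
        result[label] = (header, is_iis6(header))
    return result


if __name__ == "__main__":
    for label, (header, flagged) in classify(SAMPLE_RESPONSES).items():
        status = "IIS 6.0 / Windows Server 2003" if flagged else "not flagged"
        print(f"{label:9s} Server={header!r:28s} -> {status}")
```

A header-based check only finds systems that announce themselves; hosts behind a reverse proxy or with a rewritten Server header need an inventory from the inside (patch management, asset database) rather than a scan from the outside.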
Netcraft estimates that 609,000 computers, or just over 10 percent of all web-facing computers, are still running Windows Server 2003. Because software licences are usually priced per machine, the number of installations is the best indication of the total cost of migrating to supported systems.
Of those computers, the majority (55 percent) are in the US and China, even though the two countries account for only 42 percent of other web-facing computers. Alibaba subsidiary HiChina, acquired in 2009, operates roughly 12,000 instances of Windows Server 2003, while the company’s cloud division Aliyun hosts 7,500. Aliyun, which recently expanded its relational database offering through an EnterpriseDB partnership, still offers Windows Server 2003 VMs.
Companies using Windows Server 2003 include the banks NatWest, ANZ and Grupo Bancolombia. Others, such as LivePerson and ING Direct, serve their sites through F5 BIG-IP devices, so their Windows Server 2003 machines are not directly exposed to the internet.
While some sites may migrate slowly, any business subject to the Payment Card Industry Data Security Standard (PCI DSS) is automatically out of compliance if it runs Windows Server 2003 anywhere in its environment: PCI DSS requires all software to be kept up to date with vendor-supplied security patches, and no further patches are issued for an operating system that has left extended support.
A PCI compliance report released by Verizon in April showed that 80 percent of retailers failed their interim PCI compliance assessments. Enterprises already fear data breaches in the cloud, so service providers still running server software with “2003” in its name are arguably putting the reputation of the technology at risk, and inarguably setting themselves up for a public relations disaster if (or more likely when) attackers develop an effective vector against the obsolete systems.
A March Microsoft report referred to the migration market opportunity that the end of Windows Server 2003 support created for service providers. Microsoft also offers a Migration Planning Assistant hosted on Azure.