Windows Server 2008 end of life has finally passed its last incarnation. Some IT operations will still have servers running it though, since some industry- or workplace-specific applications don't work and play well on more recent Windows Server offerings. This means these shops are especially vulnerable to new security threats aimed at unsupported operating systems.
Microsoft isn't entirely abandoning those still dependent on Windows Server 2008. For three more years, users can continue to receive support by taking advantage of Microsoft's Extended Security Update program, which promises to supply "critical" and "important" security patches to those with active Software Assurance or subscription licenses. With a few restrictions, the program is also available to those still using SQL Server 2008, with patches limited to "critical" updates.
Extended Security Update is expensive, however, logging-in at "75% of the full license cost annually," according to Microsoft. That would represent a broad range of pricing, since licensing costs for any Windows Server version vary widely across different editions. When Windows Server 2008 R2 hit the market, for example, a license could be as inexpensive as $469 yearly for the Web Server edition, or as expensive as $3,999 for the Enterprise edition.
For those who want to consider support options beyond the Microsoft offering and want to keep their instance on-premises instead of lifting-and-shifting to the cloud, there is only one solution that fits the bill.
A Third-Party Solution
0Patch (as in "zero-patch," and not to be confused with Oracle's OPatch utility), is a service of Slovenia-based ACROS Security that typically supplies security fixes to companies running currently supported versions of Windows. The fixes either address critical zero-day exploits that haven't yet been addressed by the vendor, or patches to be used as a stopgap measure while vendor-supplied patches are being tested.
0Patch will keep some no longer supported software, including Windows Server 2008 as well as Windows 7, patched against security issues at a cost of a little over $25 annually per machine, with volume discounts starting at 20 computers.
ACROS CEO Mitja Kolsek told ITPro Today that while some of the patches might be based on vendor supplied patches, "We create a lot of patches ourselves."
"While having access to a vendor's patch is helpful in determining what the original developers thought was the best way of fixing the vulnerability, we often fix in a different way to minimize the code we change," he said. "Sometimes our fix is also better that the vendor's."
In addition, he said, the company has fixes for some security issues that have yet to be patched by Microsoft.
The company's reason for needing to "minimize" the changed code might be something that potential users might want to consider before signing up for the service. Any fix that 0Patch supplies is not in the form of a traditional patch, which replaces an entire changed file or application on the hard drive, but is a memory resident "micropatch" and is applied on the fly.
"0patch Agent is designed to inject a dynamic load library (DLL) into each running process so that it can then apply and un-apply micropatches in that process," 0Patch explains on its website. "While there are some processes that don't let themselves get injected this way, most processes will spend an additional 600-700 KB of memory each for hosting that DLL. On a typical Windows 10 system with [about] 100 running processes this means a memory consumption of 60-70 MB."
When asked if 0Patch's system presents a new security worry for users, Kolsek replied: "While we're trying hard to avoid that and utilize 20-plus years of experience in finding vulnerabilities, it's almost sure that there are vulnerabilities in our product, as are there in any other software product. We can also micropatch our own product, so fixing can be fast and deployment of the fix instant and unobtrusive for the user."
Cloud-Based Security Solutions for Windows Server 8 Service
For those unwilling to pay for Microsoft support or to rely on a third party's unique solution for continued security updates following Windows Server 2008 end of life, the only solutions involve moving to the cloud.
The easiest solution here is probably Microsoft, which will supply free security updates for three years to organizations that move their Windows Server 2008 workloads to its Azure cloud to run as a VM or managed instance.
A little more complex, but perhaps a more complete, long-term solution is being offered by Amazon Web Services with its End-of-Support Migration Program for Windows Server. With this program, users upload their unsupported workloads to the cloud and upgrade to a supported version of Windows Server in the process, using a compatibility layer to do things like redirecting APIs that have changed.
AWS says that the EMP technology is offered without cost, although users will have to pay a fee to have applications assessed and repackaged.
Other than these solutions, IT shops can face the final Windows Server 2008 end of life by upgrading to a newer version on their own, or they can continue to ride bareback and hope any security holes that surface don't lead to an attack by the black hats.
That last option is not recommended. As Rocky used to say to Bullwinkle, "That trick never works."