Latest posts by Michael Pietroforte (see all)
- Results of the 4sysops member and author competition in 2018 - Tue, Jan 8 2019
- Why Microsoft is using Windows customers as guinea pigs - Reply to Tim Warner - Tue, Dec 18 2018
- PowerShell remoting with SSH public key authentication - Thu, May 3 2018
What is wrong in your IT department? ^
Windows Server 2003 is a 12-year-old operating system. This is an eternity in the fast-moving IT world. If you are still running this stone-age operating system, the first thing you need to do is find out what went wrong in your IT department. You should have dumped this outdated operating system seven years ago when Windows 2008 came out. Take the opportunity to analyze the structure of your IT department and identify the reason you were unable to keep up with the pace of the rest of the IT world.
I know such pithy words are not really popular. I have been bashed for my article about the end of mainstream support of Windows 7. Honestly, I don’t care. In my view, it is highly irresponsible to run an operating system where security updates are no longer available. You endanger the entire Internet, not just your own organization.
These highly vulnerable systems are an easy target for hackers and allow them to disguise their pathways for attacks on more interesting systems. This is facilitated by the fact that IT departments with such old systems often don’t have the tools that would allow them to backtrack these attacks. Admins are then quite surprised when law enforcers confront them with the fact that half of their network is part of a botnet that caused significant damage in other organizations.
What is really disturbing is that 2.7 million servers will continue to run Windows Server 2003 after Microsoft ends support for the operating system. Some organizations, such as the US Navy, pay a lot of money to continue receiving updates. This is not just a waste of resources; it is also quite embarrassing for these organizations.
The most popular excuse ^
I suppose some organizations will simply wait for Windows Server 2016. But this is a dangerous game because it is unclear when the final release will be available. And then you will probably need some time for testing before you can move to the new version. In the end, it could mean that you have to run Windows Server 2003 for more than a year without getting security updates. I wouldn’t risk this.
However, the main argument IT departments put forward is that legacy applications don’t run on a newer Windows version. In my experience, this argument is almost always wrong. I was confronted with this problem countless times in my career. Whenever I got to the bottom of the claim that an OS upgrade was impossible because of a legacy application, it turned out to be wrong.
In the vast majority of cases, the claim originates in another department that swears that they still need this application and the corresponding vendor doesn’t support a newer Windows version. The first thing I would tell them is to dump this vendor as fast as possible. However, many IT departments buy this claim and use it as an excuse to leave the corresponding server untouched. In many cases, no serious investigations take place to find out whether alternatives are available.
I have even seen cases where users were aware of other applications, but they simply wanted to stick with what they know. If you confront them, they will find all kinds of excuses why the new and modern application is worse than what they have been using for the last ten years or so.
The next claim then is that the new application is too expensive. What people forget here is that software and hardware costs are more or less negligible when it comes to the overall TCO. What costs real money is the fact that these old operating systems and applications are difficult and therefore expensive to manage.
The IT management costs are often underestimated because the admins who manage these systems have to be paid anyway. However, the time they lose to manage these outdated systems will lack in other areas; the result is that the organization loses a lot of money just because some people want to stick with what they know. And I don’t even take into account the costs that await your organization if it gets sued because your servers have been used for hacker attacks.
The truth is that, if you are really dependent on applications that only run Windows Server 2003, something is profoundly wrong with your entire organization. Thus, after you have analyzed the problems in your IT department, the next step is to make your management aware of the more general problem.
Moving legacy applications to an unsupported OS ^
If you are in a position with no influence on these issues and your job is to deal with the problem in a technical way, you can try one of the following solutions.
The first thing I would do is test whether the application really won’t run on Windows Server 2012 R2. Just because a vendor says that only Windows Server 2003 is supported doesn’t mean that the application won’t run perfectly fine on a newer version. You can try to install the application in compatibility mode. Make sure that you try all options Windows has to offer here. If this fails on Windows Server 2012 R2, try Windows Server 2012 and then Windows Server 2008.
Sometimes the reason an application won’t run on a new Windows version is fairly trivial. A common problem is that the application requires administrator privileges and UAC gets in the way. Perhaps an old DLL is missing, or maybe the application depends on some weird fonts. Even the screen resolution can be a problem. Often only the setup program is incompatible because it is a 16-bit application. In these cases, you can try to copy the application folder and the registry entries to the new server. Use the free Sysinternals tool Process Monitor to analyze the file system and registry access of the application. Maybe you have to move some old DLLs to the new system.
It is hard to give general advice here because every application is different. I can only tell you that I have succeeded numerous times in installing legacy applications on unsupported operating systems just by being persistent enough. Check the log files of the application and the Windows event logs for hints. Search on the Internet. Others have often already succeeded. In the coming weeks and months, the forums will be full of threads with these issues. Thus, if you fail now, try it again in a few weeks.
Living with Windows Server 2003 ^
If everything fails and you really have to live with Windows Server 2003 for a while, make sure that you totally isolate the server. If possible, remove it from your Active Directory domain and use different administrator passwords. Make sure that no application other than the corresponding legacy application runs on the server.
Enable the Windows Firewall and only allow access from clients that need the legacy application. Consider using a modern third-party desktop firewall. It also makes sense to put those servers in an isolated network that is protected by a modern gateway firewall. You really need to treat these systems as time bombs, and you therefore have to ensure that they are totally isolated from the rest of your IT and, most importantly, from the rest of the Internet. Under no circumstances should a Windows Server 2003 system be accessible through the Internet.
Okay, now you can start bashing me. I am sure you have plenty of arguments why your case is different.