
IT shops keep Windows Server 2003, despite risks

Enterprises don’t let Microsoft’s Support Lifecycle policies dictate their upgrade cycles. But unless they buy hotfix support for Windows Server 2003, it could lead to trouble.

More IT shops use Microsoft Windows Server 2003 today than the two newest versions of the operating system. But they are doing so at the expense of performance gains and could even face security risks now that the 7-year-old OS is in Extended Support.

Microsoft ended its mainstream support lifecycle for Windows Server 2003 Datacenter and Enterprise Editions on July 13, and extended support will retire July 14, 2015. In the Extended Support phase of Microsoft’s Lifecycle Policy, nonsecurity hotfix support requires that shops purchase an extended hotfix agreement within 90 days of mainstream support ending.

That means IT shops running Windows Server 2003 have until Oct. 13, 2010, to purchase an extended hotfix agreement from Microsoft.

In addition, companies on Windows Server 2003 no longer have access to no-charge incident support, they can’t make warranty claims and Microsoft ignores feature requests during this phase.

On an old OS, even security fixes could take a back seat
IT pros tend to upgrade OSes on their own timetables, but holding on to Windows Server 2003 means running the risk of security issues, because fixing major problems in old products isn’t a priority for Microsoft -- especially when the currently shipping version is architecturally different, said Michael Cherry, an operating system analyst with Kirkland, Wash.-based Directions on Microsoft, an independent analyst firm.


"The greater the changes, the less likely Microsoft will fix even security problems," Cherry said. "Looking at the degree of change in Windows Server 2008 and 2008 R2, it is becoming riskier to continue to run on Windows Server 2003."

For example, Microsoft won’t fix a security vulnerability in some versions of Exchange Server 2003 and 2007 that gives an attacker a way to take control of an authenticated Outlook Web Access (OWA) session and then perform actions as if they were the legitimate OWA user, Cherry said.

"Microsoft will not patch this security bug, even though some versions of Exchange that contain the bug are still supported, because the fix would require architectural changes that might break other product features," Cherry said. "Instead, customers concerned about security must deploy a service pack or a new version of Exchange."

Another example is when Microsoft chose not to fix a TCP/IP vulnerability in Windows 2000 last year, when that OS was in Extended Support. Microsoft said fixing the problem would have involved redesigning the TCP/IP features of the OS and might have rendered applications incompatible with operating systems, Cherry said.

Cherry said migrating to newer versions of Windows is a good idea not only because of where Windows Server 2008 and 2008 R2 are in the support lifecycle, but because those OSes offer better reliability and performance than Windows Server 2003.

Windows Server 2003 remains dominant
Still, IT pros will run Windows Server 2003 as long as they can because it works and because they don't see any value in upgrading an OS when their applications remain the same, said Alan Silverman, an advanced systems consultant with the IT integrator Atrion Networking Corp., in Warwick, R.I.

In fact, in the 2010 Virtualization Decisions Survey released in September by, 83% of the 800 IT pros who responded said they are on Windows Server 2003, and 75% said they use that operating system for their mission-critical applications.

When companies do upgrade to a newer OS, it isn’t to get the shiny new features in the OS; it is always part of an application upgrade or a hardware refresh, Silverman said. Many shops move from Windows Server 2003 right to Windows Server 2008 R2 as part of a data center virtualization/consolidation project, an Exchange 2010 upgrade or a Windows 2008 R2 Active Directory upgrade, he added.

"In most cases, people are trying to skip Windows 2008, as it is associated with Vista," he said.

The Virtualization Decisions Survey data supports that observation. It shows just over 55% of IT pros run Windows Server 2008 in their shops while 65% use Windows Server 2008 R2. When it comes to mission-critical applications, about 57% run them on Windows Server 2008 R2 and about 43% rely on Windows Server 2008.

Let us know what you think about the story; email Bridget Botelho or follow @BridgetBotelho on Twitter.
