In America and many parts of the world, we see that it's human nature to want the latest and greatest version of things. Be it automobiles, cell phones, clothes -- you name it -- there's always something newer and shinier that we want to get our hands on. Dealing with the Windows Server operating system in the enterprise is no different. Time and again, I see IT managers wanting to get the latest Windows Server versions because it has more features and, presumably, because it's more secure. One less thing to worry about, right? Well, not so fast. Upgrading the server OS doesn't automatically fix all the security problems.
If security is the overall goal with the Windows Server systems, it could be argued that you could run Windows Server 2003 and be just fine. As with most things in IT and security, it's all in the implementation. I still see plenty of Windows Server 2003-based systems in the enterprise and, surprisingly, they are not necessarily the most vulnerable systems. Many times, I've seen the latest version of the Windows Server OS running on networks with numerous security vulnerabilities: missing patches, open network shares, weak password policies and various other domain-wide misconfigurations. A new Windows Server edition is not going to correct these issues.
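As an added illustration (not part of the original article), the PowerShell posture check below looks for the three misconfiguration classes just named: a stale patch level, non-administrative shares open to Everyone or Authenticated Users, and a weak effective password policy. It assumes Windows Server 2012 or later for the SmbShare cmdlets and an elevated session; the thresholds (12-character minimum, 45 days since the last hotfix) are the example's own, not the author's.

```powershell
# Added example, not from the original article. Assumes Windows Server 2012+
# (SmbShare module present) and an elevated PowerShell session.
# Thresholds below are illustrative assumptions, not vendor or author guidance.
$findings = @()

# 1. Patch level: age of the most recently installed hotfix (null InstalledOn skipped).
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$daysSincePatch = (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days
$findings += [pscustomobject]@{ Check = 'LastHotFix'; Value = $lastPatch.HotFixID
                                Detail = "$daysSincePatch days ago"; Flag = ($daysSincePatch -gt 45) }

# 2. Open shares: user-created shares (not ADMIN$, C$, IPC$) with Allow ACEs for
#    broad principals. On 2003/2008 use 'net share' instead of the SmbShare cmdlets.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.AccountName -match 'Everyone|Authenticated Users'
    } | ForEach-Object {
        $findings += [pscustomobject]@{ Check = 'OpenShare'; Value = $share.Name
            Detail = "$($share.Path) : $($_.AccountName) $($_.AccessRight)"; Flag = $true }
    }
}

# 3. Password policy: parse the effective policy reported by 'net accounts'.
#    For domain policy, Get-ADDefaultDomainPasswordPolicy (RSAT AD module) is the
#    authoritative source; this keeps the example dependency-free.
function Get-NetAccountsValue([string[]]$Lines, [string]$Label) {
    $hit = $Lines | Select-String -SimpleMatch $Label | Select-Object -First 1
    if ($hit -and ($hit.Line -match ':\s+(\S+)\s*$')) { return $Matches[1] }
    return $null
}
$na      = net accounts
$minLen  = Get-NetAccountsValue $na 'Minimum password length'
$lockout = Get-NetAccountsValue $na 'Lockout threshold'
$findings += [pscustomobject]@{ Check = 'MinPasswordLength'; Value = $minLen
                                Detail = 'assumed floor: 12'; Flag = ([int]$minLen -lt 12) }
$findings += [pscustomobject]@{ Check = 'LockoutThreshold'; Value = $lockout
                                Detail = 'Never = no lockout'; Flag = ($lockout -eq 'Never') }

# Flagged rows are the items a newer OS version would not fix on its own.
$findings | Format-Table Check, Value, Detail, Flag -AutoSize
```

Run it on a freshly upgraded server and on an older one; the flagged rows, not the OS version, are the real comparison the article is making.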
Granted, the latest Windows Server version is going to be more secure than its predecessor. It's just the way the world of Windows works. What's more important than the version of Windows Server you're running are the security policies and practices. I've seen organizations with impressive setups, in terms of security, from data-loss prevention tools to security information and event management products to cloud access security broker tools -- but they were no more secure than anyone else. It all comes down to the philosophy about security. Getting back to my earlier point, you could run 10-year-old versions of Windows and have a more secure, locked-down environment than those with newer Windows Server versions that look and feel secure but aren't, because security isn't being treated in the right ways.
If the goal is to have super secure systems on Windows Server that are being monitored, have data locked down in all the right ways, and work in an overall environment that is not only resilient to attacks but is also adequately prepared for incident response scenarios, then it's relatively simple. Look no further than what's been proven to work in Windows Server 2008 and Windows Server 2012.
There's a saying that if there's a big enough why then the how will look after itself. Upgrading to the newest Windows Server version is the easy part. What's most important is how you view information risks, how you acknowledge vulnerabilities on a periodic and consistent basis, and how you go out of your way to do what's right to keep things locked down. Whether it's Windows Server 2003 or Windows Server 2016, it's really all the same as long as the philosophy about security remains consistent.