January 2020 will mark Windows Server 2008 end of life, when Microsoft will close down support for the server operating...
system. Without patches to keep Windows Server 2008 alive, it will also mark the demise of 16-bit applications on Windows Server. Now that the clock is ticking for companies that need these apps to run the business, what are the options?
The overwhelming majority of the world's businesses are small and medium businesses (SMBs). These organizations don't typically have top-flight IT capabilities in house. They are often cash poor and are strongly affected by the vagaries of boom and bust economies. Also, it is unlikely for a third-party developer to step into this space and write new software if the market is tiny and poor.
Why 16-bit applications need to survive
Many companies bought industrial equipment -- especially the equipment bought in the 1980s and 1990s -- with the expectation of getting 20, 30 or even 50 years' worth of life from them. As operating systems aged and were replaced, the 16-bit applications that drove this equipment were migrated from generation to generation until, at last, Windows Server 2008 was the last Microsoft Server operating system to support 16-bit applications.
Companies -- especially SMBs -- cannot afford to throw out functional pieces of equipment because the operating system is no longer getting patches. For many, the businesses exist to get the owners to retirement, and they are not going to make multimillion dollar investments that are not likely to be paid off by the time retirement age rolls around.
This is the reality of business: it is driven by the needs of the individuals who own those businesses, not the desires of software vendors to achieve application or operating system churn.
What to do when applications don't need to talk to the hardware
If the 16-bit applications do not need to talk to hardware, things become easier. Applications can be virtualized and delivered remotely. This can greatly increase security; access to the virtualized instances can be locked down to only those workstations that need remote access.
In addition, if the 16-bit application requires access to the network or to the Internet then the defensive countermeasures -- firewalls, intrusion detection system and so on -- can also be virtualized and placed in the network path between the network and the 16-bit application with relative ease. Virtualization also makes automating backups and restores easier; keeping "known good" instances of applications becomes simpler.
The many ways to virtualize an application and deliver it are beyond the scope of this article, but it is possible to deliver a 16-bit application to a workstation over a network -- or the Internet -- without giving the 16-bit application access to the network or the Internet.
Access to the application and the application's access to networking are separate items; control over each can be quite granular. While proper exercise of these controls won't prevent all malware infections, they should keep the compromise of the 16-bit applications to a manageable level. Tighter controls may even drop the infection rates of the out-of-date operating systems used to host those applications below that of the more modern, but less-restricted operating systems.
Keeping 16-bit applications in service is a game of calculated risk, but all IT provisioning is a game of calculated risk. Just because an operating system is still receiving regular security updates does not mean it is invulnerable. Similarly, the best defended network can be compromised by malware. Even air-gapped computers have been successfully targeted by malicious actors as eventually someone has to get data on and off of the system.
Tactics to stay in production
Do not panic just because there is a looming end of support deadline. Start making rational calculations about what you do and don't need to maintain an acceptable risk profile for the network. Keep customer data away from systems that are most vulnerable. Segment and separate the network into risk zones and defend well the few bridge points between those zones.
Above all, always assume the network is already compromised and design your IT approaches to minimize the fallout. Ensure you can regularly restore systems to known good configurations. If you can adhere to these principles, then the business can survive the end of support for Windows Server 2008 with those 16-bit applications intact.
Why inertia slows migrations from Windows Server 2003
The risks associated with running end-of-life software
Dealing with server OS refreshes and software upgrades