September 17, 2019
Is your organization seeing 2020?

Why 2020 may impact you more than you expect

Companies all over the world face the challenge of hardware and software becoming outdated, obsolete, or flat-out failing. For many of them, effectively managing the risks associated with the end of life for aging servers can be a pivotal decision affecting the organization's bottom line for several quarters, if not years. Combine the cost of new hardware, software, and licenses with the potential costs of downtime, implementation of the changes, and even the loss of other dependent or specialized systems, and you start to get an idea of just how central these systems are to a company’s business.

In January of 2020, Microsoft will end extended support for Windows Server 2008. This marks the end of a well-known and extensively implemented platform, or at least the end of patches and security updates. [https://support.microsoft.com/en-us/help/4456235/end-of-support-for-windows-server-2008-and-windows-server-2008-r2]

What this means from a Risk Management viewpoint

For any of my clients I would recommend an annual review of existing infrastructure to identify any potential risks from several factors including:

  • Aging server hardware or hard disk drives which can increase the risk of failures and downtime
  • Applications or Operating Systems (OS) that are out of support or beyond the intended lifecycle
  • Proprietary software or hardware that relies on very specific drivers or operating systems to function properly
  • Aging backup volumes that may not have been examined or tested for extended periods

This review can offer valuable insight on where risks may be found, but it only offers half the story. In order to create a plan of action, you have to dig deeper. Each of these areas can have its own challenges, and these can vary greatly depending on business needs and structure. Given the 2020 deadline, I am going to focus on the Windows Server 2008 platform in this article.

Working the problem

For those with open budgets and very common configurations, the answer is likely to upgrade the server to 2012 R2, 2016 or even 2019 (released in Oct. 2018). For them, the answer is straightforward and no further action is required. In my experience, organizations rarely have configurations this simple in all areas of the infrastructure.

Common challenges:

  • OS specific applications with no upgrade options or none that can meet budget requirements.
  • OS specific hardware or drivers with no upgrade options or none that can meet budget requirements.
    • This is very common in manufacturing and industrial engineering sectors.
  • Hardware limitations of the server hardware.
    • Windows Server 2012 and newer are not available in a 32-bit version, which means some legacy hardware will not run them.
  • Timelines too short to justify new hardware or OS.
    • A common cause is when a server was to be migrated before the deadline and fell behind, so you need to keep it in place for a few more months.
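
The operating-system part of the review described above can be scripted. The following is an added example, not part of the original article: it flags Windows Server 2008 and 2008 R2 hosts in an inventory export, counts the days left before end of support, and notes where a 32-bit installation rules out an in-place upgrade. The column names, host names, and the `Get-EndOfSupportFinding` function are assumptions made for illustration; January 14, 2020 is the end-of-extended-support date.

```powershell
# Added example, not from the original article. Column names are assumptions.
$EndOfSupport = [datetime]'2020-01-14'  # Windows Server 2008 / 2008 R2 extended support ends

# Constructed sample inventory; in practice, export this from your CMDB or directory.
$inventory = @'
Name,OperatingSystem,OSArchitecture
FS01,Windows Server 2008 Standard,32-bit
DC02,Windows Server 2008 R2 Enterprise,64-bit
WEB03,Windows Server 2012 R2 Standard,64-bit
PLC-GW,Windows Server 2008 Standard,64-bit
APP05,Windows Server 2016 Datacenter,64-bit
'@ | ConvertFrom-Csv

function Get-EndOfSupportFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Server,
        [datetime] $AsOf = (Get-Date)
    )
    process {
        # Match 2008 and 2008 R2; \W* tolerates the trademark symbol some exports include.
        if ($Server.OperatingSystem -notmatch '^Windows Server\W*2008') { return }

        $upgrade = if ($Server.OSArchitecture -eq '32-bit') {
            'Blocked: Server 2012 and newer are 64-bit only'
        } else {
            'Possible: test applications and drivers first'
        }

        [pscustomobject]@{
            Name            = $Server.Name
            OperatingSystem = $Server.OperatingSystem
            DaysRemaining   = [int]($EndOfSupport - $AsOf.Date).TotalDays
            InPlaceUpgrade  = $upgrade
        }
    }
}

# Review as of the article's publication date; omit -AsOf to use today's date.
$inventory | Get-EndOfSupportFinding -AsOf '2019-09-17' |
    Sort-Object InPlaceUpgrade, Name | Format-Table -AutoSize
```

A negative `DaysRemaining` value means the host is already past the end-of-support date.
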

Common solutions:

  • Remove it – Depending on the role the server plays in your organization, you may be able to simply offload the work to another system and decommission the server entirely. Common for legacy systems acting as non-primary domain controllers or non-primary web or file servers.
  • Replace it – If the hardware is already a holdover from a 32-bit era and the return on investment (ROI) of the server is already in the black for your organization, then it may make the most sense to replace the server, hardware and all.
  • Upgrade it – In some cases, the solution may be a matter of upgrading the OS to a Windows Server 2012 R2 platform. I would recommend caution here as it can be problematic for some apps, specialty devices, and other connectivity to upgrade in place.
  • Hide it (take it offline) – If you are looking at Q1 of 2020 with dread because you have millions of dollars in manufacturing equipment that simply will not talk to anything but your current hardware and software, you are not alone. In the past I have assisted clients in establishing an offline or “dark” network specifically to improve security around specialty equipment that required interaction with the infrastructure but relied on insecure or outdated communication protocols to do their work.
  • Virtualize it – The Microsoft recommended solution for legacy apps that require Windows Server 2008 is to migrate them to the cloud using Azure and leverage the available cloud security tools to pick up the slack where the legacy system leaves off. This is a good solution in many circumstances, but it should not be treated as a one-size-fits-all solution.
  • Guard it (online but with extra security) – Let’s say you are faced with a unique set of challenges where a system cannot be removed, replaced, upgraded, hidden, or virtualized, and for business reasons cannot be otherwise eliminated. What can you do? In this very specific circumstance, I would recommend calling in a professional resource (hire them directly or contract with a respected organization) to architect a security solution for the server.

Are you ready for 2020?

I would encourage anyone charged with managing or protecting an organization's infrastructure to take a careful look at the assets under your care. Think critically about what might happen if a drive or a network card failed over the weekend. Would your company recover quickly? Would anyone even get an alert that there was a problem, or would the news come from a user emailing their supervisor that they cannot access a quarterly report they need for their next meeting? If the answer is not a happy, comfortable one, the best thing you can do is open the conversation with your leadership and raise awareness within your team. If you are the leadership or there is no team, it may be time to seek external resources.

About the Author
Adam Frantz
Solutions Engineer
Adam Frantz has been with CBI as an engineer since early 2018, working as part of our implementations division. He is tasked with performing health checks on existing systems, updating security policies, providing insight on best practices, and configuring security appliances for our clients. Adam currently holds industry certifications in cybersecurity from Cisco, CompTIA, and (ISC)2.