Windows Server 2003 End of Support - What Are Your Options?

March 25, 2015 Neal Terracciano

Extended support for Windows Server 2003 ends on July 14th, 2015. It’s Y2K all over again. Except there won’t be any nuclear meltdowns. And no anticipated zombie apocalypses. The banking systems won’t fail, and apparently there’s no chance my credit union is going to lose track of my car note (this was a big hope for me during Y2K).

Ok, so it’s not Y2K. Frankly, it’s really no big deal at all if you no longer have Windows Server 2003 in your infrastructure. Good for you, the approximately 61 percent of the Windows ecosystem that has moved on. As for the other 39 percent of Windows servers out there: according to Microsoft data, you’re still running Windows Server 2003 right now…aren’t you? That’s just a percent under 40 percent, and that’s a lot of percents, relatively speaking.

“So what does End of Support mean, KRey? Will the OS encrypt itself at midnight on the 15th? Are the servers going to announce a self-destruct sequence like an Inspector Gadget message and then subsequently blow up in our faces?”

No, not exactly…but that would make for a great episode of “Archer”.

Simply put, Microsoft will no longer offer public support for the Windows Server 2003 platform. No more publicly available Windows updates, system patches, hotfixes or Microsoft tech support.

“Why”, you ask? Well, there’s a multitude of reasons, most surrounding product lifecycle and all the accoutrements required to publicly support a product that is three (3) generations and technically five (5) versions (counting R2s) old…I mean, c’mon, it’s an aged product, right?

Of course there are also plenty of conspiracy theories circulating around the good ol’ interwebs about selling new licenses, driving application upgrades, etc. etc., but ultimately, it doesn’t really matter, does it? It’s being sunsetted regardless, so let’s move on and discuss our options.

What Are Your Options?

As IT administrators, we essentially have three (3) different options for any legacy production servers still running Server 2003. The decisions to be made will, as usual, be based largely on the applications in use and their dependence on the Server 2003 platform. Indeed, there are all kinds of cost and time calculations that also need to be performed, but we’ve come to depend on these systems and applications, so the services they provide are paramount to our business’s continued success.

Option #1: Do Nothing

Yes, as anecdotally quintessential as it sounds, the “Do Nothing” approach really is a conscious choice that you can make as an IT team. Maybe the costs to upgrade the systems or applications far outweigh the financial risk to the organization: the servers only provide an API relay to an internally facing service, there’s a whole farm of them so redundancy is not a challenge, and they sit in a private VLAN with tight routing restrictions. The datacenter is not subject to, or connected to any datacenter that is subject to, HIPAA or PCI compliance. Besides all that, you’ve got a golden image of this joker that you can spin up in ten minutes if one of them craps out.

Option #2: Isolation

Perhaps the application being supported on 2003 is being redeveloped for 2012 and is slated to be ready for testing at the beginning of Q3. We just need to make sure that this 2k3 farm is isolated from the nasty, unsupported world out there until the upgrades are ready for production.

So we isolate the 2k3 servers from the rest of the network, impose tight routing restrictions…maybe pepper in a few next-gen firewalls that perform advanced IPS and Layer 4-7 switching and filtering. There is some cost involved here, but we’ve done what we can to mitigate our risks and minimize our exposure.

NOTE: So obviously, neither of these approaches is a true long-term punchline to the 2k3 EoS riddle. There are still implications surrounding security and compliance concerns.

The Windows Server product lines, while differing greatly in look, feel and functionality, still share A LOT of the same code. As new vulnerabilities are discovered in 2k8, 2012 and on, patches for those systems will be released. The dastardlys of the world will reverse engineer those patches and then target the Windows Server ecosystem…and if the vulnerability lives in shared code, then our 2k3 servers, which will never see that patch, are at risk.

We may have done our best to mitigate the concerns, but if we’re subject to industry compliance standards and there is a breach and our 2k3 servers are affected, then we better have a super solid business case for why they are still there and in production.

Option #3: Upgrade

So this one is also pretty self-explanatory. No 2k3 application dependencies. Plenty of space in our virtualization stack to replace the legacy 2k3 servers with shiny new late-model virtual machines. No budgetary worries about the light bill not getting paid if we have to secure some additional Microsoft licensing.

“Tell your father about upgrading, George”.

Custom Support Agreements

For the Enterprise (read: Deep Pockets), Microsoft offers some additional “pay-for” assistance to organizations that still have 2k3 in their environment and cannot get rid of it yet.

For the low low price of approximately a couple hundred grand a year, we can enter into a Premium Support Agreement with Microsoft and have a Custom Support Agreement established. This would allow us to continue to receive support. They will provide hotfixes at tens of thousands of dollars per patch, and they’ll still provide tech support as long as we maintain those annual support agreements.

Microsoft will NOT, however, enter into said premium and custom support agreements if you do not already have a concrete business plan to migrate off the legacy 2k3 platform.

Next Steps

As technologists, we’re aware that these things happen. OSes get sunsetted, applications get upgraded and hardware gets old. Preparedness is the key to success…according to McKinsey & Co., “Only 23% of companies use a formal strategic planning process to make important strategic decisions.”

Maybe we don’t have the expertise to plan these migrations. Maybe we just don’t have the time. We could be bound by budgetary constraints…or management challenges.

Either way, you’re not alone. Leverage the resources that are available to you, regardless of whether they originate internally or from your VAR or SuperVar. Any VAR worth patronizing employs engineering and architecture resources to do just that: Plan, Design and Execute. Make sure they provide quantification of the “value added” portion of being a Value Added Reseller!
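Planning starts with knowing exactly which 2k3 boxes you still have. The following is an added example, not from the original post: a PowerShell inventory of the enabled Windows Server 2003 computer objects in Active Directory, which flags machines with no recent logon as decommission candidates and leaves the rest for an Option 1/2/3 decision. It assumes a domain-joined admin host with the RSAT ActiveDirectory module; the 90-day stale threshold and the output file name are assumptions.

```powershell
# Added example (not from the original post): inventory Windows Server 2003 hosts in AD.
# Assumes a domain-joined admin host with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$StaleDays = 90   # assumed threshold: no AD logon in 90 days means the box is probably already dead

# Both 2003 and 2003 R2 report an OperatingSystem string containing "Server 2003".
$Servers = Get-ADComputer -Filter { OperatingSystem -like "*Server 2003*" -and Enabled -eq $true } `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonTimestamp, IPv4Address, Description

$Report = foreach ($s in $Servers) {
    # LastLogonTimestamp is a FILETIME; it is replicated lazily, so it can lag real logons by ~14 days.
    $lastLogon = if ($s.LastLogonTimestamp) { [DateTime]::FromFileTime($s.LastLogonTimestamp) } else { $null }
    $isStale   = (-not $lastLogon) -or ($lastLogon -lt (Get-Date).AddDays(-$StaleDays))

    [PSCustomObject]@{
        Name        = $s.Name
        IPv4Address = $s.IPv4Address
        OS          = $s.OperatingSystem
        ServicePack = $s.OperatingSystemServicePack
        OU          = ($s.DistinguishedName -split ',', 2)[1]   # drop "CN=name,", keep the container path
        LastLogon   = $lastLogon
        # Stale objects are decommission candidates; live ones still need an Option 1/2/3 decision.
        Status      = if ($isStale) { 'Stale - verify and decommission' } else { 'Active - needs a migration decision' }
        Description = $s.Description
    }
}

$Report | Sort-Object Status, OU, Name | Format-Table -AutoSize
$Report | Export-Csv -Path .\Server2003-Inventory.csv -NoTypeInformation

"{0} enabled Server 2003 computer objects found ({1} active, {2} stale)" -f @($Report).Count,
    @($Report | Where-Object Status -like 'Active*').Count,
    @($Report | Where-Object Status -like 'Stale*').Count
```

Cross-check the "Active" rows against your application owners before deciding anything: AD tells you the server authenticates, not what business service still depends on it.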

To use an adage from my carpentry days, let’s measure twice, and then cut Server 2003 out of our infrastructure. The sun is setting in July.
