Windows 2008 and an End to Defender EDR under ESU?

Microsoft is ending support for the popular OS, sparking key security concerns

In just two days, on January 14, Microsoft is retiring Windows Server 2008 and other platforms. Even though Windows Server 2008 has been around for over a decade, it's still one of the best-liked and most widely used server operating systems today. It isn't confirmed, but a Microsoft executive said last summer that the OS accounts for 60 percent of the company's server install base.

Update: In 2023, Microsoft retired Windows Server 2012 R2.

Three Options from Microsoft

Microsoft is offering a few options to its users. Data centers still running Windows Server 2008 can upgrade the OS, mitigate, or move to the cloud.

Companies that are able to can upgrade. Newer operating system versions have additional security built in, so upgrading brings that benefit immediately. For some, though, the upgrade comes with unacceptable and prohibitive conditions.

For those who can't upgrade, a second option is mitigation: adding security layers around the end-of-life (EOL) machines and purchasing Extended Security Updates (ESU). However, ESU is an expensive option, costing three-quarters of the annual license.

Microsoft is offering companies a third option: stay on the retiring Windows Server 2008 but run it in the cloud, on Azure, where Microsoft will provide three years of ESU free.

Complications Around Upgrades

Upgrade complications frequently arise when applications a company uses daily won't run on newer server editions, and from hardware and driver issues. When everything is already working fine, upgrading is a big inconvenience, especially when the version you're on is being EOL'd by the manufacturer.

When an organization faces this predicament, it sometimes has to close the door on the upgrade option. Industrial control systems are in a similar fix: breaking critical applications creates problems these companies can't afford, and Windows Server 2008 is one of the more stable platforms out there. Sometimes a third party decides which operating system is used, which affects data centers and the individual organizations that depend on them.

The Giant Internet Threat

By far the biggest risk of all is the Internet. Exposing these servers to the Internet is highly dangerous, especially when they run older software. Vulnerabilities in older systems are a regular cause of devastating cyber attacks; WannaCry spread so widely because of a Windows vulnerability. Running retired software also prevents adopting other security practices that modernize over time, such as newer authentication methods and certificate handling, which puts companies at further risk.

Mitigations include ensuring firewalls are in place and placing newer, fully patched computers between the Internet and the EOL systems. That helps, but is it enough to fend off attackers who are well aware of this EOL timing and are intentionally seeking out these vulnerable machines? A known vulnerability discovered and exploited by bad actors threatens the whole network or data center.
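The "patched intermediary in front of the EOL box" layer described above can be enforced on the Windows Server 2008 host itself with the built-in firewall. The following is an added example, not code from the original article: it turns on default-deny inbound filtering and then allows only the two services the text's threats target (SMB, the WannaCry vector, and RDP) from a single patched front-end host and a management subnet. The addresses are constructed placeholders, and `netsh advfirewall` is used because the newer `New-NetFirewallRule` cmdlets do not exist on Windows Server 2008.

```powershell
# Added example (not from the article): restrict inbound access on a
# Windows Server 2008 host to a newer, patched intermediary.
# All addresses below are constructed placeholders for illustration.

$Intermediary = '10.0.20.5'       # assumption: the patched front-end / jump host
$AdminSubnet  = '10.0.99.0/24'    # assumption: management network allowed to RDP

# Enable the firewall on every profile and default-deny inbound traffic.
# Windows Firewall lets explicit block rules win over allow rules, so the
# reliable pattern is a block-inbound default plus narrowly scoped allows.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# SMB (TCP 445): reachable only from the intermediary. WannaCry propagated
# over SMB, so leaving 445 open to arbitrary hosts is the classic mistake.
netsh advfirewall firewall add rule name=EOL-Allow-SMB-From-Intermediary `
    dir=in action=allow protocol=TCP localport=445 remoteip=$Intermediary

# RDP (TCP 3389): reachable only from the management subnet, which
# limits exposure of BlueKeep-class bugs on this port.
netsh advfirewall firewall add rule name=EOL-Allow-RDP-From-Admin `
    dir=in action=allow protocol=TCP localport=3389 remoteip=$AdminSubnet

# Verify the two scoped rules exist; anything else inbound is now dropped.
netsh advfirewall firewall show rule name=all | Select-String 'EOL-Allow'
```

Run it in an elevated PowerShell session on the EOL server. Because the inbound default is block, any service not listed (and any host other than the intermediary) is denied without needing a separate block rule, which is what keeps the policy easy to audit later.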

Cyber insurance isn't a safety net either. Insurers have been pushing back on some claims, and their requirements are getting more refined as they figure out this complex market. Expect policies to include clauses stating that if outdated systems in the environment are the cause of a breach, claims will be nullified.

Given how widely deployed Windows Server 2008 is, there's a lot at stake, said Satya Gupta, founder and CTO at Virsec Systems, a San Jose-based cybersecurity vendor.

"Inevitably, a huge number of these servers will remain online, many of them protecting aging infrastructure and healthcare systems," he said. "Unfortunately, it will likely take another global security crisis, like WannaCry or NotPetya, before many of these stragglers catch up."

If EOL servers are essential to your infrastructure, extra security layers are a necessity to protect it.

Read the full Say Goodbye to Windows Server 2008 – and Hello to Azure? article.

Further Resources:

ACBackdoor Malware Targets Windows, Linux Users

When Older Windows Systems Won't Die

Microsoft ‘Bluekeep’ Flaw Threatens Medical Devices, IoT

Microsoft’s Familiar Refrain: Disable Macros to Avoid Malware Campaign Running FlawedAmmyy Trojan

With Apache Struts, never throw caution to the wind