As July 14 -- marking the end of Windows Server 2003's official support lifetime -- approaches, the message from all sides grows louder: Upgrade or else. Analysts and pundits are making a case for the dangers of continuing to run Microsoft's legacy OS in production.
What if you can't upgrade? Or what if you simply choose not to, because everything runs fine and the system isn't exposed to the outside world? What would likely happen if we let a Windows Server 2003 box run indefinitely?
It isn't as absurd or unlikely a scenario as you might think -- and it might be a more direct reflection of the attitude some businesses have toward upgrades.
First, an answer to the question: Why has Windows Server 2003 stuck around for so long? By being good enough.
Wes Miller, research analyst for Directions on Microsoft, compares its persistence to Windows XP's -- also released in the same time frame, also out of its support window, but also good enough to get the job done.
"Windows Server 2008 and later versions changed their game a bit, and they're great products," Miller explained in a phone call, "but a lot of people were happy with Windows Server 2003 R2. A lot of businesses have a sunk cost with it, so they're happy with it, and there's no motivation to change it."
There's also the prevalence of 32-bit applications on Windows Server 2003 systems -- apps that can't be easily upgraded.
"These Windows Server 2003 and 2003 R2 systems out there are predominantly 32-bit," Miller elaborated. "Windows Server 2008 and above, you're talking 64-bit. You don't upgrade servers in place that often, but you're talking about a lot of apps-related work when you're changing architectures."
Where 2003 lurks
Which Windows Server 2003 systems might be candidates for being left as-is? One answer would be to look in many of the same places where Windows NT and Windows 2000 have also made a long-term home.
Pat Simpson, technical architect of software solutions at CDW, described the scenarios for such systems as akin to "servers in manufacturing or on a production floor ... often they are not connected to anything except a specific machine and running highly specialized software for which there may not be an upgrade." In other words, the software on the system and its external dependencies are the real limiting factors.
MVP Orin Thomas has spoken to admins in manufacturing, rather than IT, who still run even Windows NT, and extrapolated from what he heard to Windows Server 2003. "The cost of keeping these [Windows NT] machines running," he wrote, "once you knew the tricks, wasn't so extreme that management prioritized moving to a newer platform." In those situations, he noted, migration to a more recent version of Windows is only a priority after all other options have been exhausted.
James Wedeking, director of solutions for Randstad Technologies' Infrastructure Services practice, had similar experiences: "We are supporting a customer today that still has instances of Microsoft Windows NT 4 Server. I don't think they'll be as frequent, but there are still organizations that do not depend on their technology as much as the IT industry (or IT service providers) would wish."
That said, Simpson noted that "the organizations most likely to still run Windows Server 2003 after the end of support date are also likely to be those that are most at risk -- firms under regulatory compliance restrictions. Often, this is because many of these organizations have internal or proprietary applications that were built specifically to run on Windows Server 2003, and as such, these applications are difficult to migrate away from the operating system."
Keeping the wheels turning
What everyone agrees on: If you elect to keep a Windows Server 2003 system around (against their recommendations), it needs to be isolated -- assuming it isn't already so.
The core message can be summed up by Wedeking: "Keep the systems far away from the Internet." In other words, if an existing system isn't public-facing, don't change it.
The next step is to surround the system in question with as much security as can be drummed up. Simpson stated, "Security mitigation, like quarantining or compensating controls, can help to limit the amount of damage that can occur with a breach."
Miller also agreed that, barring an upgrade, it's best to "recognize the risk ... put it in a container, lock it down, and do as much risk mitigation as you can." But he also pointed out it's "dangerous [to do this] with a client, exceedingly dangerous with a server."
However, most discussions about the sheer number of Windows Server 2003 systems still running overlook a prevalent, and often ignored, condition outside of the IT world: upgrades are seen as the business of the company running the system, rather than the company providing the OS or the software.
As Thomas put it, "For a not insubstantial number of organizations, it doesn't matter what ticking clock Microsoft sets with regards to end of support. It will be the organization, and not Microsoft, that decides when those resources will be put out to pasture."
That Windows NT and Windows 2000 are still with us in many forms -- with Windows Server 2003 about to join them -- ought to be proof.