When Legacy keeps the light on

Prepare for Windows Server 2008 end of support

On January 14, 2020, support for Windows Server 2008 and 2008 R2 will end. That means the end of regular security updates. Don't let your infrastructure and applications go unprotected. In Microsofts words - We're here to help you migrate to current versions for greater security, performance and innovation. If only it was that simple.

Do you have a plan?

An observation around IT Managers, we work with the latest technology but don’t like change, it’s not changing that’s the issue it’s the patching and testing and downtime that needs to be agreed by the business. The business wants to be protected and want to use the latest software but doesn't want the downtime and/or the testing cycle that goes with that. Even worse the cycle of operating systems and databases is long, 2008!, 10 years out of a piece of software (assuming you didn’t install it on the day it was out and are using it until the last moment on the 13th Jan) is a great testimonial in terms of fit for purpose and sweating an asset.

Now I know this is also linked to an application server and the manufacturer doesn’t support anything higher or the application is not portable etc. but let us focus on the reality. You have Windows Server 2008r2 (and I know some of you that’s also Win XP, NT, 2003) installed on your network, it is running an application you can’t do without, the business wants to close it down but it still runs a business workload that can’t be reproduced elsewhere and is still needed, so let’s focus instead on what’s next......

Firstly let us look at the reality if you have something running on an out of date platform, its unlikely to be being upgraded by itself, it has probably been running fine for at least 3 years without any problems so the apparent danger to the business is not in the service its self, its in the delivery of that service, but this falls short of any risk matrix that should be in place.

In short summary, we actually have 3 main risks.

1.      The Service/Application that is being run on the machine will be compromised in some way, that means the service won’t be available which means the system is down and nobody whom you can normally turn to is there to support the environment.

2.      The ecosystem that needs to support the Application & Operating System Environment (OSE) won’t do in the future (Hardware, Hypervisor, Backup, etc.)

3.      The machine out of support becomes an infection risk, a zombie in a crowded healthy room allowed to infect anything it can come in contact with being used as a host to carry infections (payloads) that may not even affect it.

So, frankly a little more serious than just an application going offline for a day, but in businesses I have spoken to, that’s often what has been communicated to the business. I am certainly not advocating, an escalation into full FUD (Fear Uncertainty and Doubt) but we should be more realistic about the ongoing protection and support of those services. On this vain I didn’t really want to mention WannaCry and the NHS in terms of a risk factor, but it highlights the longer-term management of risk if we don’t look at mitigation strategies from day one as part of the lifecycle of any service(s).

In terms of choices, let us be specific in this case to Win2008r2, but this is fairly generic in terms of all of the other options (Win7, SQL and a myriad of other environments).

1.      Upgrade to the next supported version (assuming that you can’t already):

• Upgrade on-premise servers to the current version (available via Monthly Billing or Volume Licencing) – Have you tested the application on Win2012r2, it may be safer to run it with limited application support than no operating system security updates, especially if you need to run it for more than 3-6months more.
• Migrate to a SAAS version (if available) or a different vendor.

2.      Pay to extend support with the vendor:

• Migrate your current 2008 workloads to Azure and benefit from 3 years of Extended Security Updates at no additional charge. If you have active Software Assurance, then save on Azure costs with Azure Hybrid-Use Rights
• Remain on Windows Server 2008R2 and purchase Extended Security Updates for 3 years. This option requires active Software Assurance or subscriptions licences under an Enterprise Agreement only.

3.      Run the application in a controlled environment:

• Lock the legacy down completely, technologies like VMWare NSX and Nutanix Flow as well as traditional firewall solutions can reduce the risk significantly by reducing the exposure to single ports and communication to only the machines or services that need access.
• Virtualise the app further, running the app in a VDI or cloud container can similarly limit exposure from the front end significantly and can often allow for hardware, software and infrastructure deployment to be abstracted from delivery.

The message then is, do something, even if it is just to build a strategy.

Start with how long we need to support it – not can we do without the application for a day if it goes down. Take an audit, add it to the risk register. As part of my normal work, I help companies run audits that will show everything from the Current VM and storage sizing to the cost of running the existing workloads in AWS/Azure as well as identifying current EOL OS's, Hardware etc. They are a building block to your strategy and are in the most part little or no financial cost to yourself.

Why not add me to your team today so we can talk about what’s important to your business while we solve the urgent issues in the process?

If you’re interested to find out more or would like to see what time with one of Bechtle’s presales team could bring in value why not contact me directly.

Email: [email protected]

Phone: +44 1249 467957

Bechtle is the 2019 winner of HPE’s Global Solution Provider of the Year