The Windows Server 2012 and Windows Server 2012 R2 are approaching end of life (EOL), and support will cease for both products on October 10th 2023.
What does this mean in practice? Come October, these systems will no longer receive security updates, functionality updates, fixes for bugs, patches, or technical support. This poses risks to both compliance and cyber security. If your organisation is currently utilising these servers, now is the time to consider your ongoing strategy in this area, and plan for upgrades. Namely, you should think about: what will happen, what’s at risk, and your options to maintain security.
The problem with running end of life systems
Although the Windows Server 2012 and Windows Server 2012 R2 will soon reach their end of life, in our experience, many businesses across all sectors are likely still running legacy applications on these systems. These applications may be used in day-to-day business operations (potentially business critical), but are now facing the prospect of becoming untouchable once support ends.
Recreating applications and services
Unfortunately, it’s not straightforward to simply “re-write” an application to function seamlessly in an updated operating system, and to completely rearchitect one for a cloud environment is more onerous still, resulting in substantial downtime and interruptions to operations. These difficulties are only emphasised if the application’s original developer(s) is no longer with the business, and the appropriate documentation is unavailable.
Compliance and cyber security concerns
Productivity and business continuity aside, running applications without up-to-date support and ongoing updates is a serious concern from a cyber security and compliance perspective.
You may find that legal and compliance standards stipulate that, in order to keep customers and clients safe, your operating systems must meet a minimum threshold. Such requirements will commonly reference the need for official vendor support, rendering end-of-life systems noncompliant.
Therefore not only does running end of life systems risk your organisation’s cyber security, it can also result in a substantial financial penalty (often significantly more costly than the price of remedial action to update applications where necessary) or even legal consequences for your business impacting trading, particularly if a breach should occur that is found to have been caused by negligence in opting to continue to use unsecured end of life systems.
The risks associated with end of life systems and applications
While compliance obligations are certainly a driving force behind organisations opting to update applications and systems as end of life rolls around, for many, if there is no immediate requirement to do so, businesses regard the risk as one worth taking.
But what are the risks of continuing to run out-of-date applications and systems which are no longer supported by their vendor?
Savvy threat actors
Should businesses opt to leave end of life Windows 2012 servers in place, compliance aside, they are opening themselves up to the threat of attackers who are aware of this vulnerability and looking to exploit its weaknesses.
With no more security fixes released, end of life servers become a threat minefield, and traditional anti virus solutions alone are unable to provide sufficient protection against vulnerabilities which cannot be patched, which threat actors are quick to exploit.
In 2017 the WannaCry hack was able to infiltrate NHS devices via a weakness in a legacy network, infecting systems with ransomware. The hack impacted 200,000 PCs and cost the NHS a total of £92 million in lost appointments and subsequent remedial IT costs.
While NHS Trusts were warned about the potential vulnerabilities ahead of the attack, systems and the associated security were not updated in time and legacy Windows XP servers offered threat actors a way into the network, demanding a BitCoin payment from users. Leaving end of life systems in place is effectively opening the door to attacks of this nature, particularly considering threat actors’ awareness of these upcoming opportunities.
Financial losses
From a financial standpoint, while upgrading is undoubtedly onerous, the operating costs of running outdated systems shouldn’t be ignored. In a digitally interconnected corporate environment, as new solutions and tools are employed, the likelihood of breakdowns in legacy servers and workstations only increases. If an unsupported, business-critical application should fail, the cost of lost business and remedial action can far surpass that required to upgrade.
Although businesses may have legitimate reasons for seeking to continue use of end of life applications and devices (resource availability, budget limitations and interruptions to productivity being the main cited), as cyber attacks continue to develop in their sophistication and pace, the vulnerability of an unpatched, unsupported system should be considered the primary motivation in upgrading.
How can businesses protect themselves?
There are both short- and long-term approaches to mitigating the risk of end of life systems.
In the short term, if your business handles sensitive customer or client data, it’s essential that this information is ringfenced away from any legacy applications and devices. This approach can also work in reverse. Preventing affected devices from ever accessing potentially harmful content can also help to guard against attacks, effectively containing the vulnerability and minimising the reach of a threat. Restricting the network access of those devices which are no longer supported is a temporary fix and will afford businesses more time while updating as required.
Extended Security Updates are available via Microsoft, although this is ultimately just another temporary measure to remain secure, and should be considered as a means to buy time while preparing for the inevitable upgrades required to legacy systems.
Ultimately, the real solution to an end of life system is to upgrade dependant applications and services as necessary to continue to receive ongoing support and essential patches and fixes. However, where upgrading is unviable, there are robust security solutions available today that understand the intricacies of these vulnerabilities, which can deliver a reliably resistant security posture while your business upgrades.
For those with legacy systems which are currently, or soon to be, out of support, our Symantec Datacentre Security Service can securely ringfence affected systems and applications to minimise downtime and business disruption while maintaining compliance to security standards and fulfilling regulatory obligations. Threatscape has extensive experience in Symantec Datacentre Security across all sectors and a wide range of devices, not limited to: ATMs, CCTV, medical devices, application servers, industrial controls and more, including mass implementation projects impacting 10,000+ devices.
If you’re soon to be faced with the prospect of Windows Server 2012 end of life difficulties, please feel free to get in touch, and one of our expert account executives will contact you to discuss your specific circumstances.
