End of support for Microsoft Windows Server 2003

Download ACSC Protect, End of support for Microsoft Windows Server 2003 (250K PDF), February 2015

Introduction

  1. The Australian Signals Directorate's Strategies to Mitigate Targeted Cyber Intrusions ranks timely patching of operating system vulnerabilities and using the latest suitable operating system version as the third most effective strategy to mitigate targeted cyber intrusions.
  2. On 14 July 2015, Microsoft will end support for Microsoft Windows Server 2003. After this date, organisations will no longer receive patches for security vulnerabilities identified in this product. Adversaries may use these unpatched security vulnerabilities to target systems, increasing the likelihood of a successful targeted cyber intrusion.

Intended audience

  1. This advice is intended for organisations unable to upgrade from Microsoft Windows Server 2003 by 14 July 2015.

Scope

  1. This document is separated into:
    1. mitigation strategies for organisations operating an entire Microsoft Windows Server 2003 server fleet
    2. mitigation strategies for organisations that have limited remaining Microsoft Windows Server 2003 server deployments to support legacy business applications.

Recommendations

  1. ASD strongly recommends organisations using Microsoft Windows Server 2003 upgrade to a newer supported operating system such as Microsoft Windows Server 2012 R2 by 14 July 2015.
  2. Organisations unable to upgrade to a newer supported operating system by 14 July 2015 should review the risk assessment for their ICT environment and implement additional controls identified below to reduce their risk exposure.

Operating an entire fleet

  1. Organisations continuing to operate an entire Microsoft Windows Server 2003 server fleet beyond 14 July 2015 should implement the following host-based controls:
    1. Mitigation Strategy #1: Implement an application whitelisting solution, such as Software Restriction Policies (SRP). Application whitelisting, when implemented appropriately, can detect and prevent malicious code execution, network propagation and data exfiltration by an adversary.
    2. Mitigation Strategy #2: For unsupported native applications, either upgrade to supported versions or, if this is not possible, consider removing the application or using alternative applications to achieve similar business functionality. Each application upgraded, removed or replaced with an alternative generally reduces the attack surface of servers and can assist in preventing malicious code execution.
    3. Mitigation Strategy #3: Negotiate an extended support arrangement with Microsoft for the provision of patches for security vulnerabilities. While an extended support arrangement will not address all security vulnerabilities disclosed for legacy Microsoft applications, it will assist in reducing the attack surface of servers.
    4. Mitigation Strategy #4: Avoid using privileged accounts on servers for day-to-day activities. Instead, a low-privileged account should be used for all non-administrative activities and privileged accounts used strictly for administrative activities. Servers will soon be at a higher risk of being compromised due to unpatched vulnerabilities, and lack additional security functionality of newer Microsoft Windows Server versions to protect privileged account credentials from being captured by an adversary and used to propagate throughout a network.
    5. Mitigation Strategy #7: Implement Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Implementing EMET for applications that commonly interact with data from untrusted sources can reduce the risk of successful malicious code execution as well as assisting in the identification of such attempts.
    6. Mitigation Strategies #12 and #13: Implement a third-party software-based application firewall that performs both inbound and outbound filtering of traffic. A software-based application firewall can assist in detecting and preventing malicious code execution, network propagation and data exfiltration by an adversary.
    7. Mitigation Strategies #21, #24, #25 and #27: Apply basic hardening, where possible, to servers, software and all accounts including the use of a strong passphrase policy. Applying basic hardening principles, such as disabling unneeded functionality or common intrusion vectors such as autorun, SMB and NetBIOS services, can assist in preventing malicious code execution and network propagation by an adversary.
    8. Mitigation Strategies #22 and #30: Ensure antivirus applications continue to be supported by vendors. If support ceases from a vendor, switch to an alternative vendor that continues to offer support. The use of antivirus applications can assist in detecting and preventing malicious code execution.
  2. In addition to the above host-based controls, the following controls can be implemented to reduce the likelihood of malicious code reaching servers in the first place. These include:
    1. Mitigation Strategy #23: Prevent servers from directly accessing and being directly accessible from the Internet. By preventing servers from directly accessing and being directly accessible from the Internet, their exposure to untrusted content can be reduced. In cases where patches need to be applied to servers or their applications these should be downloaded from the Internet via alternative means and transferred by appropriate means to the server.
    2. Mitigation Strategy #26: Prevent users from connecting portable media to servers. By preventing portable media being connected to servers, the ability to introduce malicious code to vulnerable servers will be reduced.

Operating a limited deployment

  1. Organisations continuing to operate a limited Microsoft Windows Server 2003 deployment beyond 14 July 2015 to support legacy business applications should consider implementing the following controls:
    1. Mitigation Strategy #10: Isolate servers from other non-essential network services. This can reduce the risk of an adversary using a compromised server to propagate throughout a network and access other network resources.
    2. Mitigation Strategy #14: Virtualise servers and required applications from within a vendor-supported operating system e.g. Microsoft Windows Server 2012 R2. Using virtualised environments can hamper an adversary’s ability to extend their reach beyond the virtualised environment and propagate to other network resources.
    3. Mitigation Strategy #23: Prevent servers from directly accessing and being directly accessible from the Internet. By preventing servers from directly accessing and being directly accessible from the Internet, their exposure to untrusted content can be reduced. In cases where patches need to be applied to servers or their applications these should be downloaded from the Internet via alternative means and transferred by appropriate means to the server.

Additional considerations

  1. Independent of how Microsoft Windows Server 2003 servers are operated by organisations beyond 14 July 2015, additional controls can be implemented to assist in the identification and remediation of cyber intrusions. These include:
    1. Mitigation Strategies #15 and #16: Implement a robust centralised logging and auditing framework to capture and analyse both computer and network-based events. An appropriate auditing framework within an organisation can assist in identifying individual servers that may have been compromised as well as helping to tailor incident response measures to remove infected servers from an organisation's network.

Further information

  1. This document complements the advice listed in ASD's Strategies to Mitigate Targeted Cyber Intrusions.
  2. Further information on patching operating systems can be found in ASD’s Protect publication Assessing Security Vulnerabilities and Patches.

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.