Any merchants or businesses handling payment and other sensitive data while using a Windows Server 2003 network will need to take precautions when Microsoft ends it support for that platform on July 14.
Data stored on servers tends to be critical for many business operations, making servers more attractive to criminals, said Karl Sigler, threat intelligence manager for Chicago-based security technology provider Trustwave.
Microsoft's end of life for Windows Server 2003 also raises concerns regarding other network operations, including access to the public Internet. By comparison, Microsoft's completion of servicing the Windows XP operating system in April 2014 affected single machines, such as an XP-based point of sale terminal, which when compromised can't do as much damage as a breached server, Sigler said.
When Microsoft ends support for a platform, it will no longer issuer regular security patches.
"Moving forward as security patches are no longer available, any part of the Windows 2003 server network would be vulnerable," Sigler said.
It is especially important for payments businesses to be aware of the server end-of-life because those businesses tend to work with many third-party vendors and often outsource IT support, Sigler said.
Banks and credit unions face the same potential risks if they operate on the server 2003 network, Sigler said.
"It's not enough to look at what you have in-house, which is a problem itself for a lot of organizations," Sigler added. "You also have to make sure and verify that any third party you deal with is doing the same due diligence. It is best to make sure that if they can't eliminate server 2003 completely by migrating to a new platform, they are at least taking steps to protect that platform moving forward."
Fraudsters are more interested in breaching a server because it holds far more access points to sensitive data. "They don't necessarily want your client browser history or whatever you are doing on your personal laptop, though that data has some value," Sigler said.
Instead, when criminals are on a server with connections to an entire network, "that can allow them to pivot to other systems in the network that may not be running 2003 but are now vulnerable because they have learned the passwords," Sigler said.
Trustwave recommends that businesses upgrade to Windows Server 2012, the most recent version of the operating system.
Many businesses will not be able to make that change because much of their hardware operates on Server 2003 and is more than a decade old, making it hard for it to communicate with the 2012 server.
For those companies, simply being aware of the risk and taking some precautions will be vital, Sigler said. "Using network filters that sit in front of the system and are filtering out malware, we call this virtual patching, will go a long way to keep firms secure that can't upgrade," he added.
Businesses that upgrade to a new server will find it worth their while in the long run, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"Those still relying on the 2003 server will want to add an upgrade to their near-term do to list," Conroy said. "The ROI for an upgrade is a pretty easy calculation when you take into account the increasing exposure they'll face, and the combination of fines and reputational risk associated with a breach."
Merchants or payment providers don't have to worry about an immediate onslaught of breaches related to the end of life of the 2003 server, but "every day that passes with the server unsupported will put those relying on it at greater risk," Conroy said.
Simply based on comfort level with a system, it won't be easy for many businesses to part with Windows Server 2003.
"It's a very robust and stable platform, one that IT staff feels comfortable working around," Sigler said.
But the age problem can't be overlooked, he added.
"It's just that it is 12 years old," Sigler said. "It's crickety and creaky, and it's definitely time to upgrade."