Windows Server 2003: Dangerous to use but still surprisingly popular

One in 10 web-facing computers is still running Microsoft Windows Server 2003, according to a report - despite the OS no longer being patched by Microsoft.

The number of web-facing computers running Windows Server 2003 has been on a gradual decline since its peak usage in 2011, but many servers are still using it.
Image: Netcraft

Hundreds of thousands of computers are still using the Windows Server 2003 operating system - despite it no longer being patched against hacks.

Internet services firm Netcraft found more than 600,000 web-facing computers, together hosting millions of websites, still running the OS that Microsoft ceased supporting in July this year.

The end of support means the OS no longer receives patches against viruses, spyware and other malware that might seek to exploit the system. The US Computer Emergency Readiness Team warns that those running Windows Server 2003 risk "loss of confidentiality, integrity, and or availability of data, system resources and business assets".

Despite these risks, Netcraft says 175 million websites - what it terms "one-fifth of the internet" - are hosted on machines running Windows Server 2003. The OS also appears to be in use on computers sitting behind web servers for a further 1.7 million sites.

The US and China together account for 55 percent of the machines running Windows Server 2003, with 166,000 in the US and 169,000 in China.

Paul Mutton, who works on security and investigations for Netcraft, said the unsupported nature of Windows Server 2003 makes it a tempting target for attackers - which is why it is important for firms to switch away from the OS as soon as possible.

"As time goes by, there will be some vulnerabilities that affect Windows Server 2003 and if those allow things like remote code execution and so on, we're likely to see a massive number of web-facing computers and a much larger number of websites getting hacked. These could then go on to distribute malware and even be made into botnets to enable other attacks.

"Of course, because Windows Server 2003 is now unsupported, those people who try to find vulnerabilities might even now be particularly focusing on this platform because they know it won't be fixed."

Windows Server 2012 R2 is the most recent version of Microsoft's server-targeted operating system - with a variety of options for licensing. In part, Netcraft blames the cost of moving to a more recent Microsoft OS for the proportion of machines still running Windows Server 2003.

"[That proportion] is over 10 percent of all web-facing computers, and shows the true potential cost of migration," the report states.

Moving a server to a Linux-based OS can be difficult for organisations that have traditionally used Windows Server, Mutton said, particularly if they rely heavily on scripts written for ASP.NET, Microsoft's server-side web application framework.

The report lists several major firms and banks still running Windows Server 2003 machines, including UK bank NatWest, part of the larger publicly-owned Royal Bank of Scotland (RBS).

However, while Microsoft is no longer supporting the OS for most users, it will offer fixes for the OS to organisations willing to pay for a custom-support deal.

Such a deal was recently struck by the US Navy, which agreed to pay at least $9m to Microsoft to provide ongoing support for Windows XP, Office 2003, Exchange 2003 and Server 2003. A spokesman for RBS said NatWest is also covered by a custom support deal with Microsoft that began in March this year.

Firms without such a custom support deal in place that use Windows Server 2003 to serve sites that handle financial information could be in breach of data security standards, according to Netcraft - which carries out security testing and assessments for companies.

Netcraft highlights Payment Card Industry Data Security Standard (PCI DSS) requirement 6.2, which requires "all system components and software to be protected from known vulnerabilities by installing vendor-supplied security patches".

The Netcraft report said: "Many merchants still using Windows Server 2003 are likely to be noncompliant and could face fines, increased transaction fees, reputational damage, or other potentially disastrous penalties such as cancelled accounts."

Microsoft advises several options for machines still running Windows Server 2003 - including switching to Windows Server 2012 R2 or its cloud platform Microsoft Azure. Microsoft also provides an interactive Windows Server 2003 Migration Planning Assistant.

Netcraft says it determines the operating system of web servers by analysing the low-level TCP/IP characteristics of response packets, and so its figures are independent of whichever server software the site claims to be running.
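To make that technique concrete, here is an added example of passive TCP/IP fingerprinting, written for this article rather than taken from Netcraft, whose actual classifier and signature database are not public. It parses the IPv4 and TCP headers of a captured SYN-ACK, extracts the characteristics that such classifiers typically rely on (initial TTL guessed from the observed TTL, the don't-fragment flag, the advertised window and the order of TCP options) and looks the result up in a small signature table. The signature values and the sample packets are constructed for illustration and are not validated fingerprints of any real OS; a defender inventorying their own web-facing hosts would swap in a maintained signature set. Note that, as the article says, none of this depends on the `Server` header a site advertises.

```python
"""Passive OS fingerprinting from TCP/IP response headers (added illustration).

Nothing here is Netcraft's code; the signature table holds CONSTRUCTED,
illustrative values only.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpFingerprint:
    observed_ttl: int   # TTL as seen in the response packet
    initial_ttl: int    # nearest common initial TTL at or above the observed one
    df: bool            # IP "don't fragment" flag
    window: int         # TCP advertised window
    options: tuple      # TCP option kinds in the order they appear


COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed: int) -> int:
    """Hosts start at a fixed TTL and each router hop decrements it."""
    for candidate in COMMON_INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    raise ValueError("TTL out of range")


def parse_ipv4_tcp(packet: bytes) -> TcpFingerprint:
    """Extract the fingerprint fields from a raw IPv4+TCP packet."""
    ver_ihl, _tos, _tlen, _ident, flags_frag, ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    df = bool(flags_frag & 0x4000)

    tcp = packet[ihl:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4
    opts = tcp[20:data_offset]

    # Walk the options list: kind 0 ends it, kind 1 (NOP) has no length byte.
    kinds = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            kinds.append(1)
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:
            raise ValueError("malformed TCP option")
        kinds.append(kind)
        i += length
    return TcpFingerprint(ttl, guess_initial_ttl(ttl), df, window, tuple(kinds))


# CONSTRUCTED signature table: (initial TTL, DF, window, option order) -> label.
SIGNATURES = {
    (128, True, 16384, (2, 1, 1, 4)): "legacy Windows family (illustrative signature)",
    (64, True, 29200, (2, 4, 8, 1, 3)): "modern Linux (illustrative signature)",
}


def classify(packet: bytes) -> str:
    fp = parse_ipv4_tcp(packet)
    return SIGNATURES.get((fp.initial_ttl, fp.df, fp.window, fp.options), "unknown")


def build_syn_ack(ttl: int, df: bool, window: int, options: bytes) -> bytes:
    """Construct a sample SYN-ACK (checksums left zero; only headers matter here)."""
    options = options + b"\x00" * (-len(options) % 4)   # pad to 32-bit boundary
    data_offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIHHHH", 443, 51234, 1000, 2000,
                      (data_offset << 12) | 0x12, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return ip + tcp


# Constructed samples: a host 12 hops away that started at TTL 128, and one at 64.
SAMPLE_LEGACY = build_syn_ack(116, True, 16384, b"\x02\x04\x05\xb4\x01\x01\x04\x02")
SAMPLE_LINUX = build_syn_ack(52, True, 29200,
                             b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07")

if __name__ == "__main__":
    for name, pkt in (("legacy", SAMPLE_LEGACY), ("linux", SAMPLE_LINUX)):
        print(name, parse_ipv4_tcp(pkt), "->", classify(pkt))
```

The value of the approach for a defender is that it works from traffic alone, so an unpatched legacy host that sits behind a load balancer or reports a misleading banner still stands out in an inventory sweep; the weakness is that middleboxes rewriting TTL or window values produce "unknown" or wrong matches, which is why real signature sets carry many variants per OS.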