With its end of life looming, it’s time now to consider upgrading server software
Brent Moore, Director of Client Services | Safe Systems
When Microsoft announced several years ago that it was ending its support of Windows XP effective April 8, 2014, it ended up being wakeup call for many in the banking industry. Most financial institution through the recession held on to hardware as long as possible, but no technology lasts forever. As time and product cycles march forward, the best thing we can do for our institutions is to keep up with the latest technology. If not for compatibility’s sake, then to keep our systems protected from malware and viruses that could lead to a modern day heist.
Now that the Windows XP end of life date has come and gone, it’s a great time to review how we handled it as an industry, and turn our attention to the next major product Microsoft plans to phase out: Windows Server 2003.
As a trusted technology partner to more than 600 bank and credit unions, Safe Systems supports more than 26,000 devices. Our NetComply managed services suite helps bankers monitor and maintain networked devices across their networks. In early 2013, Safe Systems began its initiative to prepare financial institution clients for the end of support for Windows XP. At the start of that project, we were managing around 9,000 Windows XP devices. We worked to educate clients on the date of expiration of support from Microsoft, and our professional services team helped many clients replace thousands of these devices. The regulators also pushed institutions to upgrade from Windows XP with both formal documentation in exam findings and alerts and notifications. However, by the time April 8, 2014 rolled around, over a thousand Windows XP machines in our customer base were still running XP. According to some reports, those institutions were not alone – globally between 15% and 25% of PCs were still running XP as of April 8. While that percentage was significantly lower among Safe Systems clients, some financial institutions fell behind on upgrades.
What happened? In some cases, institutions didn’t take Microsoft’s announcement seriously. This included not scheduling enough time to get the upgrades completed, not having adequate funds allocated to the project, and not realizing that companies like Safe Systems’ professional services calendars were booked out past the April 8, 2014 date.
As the date approached, Microsoft made it clear XP would no longer receive important patches and security updates. That put a squeeze on everyone to begin upgrades in the final months leading up to XP’s end of life. Getting an upgrade of that nature done can put a big strain on internal staff, and there are only so many providers who are capable of helping within a limited timeframe.
Server 2003 is Next
Microsoft Server 2003 support ends on July 14, 2015. Like XP before it, Microsoft has been clear in reminding businesses that, once support ends, there will no longer be any security updates or patches.
Replacing your workstations is one thing. Upgrading servers is an additional order of magnitude and complexity. When one or two workstations are down, business keeps going. It’s a different story when it comes to business critical network resources. According to data collected by Safe Systems, about 34% of banks and credit unions are still running Server 2003.
Financial institutions should begin preparations to replace any remaining servers that are running Microsoft Server 2003 as soon as possible. For those who found it difficult to line up resources during the replacement of Windows XP, planning ahead can help avoid some headaches. Upgrading sooner can help reduce costs, ensure availability and give you the necessary time to line up installation services.
As a reminder, end of support means Microsoft will no longer provide security updates or technical support for these operating systems. The discontinuation of security updates is the most notable change. It effectively means Microsoft will no longer patch vulnerabilities exploited by malware, which leaves these devices susceptible to attack. In addition, the inability to receive paid support could leave you in a precarious situation if a device has downtime and it provides a critical function.
The FFIEC release a joint statement on October 7, 2013 regarding end of support for Windows XP and although not specific to Server 2003 it can be applied to both. In this statement, the FFIEC wrote: “Potential problems include degradation in the delivery of various products and services, application incompatibilities, and increased potential for data theft and unauthorized addition deletions, and changes of data. Additionally, financial institutions and Technology Service Providers that are subject to the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and continue to use XP after April 8, 2014, may no longer be compliant.”
The statement goes on to reference the risk management guidance documented in the FFIEC IT Examination Handbook which recommends you should perform a risk assessment, select appropriate mitigations, conduct appropriate planning, and ongoing monitoring/reporting of the effectiveness of such controls reported to Senior Management or Board of Directors. Although the FFIEC doesn’t explicitly say replace these devices, you can effectively read between the lines and come to the conclusion that the risk is too great not to. You can review the entire statement at the following URL: http://ithandbook.ffiec.gov/media/154161/final_ffiec_statement_on_windows_xp.pdf.
Technology has come a long way since Server 2003 first rolled out. If you’re upgrading, consult with your consultants and your vendors to gauge what’s changed and how it can affect or enhance your institution’s network.
As a trusted advisor exclusively serving financial institutions, Safe Systems is available to help every step along the way. Whether you seek consultation on server hardware and software or assistance installing and configuring your network, Safe Systems’ experts are available to help. We have worked with more than 600 financial institutions and monitor more than 25,000 devices, and we understand the many considerations that go into providing secure, reliable IT.
The end of support for existing software and hardware is an opportunity to reevaluate your institution’s technology and how it supplements your mission as a bank or credit union. Each institution is different. Safe Systems’ experts work directly with your team to better understand and tailor a solution specific to your needs.