Windows Server 2008 (SP2) & 2008 R2 (SP1) will reach End of Extended Support on 1/14/2020
Microsoft has announced the end of extended support date for Windows Server 2008 (service pack 2) and Windows Server 2008 R2 (Service Pack 1) is January 14th, 2020. For many organizations, this will be a major focus area for 2019 to ensure their environment remains protected moving into 2020. Organizations have options to choose from regarding their path forward into 2020, and I’ll outline the various routes companies can follow, starting with the worst option.
Option 1: Do nothing
Despite all the information we have available as to why this is a terrible idea, many organizations will still delay these upgrades to focus on other priorities or ignore the daunting task of upgrading all systems.
Organizations that do nothing and continue leveraging Windows Server 2008 & 2008 R2 past 1/14/2020 will not receive security updates or support from Microsoft. This can cause security and compliance issues and expose an organization’s application and business to security risks. I’ll give an example of what happened after the end of extended support on a previous OS, Windows Server 2003.
After the end of extended support for Windows Server 2003, security researchers at the South China University of Technology disclosed a buffer overflow in the IIS 6.0 WebDAV component (CVE-2017-7269), but Microsoft said it would not issue a patch, even though up to 600,000 servers could be running the unsupported software. According to a vulnerability researcher at Trend Micro, “A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND method. Successful exploitation could result in denial of service condition or arbitrary code execution in the context of the user running the application.”
Organizations choosing to leave these operating systems in place after 1/14/2020 need to compensate with additional controls around the host. The steps below reduce the exposure, but they do not remove it: the host itself will never receive another fix, so every unpatched vulnerability found after that date stays exploitable for as long as the server is reachable.
Multi-layer security: First things first, put a network firewall in front of the host and a web application firewall in front of any web-facing service it runs. The server still has to defend itself against whatever gets through, but these added lines of defense are what stand between an unpatchable vulnerability and the internet.
Go offline: Network isolation is a credible option for extending the lifespan of WS2008 & WS2008 R2. Isolating all Server 2008/2008 R2 instances from central services (and from each other) significantly reduces the risk of a breach spreading to or from them. If possible, cut off any connection to the internet unless absolutely necessary, in both directions: an unsupported host that cannot reach out is much harder to use as a foothold.
Access restriction and monitoring: As much as possible, limit physical and remote administrative access to the server while disabling non-critical services. Ensure logging is active, forward the logs off the box (a compromised unsupported host cannot be trusted to keep its own records), and check regularly for unauthorized access or suspicious activity.
Regular back-ups: This is not just a security consideration. Hardware old enough to still be running these releases fails more often, so regular backups will prevent extensive data loss. As often as possible, back up system data to an external system, and test that it restores. I’d also consider a secondary backup in the cloud; Microsoft’s Azure Backup service is a recommended location.
Application whitelisting: The opposite of application blacklisting, this process dictates the applications that have permission to run, rather than those that do not. Ensuring only permitted applications are active is an effective method for blunting zero-day exploits and other malware, since a payload that is dropped on disk still has to be allowed to execute. Windows Server 2008 R2 ships with AppLocker for this; Windows Server 2008 only has the older Software Restriction Policies.
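As an added example (not part of the original post), the following script applies the five steps above to a Windows Server 2008 R2 host that has to stay in service past end of support, using only tools that ship in the box (netsh, auditpol, wevtutil, wbadmin, AppLocker). It assumes a standalone host with a static address, a management network, a DNS server and an SMB backup target; all of those addresses, the service port and the file paths are hypothetical and need to be adjusted. Run it from an elevated PowerShell 2.0 prompt on the server.

```powershell
# Added example, not from the original post. Lock-down for a WS2008 R2 host kept past end of support.
# Hypothetical values, adjust for your environment:
$MgmtNet     = '10.10.0.0/24'              # jump hosts / admin workstations allowed to reach RDP
$DnsServer   = '10.10.0.2'                 # internal resolver (the only UDP/53 destination)
$BackupHost  = '10.10.0.5'                 # SMB backup target
$BackupDir   = '\\10.10.0.5\ws2008-backups'
$ServicePort = 443                         # the one service this box still offers

# --- 1. Multi-layer security / 2. Go offline: host firewall, default-deny in BOTH directions --------------
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule name="Allow service in"     dir=in  action=allow protocol=TCP localport=$ServicePort
netsh advfirewall firewall add rule name="Allow RDP from mgmt"  dir=in  action=allow protocol=TCP localport=3389 remoteip=$MgmtNet
netsh advfirewall firewall add rule name="Allow DNS out"        dir=out action=allow protocol=UDP remoteport=53  remoteip=$DnsServer
netsh advfirewall firewall add rule name="Allow backup SMB out" dir=out action=allow protocol=TCP remoteport=445 remoteip=$BackupHost
# Anything else, including the server trying to reach the internet, is dropped and written to pfirewall.log.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging maxfilesize 32767

# --- 3. Access restriction and monitoring ------------------------------------------------------------------
# Services assumed unneeded on this host (hypothetical list): print spooler and remote registry.
foreach ($svc in 'Spooler', 'RemoteRegistry') {
    Stop-Service $svc -Force
    Set-Service $svc -StartupType Disabled
}
# Audit logons, privilege use and process creation; enlarge the Security log so it is not overwritten before review.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
wevtutil sl Security /ms:1073741824        # 1 GiB; forward it off-box with your collector as well

# --- 4. Regular back-ups: nightly Windows Server Backup to the external share --------------------------------
# One-time: Import-Module ServerManager; Add-WindowsFeature Backup-Features
# (add -user:/-password: to wbadmin if the SYSTEM account cannot write to the share)
schtasks /create /tn "WS2008-Nightly-Backup" /sc daily /st 01:00 /ru SYSTEM /f `
    /tr "wbadmin start backup -backupTarget:$BackupDir -allCritical -systemState -vssFull -quiet"

# --- 5. Application whitelisting: AppLocker (2008 R2 and later) ----------------------------------------------
Import-Module AppLocker
Set-Service AppIDSvc -StartupType Automatic     # AppLocker does nothing unless Application Identity runs
Start-Service AppIDSvc
# Build the allow list from what is actually installed: publisher rules where files are signed, hashes otherwise.
# The scan of C:\Windows is slow; DLL rules are left out here because they need separate performance testing.
$files = @()
foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    $files += Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller `
                  -ErrorAction SilentlyContinue
}
$xml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize -Xml
# Start in AuditOnly: event 8003 records what WOULD have been blocked. Change to "Enabled" after review.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = "$env:SystemRoot\Temp\applocker-baseline.xml"
Set-Content -Path $policyPath -Value $xml
Set-AppLockerPolicy -XmlPolicy $policyPath

# --- Review: run after the first day and then regularly -------------------------------------------------------
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List          # failed logons
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List          # executables that enforcement would block
```

The order matters: the firewall rules and audit policy take effect immediately, but AppLocker is deliberately left in audit mode so that an incomplete allow list does not take the workload down; only after the 8003 events stop showing legitimate binaries should the enforcement mode in the XML be switched to Enabled and the policy re-applied.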
The business case for migrating off of Windows Server 2008/2008 R2 is strong: better security, maintained compliance, software compatibility, lower failure rates, energy efficiency, lower maintenance costs, and so on. Now that we have this option out of the way, we can focus on the options that are better for business.
Option 2: Purchase Extended Security Updates for On-Premises or Hosted Environments
For organizations that simply cannot upgrade all their WS2008/2008 R2 environments by 2020, Microsoft does provide Extended Security Updates to clients under specific circumstances.
According to the Extended Security Updates for SQL Server and Windows Server 2008/2008 R2 FAQ guide,
“Customers running SQL Server or Windows Server under licenses with active Software Assurance under an Enterprise Agreement (EA), Enterprise Subscription Agreement (EAS), or a Server and Cloud Enrollment (SCE), can purchase Extended Security Updates annually for three years after End of Support Date. Customers can purchase Extended Security Updates only for the servers they need to cover. Extended Security Updates can be purchased directly from Microsoft or a Microsoft Licensing Partner.”
This means Software Assurance customers can purchase Extended Security Updates on-premises under an Enterprise Agreement (EA), Enterprise Subscription Agreement (EAS), a Server & Cloud Enrollment (SCE), or an Enrollment for Education Solutions (EES). Software Assurance does not need to be on the same enrollment.
Extended Security Updates will be available for purchase beginning on March 1, 2019, and the delivery of the updates will begin immediately after the End of Support date.
What does this include for Windows Server 2008 & 2008 R2?
Extended Security Updates include provision of Security Updates and Bulletins rated “critical” and “important,” for a maximum of three years after January 14th, 2020.
- This offer does not include technical support, but you may use other Microsoft support plans to get assistance on your 2008 and 2008 R2 workloads covered by Extended Security Updates.
- This offer does not include new features, customer-requested non-security hotfixes, or design change requests. However, Microsoft may include non-security fixes as deemed necessary
- There is no retroactive effect for any update that the engineering teams declined in the past.
How much will Extended Security Updates cost for Windows Server 2008 & 2008R2?
- On-premises: Customers with active Software Assurance or subscription licenses can purchase Extended Security Updates for 75% of the EA, EAS, or SCE license
- Hosted environments: Customers who purchased Windows Server 2008 or 2008 R2 from a hoster will need to purchase Extended Security Updates directly from Microsoft or a Microsoft licensing partner for 75% of the full on-premises license cost annually for use in the hosted environment.
Customers that qualify must be on the latest Service Pack to get the Extended Security Updates. This option is costly—as you’re almost paying for the full cost of the licenses for the security updates—and while this route buys more time for an organization to complete their upgrades or migrations, they will still need to happen eventually.
For smaller organizations that do not have one of the prerequisite agreements (EA, EAS, or SCE), this option isn’t available, and is therefore off the table.
Option 3: Rehost your workloads in Azure with Extended Security Updates (without upgrading OS)
Customers who move WS2008 and WS2008 R2 workloads to Azure Virtual Machines (IaaS) “as-is” will have access to Extended Security Updates for three years after the End of Support date for free.
Eligible customers can use the Azure Hybrid Benefit (available to customers with active Software Assurance or Server Subscriptions) to obtain discounts on the license of Azure Virtual Machines (IaaS).
This option is a viable solution for organizations of any size that are not capable of upgrading their operating systems before 2020. It provides the same three years of Extended Security Updates as the previous option without the additional licensing costs.
Additionally, should the organization truly need to host these workloads on premises in the long run, this could buy some time to prepare for a move to Windows Server 2016 or 2019 on premises once fully ready while the workloads are hosted temporarily.
Microsoft provides great tools for properly assessing your workloads before migrating to ensure minimal business impact, as well as migration guidelines for smooth transitions.
Option 4: Upgrade On-Premises (or hosted) Workloads
This option is the best option for organizations with workloads that are best suited to remain locally hosted, especially if an organization has active Software Assurance.
Certain technological and business drivers lead to workloads performing best on premises, whether that’s low bandwidth availability in a region, high performance computing requirements, regulatory reasons, or costs of hosting certain applications in a public cloud.
For these workloads, upgrading to the newest operating system, WS2019, is the best option.
Windows Server 2019 Key Features
Windows Server 2019 has significant improvements for workloads coming from WS2008/2008 R2, a few of which I’ll highlight:
- System Insights: predictive analytics that use a machine-learning model to locally analyze Windows Server system data, to help reduce the operational expenses associated with reactively managing issues
- Server Core App Compatibility feature on demand: increases the functionality and compatibility of Server Core while keeping it as lean as possible
- Enterprise-grade hyperconverged infrastructure: while this is the culmination of many updates, WS2019’s HCI platform allows a fleet of servers running Hyper-V to increase or decrease capacity for workloads dynamically, without downtime.
- Security improvements with Windows Defender Advanced Threat Protection (ATP) & Windows Defender ATP Exploit Guard: the deep platform sensors and response actions expose memory- and kernel-level attacks and respond by suppressing malicious files and terminating malicious processes. Windows Defender ATP Exploit Guard is a new set of host-intrusion prevention capabilities; its four components, outlined below, are designed to lock down the host against a wide variety of attack vectors and block behaviors commonly used in malware attacks.
- Attack Surface Reduction (ASR) is a set of rules that enterprises can enable to keep malware off the machine by blocking suspicious file types (for example, executable content dropped by Office applications), scripts, lateral movement, ransomware behavior, and email-based threats. Each rule can run in audit mode before it is enforced.
- Network protection protects the endpoint against web-based threats by blocking outbound connections from any process to hosts or IP addresses that Windows Defender SmartScreen rates as untrusted, not only connections made by the browser.
- Controlled folder access protects sensitive data from ransomware by blocking untrusted processes from writing to your protected folders; applications that legitimately need access are added to an allow list.
- Exploit protection is a set of mitigations for vulnerability exploits (replacing EMET) that can be configured system-wide or per process to protect your system and applications.
- Smaller, more efficient containers: WS2019 has a leaner Server Core container image that cuts overhead by 50-80%, lowering hardware costs and improving efficiency.
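As an added example (not part of the original post), here is how the four Exploit Guard components above are turned on from an elevated PowerShell prompt on a Windows Server 2019 host, starting in audit mode, followed by the commands that verify the configuration and read the events that show what enforcement would have blocked. The ASR rule GUIDs are Microsoft’s published identifiers; the protected folder, the service binary and the export path are hypothetical.

```powershell
# Added example, not from the original post: Exploit Guard on Windows Server 2019.
# Requires Windows Defender Antivirus with real-time protection enabled; run elevated.

# --- 1. Attack Surface Reduction: a starting rule set (GUIDs published by Microsoft) ----------------------------
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}
# AuditMode first; switch to Enabled once the 1122 (audit) events show no legitimate activity being flagged.
# The PSExec/WMI rule in particular conflicts with some management agents, so watch it before enforcing.
$mode = 'AuditMode'
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
}

# --- 2. Network protection: SmartScreen reputation applied to every outbound connection, not just the browser ---
Set-MpPreference -EnableNetworkProtection AuditMode

# --- 3. Controlled folder access: protect the data directory, allow the one service that writes to it -----------
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\AppData'           # hypothetical data path
Add-MpPreference -ControlledFolderAccessAllowedApplications 'D:\App\svc.exe'    # hypothetical service binary

# --- 4. Exploit protection: system-wide mitigations (EMET's successor) plus a per-process override ---------------
Set-ProcessMitigation -System -Enable DEP, SEHOP, BottomUp, HighEntropy, CFG
Set-ProcessMitigation -Name svc.exe -Enable ForceRelocateImages, DisableExtensionPoints   # hypothetical service
# Export the resulting settings so other hosts can import them with Set-ProcessMitigation -PolicyFilePath.
Get-ProcessMitigation -RegistryConfigFilePath "$env:TEMP\exploit-protection.xml"

# --- 5. Verify, then read the Exploit Guard events from the Windows Defender operational log --------------------
#   1121 ASR blocked / 1122 ASR audited, 1123 CFA blocked / 1124 CFA audited,
#   1125 network protection audited / 1126 network protection blocked
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
                                 EnableNetworkProtection, EnableControlledFolderAccess
Get-ProcessMitigation -System
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 1123, 1124, 1125, 1126
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Audit mode is the point of the exercise: every one of these controls can break a legitimate workload (an in-house installer spawned by an Office add-in, a service that writes into a protected folder, a legacy binary that is not compatible with CFG), and the 112x events are the evidence needed to decide what to exclude before moving each control to Enabled.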
Option 5: Rehost your workloads in Azure & Upgrade OS or rewrite using Azure PaaS
This option is ideal for organizations that have strong cloud strategy goals and view technology more as a business differentiator than a cost center.
Many organizations look at these upgrade times as a great impending event to finally make the migration up to Azure and leverage some of the benefits their licensing entitles them to.
For lift-and-shift IaaS workloads, there are options available to reduce costs and leverage prior investments.
Azure Hybrid Benefit Program
Azure Hybrid Benefit program allows organizations with active software assurance on Windows Server licenses or using Windows Server subscriptions to essentially “bring your own license,” reducing the operational cost of the VMs. Depending on the edition, you can convert or re-use your licenses to run Windows Server VMs in Azure and pay a lower base compute rate. More information on Azure Hybrid Benefit can be found here.
Azure Reserved Instances
Another avenue for cost savings is by leveraging Azure Reserved VM Instances (RIs). What this essentially means is you prepay for Virtual Machines on a 1-year or 3-year term at a discount. For static workloads with predictable resource requirements, this is a no-brainer to implement to reduce costs.
For more dynamic workloads that need the ability to adapt to higher resource demands, you can simplify and automate the management of Azure RI’s that can automatically apply the RI’s to other VM sizes within the same group and region, so your VM’s can scale up as needed without eliminating the cost savings. For more information on RIs, see here.
Rewriting Using Azure PaaS
Rewriting a workload from IaaS to PaaS is a far more intensive process, but the benefits can be significant.
Where IaaS provides the datacenter physical plant, networking, firewalls, security, servers and storage, PaaS also includes the operating systems, development tools, database management, and business analytics. PaaS therefore lets you avoid the expense and complexity of buying and managing software licenses, the underlying application infrastructure and middleware, the development tools, and other resources. You manage the applications and services you develop, and the cloud service provider typically manages everything else, including patching the operating system, which is the problem this whole article is about.
Thorough planning needs to be conducted to determine if your workload is best handled as IaaS, PaaS, or a mix of both. Microsoft publishes a large set of reference architectures to help organizations compare their current practices against recommended designs. Also, this technical case study outlines how Somerset County Council was able to migrate an on-premises solution to Azure PaaS services and is a great article to show the process.
How to Make the Choice
Determining the optimal route for your workloads can be challenging, both from a technological approach as well as total cost of ownership. Let PEI assist in analyzing your workloads and building out the best roadmap for your organization. Please reach out to firstname.lastname@example.org, and we will begin planning the path to your success.
Martin Feehan, Director of Client Relations