Microsoft Windows Server 2003 End of Life

June 1, 2015

Background

Effective July 14th, 2015, Microsoft is discontinuing extended support for its Windows Server 2003 operating system. After July 14th, 2015, Microsoft will release no further security patches for this operating system. For more information please see:

http://www.microsoft.com/en-us/server-cloud/products/windows-server-2003/

There is a tremendous risk in allowing unsupported Windows operating systems to remain on the campus network after end of support. Without security patches for newly discovered vulnerabilities, Windows Server 2003 systems will be easy targets: any vulnerability disclosed after that date stays exploitable indefinitely, and attackers can reuse the same exploit against every unpatched server with minimal effort. Industry experts generally agree that widespread exploitation of unpatched Windows Server 2003 systems is very likely after July 14th, 2015.

Enforcement of campus Minimum Security Standards for Windows Server 2003 systems

Campus Minimum Security Standards for Networked Devices (MSSND) require that devices connected to the campus network only run software for which security patches are made available in a timely fashion. After July 14th, Windows Server 2003 will no longer be in compliance with MSSND. This long-standing policy is in place to ensure the security of institutional data, and to ensure the network remains usable for the entire campus community.

Beginning June 2015, Information Security and Policy (ISP) will send email notices to the responsible individual or group for Windows Server 2003 systems connected to the campus network, asking that these devices be upgraded to a supported operating system or else removed from the network.

Starting August 1st, 2015, ISP will begin escalating unresolved vulnerability notices for Windows Server 2003 to blocks from the campus network.

All unsupported Windows Server 2003 devices seen on the campus network will be subject to this enforcement action.

Options for systems currently running Windows Server 2003

If you support systems currently running Windows Server 2003, here are your options for remaining connected to the campus network after July 14th, 2015:

  1. Upgrade to a supported operating system. Upgrades to Windows Server 2008 and 2012 are available to departments free of charge under our Microsoft licensing agreement. For information on obtaining Microsoft software, please see https://software.berkeley.edu/microsoft

  2. File an MSS Exception Request. Due to the risk of leaving an unsupported server operating system on the campus network, we will be granting exception requests only under limited circumstances (see below for details).

  3. Retire the system. If the services running on the Windows Server 2003 system are no longer necessary, or can be consolidated on to other servers, remove the server from the campus network.

  4. Purchase an extended support contract from Microsoft. Under this contract, Microsoft will continue to provide security updates and other hotfixes for an additional year. There is a significant cost associated with this option. For information on purchasing an extended support contract, please contact security@berkeley.edu.

Minimum Security Standards exception requests for Windows Server 2003

For exceptional circumstances requiring Windows Server 2003 to remain on the campus network past July 14th, 2015 without an extended support contract, an exception request must be submitted and an exception to campus policy obtained. The exception allows the Windows Server 2003 system to remain on the network for the specified period of time, provided that all the required compensating controls (described below) are maintained. Compensating controls stand in for a patched operating system by reducing the server's exposure; they do not remove the underlying vulnerabilities. In all cases, compensating controls must be implemented before the exception is granted.

The following minimal conditions must be met in order to obtain an MSS exception to use Windows Server 2003 on the campus network after July 14th, 2015 (unless an extended support contract is obtained):

  • The server must be tracked in an inventory control system, including physical location, network identity, and primary administrator

  • The server must be running the latest available Service Pack and security updates for this platform

  • Firewalls or other controls must be used to restrict both inbound and outbound network traffic to a minimal list of devices required to communicate with the server. Note that the Windows Firewall built into Windows Server 2003 filters inbound traffic only; restricting outbound traffic requires an IPsec policy on the host, a third-party host firewall, or a network firewall in front of the server.

  • The server must be used only for the minimal purposes for which it is required, and never for services accessible to the general Internet, web browsing, or any casual use
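As an added illustration, not part of the original campus notice, the following cmd script implements the inbound and outbound allow-list required above using the netsh ipsec static context that ships with Windows Server 2003. It relies on the Windows IPsec rule that the most specific matching filter wins, so a catch-all block filter combined with narrow permit filters behaves as an allow-list. The host addresses, client subnet, and port numbers are placeholders chosen for the example and must be replaced with the real peers recorded in the server's inventory entry.

```batch
@echo off
rem Added example, not from the campus notice. Builds an IPsec allow-list
rem policy on Windows Server 2003 with "netsh ipsec static". Windows IPsec
rem applies the MOST SPECIFIC matching filter, so one catch-all block filter
rem plus narrow permit filters yields an allow-list in both directions.
rem All addresses and ports below are placeholders for this example.

set ADMIN_HOST=192.0.2.10
set BACKUP_HOST=192.0.2.20
set BACKUP_PORT=10000
set DC_HOST=192.0.2.30
set CLIENT_NET=198.51.100.0
set CLIENT_MASK=255.255.255.0
set APP_PORT=1433

rem 1. Policy container
netsh ipsec static add policy name="WS2003-AllowList" description="Compensating control for unpatched Windows Server 2003"

rem 2. Catch-all filter: all traffic to and from this host (mirrored covers both directions)
netsh ipsec static add filterlist name="All-Traffic"
netsh ipsec static add filter filterlist="All-Traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes

rem 3. Narrow permit filters for the minimal set of peers (srcport=0 means any port)
netsh ipsec static add filterlist name="Permitted-Peers"
rem Remote Desktop from one administrative workstation only
netsh ipsec static add filter filterlist="Permitted-Peers" srcaddr=%ADMIN_HOST% dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes
rem Backup agent to one backup server (port is an assumption; use your product's port)
netsh ipsec static add filter filterlist="Permitted-Peers" srcaddr=me dstaddr=%BACKUP_HOST% protocol=TCP srcport=0 dstport=%BACKUP_PORT% mirrored=yes
rem Domain controller: Server 2003 does not exempt Kerberos from IPsec by default,
rem so a domain-joined server must permit its DCs or authentication breaks
netsh ipsec static add filter filterlist="Permitted-Peers" srcaddr=me dstaddr=%DC_HOST% protocol=ANY mirrored=yes
rem The single application port the server exists to serve, from one client subnet
netsh ipsec static add filter filterlist="Permitted-Peers" srcaddr=%CLIENT_NET% srcmask=%CLIENT_MASK% dstaddr=me protocol=TCP srcport=0 dstport=%APP_PORT% mirrored=yes

rem 4. Filter actions
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem 5. Rules bind each filter list to an action inside the policy
netsh ipsec static add rule name="Block-Everything" policy="WS2003-AllowList" filterlist="All-Traffic" filteraction="Block"
netsh ipsec static add rule name="Permit-Peers" policy="WS2003-AllowList" filterlist="Permitted-Peers" filteraction="Permit"

rem 6. Assign (activate) the policy. Run this from the console, not over RDP,
rem until you have confirmed the administrative host can still reach the server.
netsh ipsec static set policy name="WS2003-AllowList" assign=y

rem 7. Review the active policy
netsh ipsec static show policy name="WS2003-AllowList" level=verbose
```

Before assigning the policy, confirm from the server console that every peer on the inventory list is covered by a permit filter (DNS, NTP, and monitoring hosts are the usual omissions); anything not permitted, including the server's own outbound web browsing, is blocked, which is exactly what the compensating control requires.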

Exception requests should be limited to the amount of time necessary to bring the system into compliance, with a maximum length of one year. After one year the system must be in compliance, unless there are compelling reasons why an extension to the exception should be granted.

To submit an MSS exception request for Windows Server 2003: https://security.berkeley.edu/MinStdsException.html. Be sure to include all the required information described above in your request.

Data Classification

Data classification is the starting point for how security risk is evaluated. Not all data requires the same level of protection. Public data requires very little, whereas personally-identifiable data such as social security numbers requires considerable protective measures.

The campus data classification standard ranks data from protection level 0 (low impact in the event of unauthorized disclosure) to protection level 3 (extreme impact). Protection level 0 data requires the fewest protective measures, whereas protection level 3 data requires the most. Computing devices, such as Windows Server machines, are classified according to the highest protection level of data they store, process or transmit. For example, if a Windows Server is mostly used for sharing public information (protection level 0), but it also holds spreadsheets with social security numbers (protection level 2), then the Windows Server is considered protection level 2.

Data subject to external regulation, such as PCI cardholder data or HIPAA-protected health information, is not eligible for exceptions. No exceptions will be granted for systems handling such regulated data.

If you anticipate the need for keeping a Windows Server 2003 server handling protection level 2 data on the campus network past end of support, please contact us (security@berkeley.edu) as soon as possible to discuss options.

More information on the data classification standard for campus is available at: https://security.berkeley.edu/content/draft-data-classification-standard

Summary

  • All Windows Server 2003 systems must be upgraded, covered under a paid support contract, or removed from the campus network by July 14th, 2015.

  • Under specific circumstances with strict compensating controls, an MSS exception request to keep Windows Server 2003 systems on the campus network may be granted.

  • If you support Windows Server 2003 systems that handle data classified as protection level 2, contact security@berkeley.edu.

For any questions, comments, or concerns about this policy or enforcement practices, contact security@berkeley.edu.