How To Avoid Risks Ahead Of The End Of Windows Server 2008
As of January 14, 2020, a significant share of desktop computers and Windows servers worldwide will no longer be protected by Microsoft. The next time an attacker finds a vulnerability that affects these machines, no patch will be provided, and the business systems will be unprotected. This affects Windows Server 2008 R2, Windows Server 2008, and Windows 7.
The potential impact is difficult to estimate, but it could be of enormous scope. Some estimates suggest that Windows Server 2008 and 2008 R2 still account for almost a third of all server machines running worldwide. And despite being more than a decade old, these operating systems are still used extensively, as evidenced by a recent survey of customers of Guardicore, a leader in data center and cloud security.
Microsoft offers organizations several options to manage the end of life of these operating systems. The first and best option is to upgrade to Windows 10 and Windows Server 2016, both with many years of support ahead. Alternatively, organizations can contract customized security solutions with Microsoft, an offer that is probably expensive. Depending on the business relationship with Microsoft and the specific operating system, the cost can reach €200 per machine per year. And although Microsoft will offer this extended support for free to companies that migrate to Azure, that migration itself carries additional implications.
The Reality Is That Many Organizations Cannot Do Without Windows Server 2008
However, the fact is that many organizations cannot immediately upgrade their unsupported systems for a variety of reasons, from regulatory issues and certification requirements to lack of budget or the existence of legacy software. The upgrade process is also usually long, which leaves the network exposed in the meantime. Solutions are therefore needed that can protect the systems during this transition period, which can last for years.
Organizations in this situation should not panic, because they can still limit the risks even if they do not update or migrate the systems immediately. By taking some additional precautions, organizations can effectively protect their networks and limit exposure while they continue to evaluate the best long-term course of action.
At Guardicore, we recommend taking these 5 measures:
- To begin, we encourage organizations to apply best practice guides for Windows Server 2008 R2 and Windows 7. Microsoft always publishes such guidelines as part of the Microsoft Baseline Security Analyzer.
- Whenever possible, disable SMBv1 and enable SMBv2 message signing. This will prevent many lateral movement attacks, including all attacks that use the EternalBlue family of vulnerabilities and many techniques that take advantage of NTLM relay.
- Change network authentication settings to block the use of old and weak authentication methods, such as NTLMv1 and LanMan. This will prevent many token theft attacks used by popular tools like Mimikatz.
- To assist investigations into future security incidents and reduce the risk of logs being tampered with, we recommend that you forward all event logs to a centralized and protected server. Microsoft offers guidance on this, and Palantir provides many examples and helper programs.
- Segment to reinforce security: take advantage of segmentation to limit an attacker's options for lateral movement. By segmenting the network into logical parts, organizations can reduce the attack surface and reduce the risk of being compromised. For example, in most corporate networks, corporate machines do not need to communicate with each other. With micro-segmentation, traffic between machines within the same segment can be easily blocked, preventing rapid lateral movement.
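
The SMB and NTLM measures above can be checked per machine with a read-only audit like the following, an added example that is not Guardicore or Microsoft tooling. It is written for PowerShell 2.0 (the version shipped with Windows Server 2008 R2 and Windows 7), and the target values are an assumption about how to read those two measures: SMBv1 off, signing required, NTLMv2 only.

```powershell
# Added example: read-only audit of the SMB and NTLM hardening measures.
# Changes nothing; it only reads the registry and reports each value.
# Expected values are assumptions derived from the measures in the list above.
$lanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lanmanClient = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$lsa          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$checks = @(
    @{ Name = 'SMBv1 server disabled';       Path = $lanmanServer; Value = 'SMB1';                     Want = 0 },
    @{ Name = 'SMB server requires signing'; Path = $lanmanServer; Value = 'RequireSecuritySignature'; Want = 1 },
    @{ Name = 'SMB client requires signing'; Path = $lanmanClient; Value = 'RequireSecuritySignature'; Want = 1 },
    # Start = 4 means the SMBv1 client driver is disabled
    @{ Name = 'SMBv1 client driver disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'; Value = 'Start'; Want = 4 },
    # Level 5 = send NTLMv2 responses only, refuse LM and NTLMv1
    @{ Name = 'NTLMv2 only (LM/NTLMv1 refused)'; Path = $lsa; Value = 'LmCompatibilityLevel'; Want = 5 },
    @{ Name = 'LM hashes not stored';            Path = $lsa; Value = 'NoLMHash';             Want = 1 }
)

$results = foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        # Value absent: the machine relies on the OS default, so flag it for review
        $actual = $null
        $status = 'NOT SET'
    } else {
        $actual = $item.($c.Value)
        if ($actual -eq $c.Want) { $status = 'OK' } else { $status = 'FAIL' }
    }
    New-Object PSObject -Property @{
        Check = $c.Name; Expected = $c.Want; Actual = $actual; Status = $status
    }
}

$results | Select-Object Check, Expected, Actual, Status | Format-Table -AutoSize

$open = @($results | Where-Object { $_.Status -ne 'OK' }).Count
Write-Output ("{0} of {1} checks need attention on {2}" -f $open, $checks.Count, $env:COMPUTERNAME)
```

Values set through Group Policy appear in the same registry locations, so the audit reflects the effective setting either way; requiring signing or refusing NTLMv1 can break older clients, so review the results before enforcing anything.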
While the use of unsupported systems is never a recommended practice, with careful planning and a combination of tools, you can significantly reduce the risk of using these obsolete systems while planning an update.
A combination of Microsoft and Guardicore tools can help the company be prepared for, and protected against, the end of life of Windows Server 2008 R2, Windows Server 2008, and Windows 7.