end-of-life windows 2003 security

avir used Ask the Experts™
Our organization is running our website on windows 2003 and preparing to migrate to Linux with a new website. Until then (could be another 6 - 10 months) and in this era of no Microsoft support for windows 2003, what security measures can we take to prevent security breaches and malware infections. Needless to say, the higher-ups are reluctant to invest money in a "lame duck" server.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
There is nothing you can do from a Microsoft perspective. All over.

See if a top name Antivirus (Symantec Endpoint Protection or as good top name) has a product that runs on Server 2003. That might help.

Put a hardware firewall in front of the server to prevent DDOS attacks and the like.

the hard way:
turn it off from time to time just to see them jump up and down as a reminder for the Investment and that it is out of service

more practically:
Hope you had patched the latest and Kept it running. Without Extended Support you are reall behind schedule. Monitor a vulnerabilities board to see which security fixes are published and if they apply for 2003. When the Situation becomes more severe, Report it upwards. Try to Speed it up and do it in 3 month, you should be ok then.

And try to get them involed in things. If they know ist easy to ignore you, they will probably do it more often.

An example: the board decided that Air conditioning is costly, so they erjected it. They approved for air circulation. On the hottest day we inverted the circulation to blow the outside air inside.
Next day: VOILA! Airco approved and get it installed ASAP!

Learn the code and stuff works man.

Good luck
Make the case to the business from a  risk point of view. Explain that you will be at risk from possible cyber attacks and ensure you have an email trail from yourself highlighting the risks and proving that you are raised concerns and so cannot be blamed in the event of an issue.

Make sure the server is patched as best you can. Ensure you have a good anti-virus product on the server.

Plug any security concerns on the server and ensure it is behind your corporate firewall etc.

Above all raise your concerns and so they can be traced.
OWASP: Threats Fundamentals

Learn the top ten threats that are present in modern web-application development and how to protect your business from them.


Thanks for the feedback.
You are welcome. But keep in mind, this is jus a small part of the whole
puzzle. Fixing a single instance in the security landscape normally does not
change too much.

Do you have an overview, where you stand

Backup (and where is it safely stored)
Access Rights
Antivirus of Systems
Client Security
Patch Management
Encrypted drives of management, salesforce / people travelling
Awareness to train the users
physical security
fire prevention
Uniterruptable Power
etc, etc ?

just a thought or two


Thanks for the extra thoughts. I'm supposed to have a meeting with our network manager and I will bring up these points.
I am sure he has the same issues with bringing those to the attention of the bosses, but if you are two and not alone, your situation has already dramatically improved (low cost :)

Good luck!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial