What security risks are there with SQL2008 and IIS 7.5

We had a security company do an audit and they are concerned about our SQL 2008 server end of life and our IIS 7.5 end of life. The server is 2008 R2. I was informed the only way to update the IIS server is to switch to a 2012 or newer server.

My question is what risk is there with these two pieces of software?
J.R. Sitman, IT Director, asked:
Martin Miller, CTO, commented:
J.R.

Your ultimate risk is system compromise and loss of data.

There is a large volume of vulnerabilities for this combo.

As an example for IIS 7.5...
https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3436/version_id-92758/Microsoft-IIS-7.5.html

There are several dedicated security sites with risk publicly noted, e.g.

https://www.us-cert.gov/ncas/alerts

If this system is on a public IP Address, I can probably crash it in 30 minutes or less.
btan, Exec Consultant, commented:
Mainstream Support for SQL Server 2008 and SQL Server 2008 R2 ended on July 8, 2014. Microsoft is ending support for these products, but Microsoft will continue to provide technical support, which also includes security updates, for the duration of extended support. The latter ends by 7/9/2019.

And as IIS comes with Windows, I imagine it has the same lifecycle as Windows. But as a whole, I see both SQL and IIS on, let's say, Windows Server 2008 R2 Service Pack 1 as having the same extended support as the OS, which is 1/14/2020.
https://support.microsoft.com/en-us/lifecycle/search?alpha=2008%20R2

So do plan early to migrate to a new platform. Meanwhile, check the hardening and conduct regular checks on the controls in place. The unpatched state leaves unnecessary exposure to an attacker's opportunistic attempts to exploit, and leads to outage or leakage. Even the hardening guideline or firewall filtering and NIPS checks serve only as mitigating controls to increase detection of exploits, but ultimately the fixes still need to be updated. And you can't do that if there are no further releases...
J.R. Sitman, IT Director (Author), commented:
Thanks for the info.  Not a public site.
J.R. Sitman, IT Director (Author), commented:
Where is the link to award points and close the question?
J.R. Sitman, IT Director (Author), commented:
Look at this post. The BEST and ASSISTED buttons are gone.
btan, Exec Consultant, commented:
I understand there may be some changes; may I request that you click on "report question" to alert a moderator for advice.
J.R. Sitman, IT Director (Author), commented:
OK.
btan, Exec Consultant, commented:
Much appreciated.
Maclean, System Engineer, commented:
https://blogs.msdn.microsoft.com/sqlreleaseservices/end-of-mainstream-support-for-sql-server-2008-and-sql-server-2008-r2/

You've got till 2019. As long as you keep deploying the Cumulative Updates and any further service packs, you will be fine till then, but after that security will become an issue: even if the server is not publicly accessible, malicious code from internally infected devices (smartphones or user systems) could exploit vulnerabilities no longer patched by MS.

https://technet.microsoft.com/en-us/library/ff803383.aspx 

Hence I would suggest you start looking at what options are available in the future to upgrade to a newer SQL version.
Easiest is a single SQL server with sufficient CPU & memory/licensing (Azure or local) and run the database in compatibility mode.
Just point apps to the new instances, etc. (Easier said than done at times, I know.)
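As an added example (not part of Maclean's comment or of any Microsoft documentation linked on this page), the T-SQL below shows the two checks a migration from a 2008 R2 instance usually starts with: confirming which build the instance is running, and listing each user database with its compatibility level. It then pins a restored database to compatibility level 100, which is the SQL Server 2008 / 2008 R2 level, so the application keeps 2008-era query behaviour on a newer, still-patched instance as suggested above. The database name `MyAppDb` is a placeholder; everything else uses standard SQL Server system functions and catalog views.

```sql
-- Added example: version check and SQL Server 2008 compatibility mode on a
-- newer instance. 'MyAppDb' is a placeholder database name.

-- 1. Confirm which build the instance is running.
--    ProductVersion 10.50.x = SQL Server 2008 R2, 11.x = 2012, 12.x = 2014, ...
--    ProductLevel shows RTM or the service pack applied.
SELECT SERVERPROPERTY('ProductVersion') AS ProductVersion,
       SERVERPROPERTY('ProductLevel')   AS ProductLevel,
       SERVERPROPERTY('Edition')        AS Edition;

-- 2. List every user database with its current compatibility level.
--    Level 100 = SQL Server 2008 / 2008 R2 behaviour.
--    database_id 1-4 are master, tempdb, model and msdb, so they are skipped.
SELECT name, compatibility_level, state_desc
FROM   sys.databases
WHERE  database_id > 4
ORDER  BY name;

-- 3. After restoring the backup on the new instance, keep the application's
--    T-SQL behaviour at the 2008 level until it has been tested at a higher one.
ALTER DATABASE MyAppDb SET COMPATIBILITY_LEVEL = 100;

-- 4. Verify that the change took effect.
SELECT name, compatibility_level
FROM   sys.databases
WHERE  name = 'MyAppDb';
```

Two points worth keeping in mind when reading the output: the compatibility level only governs query-engine behaviour for that database, so the security patches that matter come from the version of the instance hosting it, not from the level; and step 2 is a quick way to spot databases that were already left at an older level on the current server and will need the same treatment after the move.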
J.R. Sitman, IT Director (Author), commented:
Thanks to both. I guess you cannot split the points anymore. That is not a good improvement.