What security risks are there with SQL2008 and IIS 7.5

We had a security company do an audit and they are concerned about our SQL2008 server end of life and our IIS 7.5 end of life.   The server is 2008 R2.  I was informed the only way to update the IIS server is to switch to a 2012 or new server.

My question is what risk is there with these two pieces of software?
J.R. Sitman, IT Director, asked:
btan, Exec Consultant, commented:
Mainstream Support for SQL Server 2008 and SQL Server 2008 R2 ended on July 8, 2014. Microsoft is ending support for these products, but Microsoft will continue to provide technical support, which also includes security updates, for the duration of extended support. The latter ends on 7/9/2019.

And as IIS comes with Windows, I imagine it has the same lifecycle as Windows. But as a whole, I see both SQL and IIS in, let's say, Windows Server 2008 R2 Service Pack 1 have the same extended support as the OS, which ends 1/14/2020.
https://support.microsoft.com/en-us/lifecycle/search?alpha=2008%20R2

So do plan early to migrate to a new platform. Meanwhile, check the hardening and conduct regular checks on the controls in place. The unpatched state leaves unnecessary exposure to attackers' opportunistic attempts to exploit, and leads to outage or leakage. Even the hardening guideline or firewall filtering and NIPS checks serve only as mitigating controls to increase detection of exploits, but ultimately the fixes still need to be applied. And you can't do that if there are no further releases...
0
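As an added example (not code from btan's post, the question author, or Microsoft), the following Python script turns the string an instance reports via `@@VERSION` or `SERVERPROPERTY('ProductVersion')` into the installed service pack and the number of days of extended support left, using the lifecycle dates quoted above and Microsoft's published service-pack base builds (for example 10.50.6000 is SQL Server 2008 R2 SP3, 10.0.6000 is SQL Server 2008 SP4). It also reports the matching date for IIS 7.5, which has no lifecycle of its own and ends with Windows Server 2008 R2 SP1. The version strings and the audit date inside it are constructed for the demonstration, not taken from the thread.

```python
"""Classify SQL Server 2008 / 2008 R2 builds and lifecycle state.

Added example, not from the thread. Build thresholds are the service-pack
base builds Microsoft publishes; lifecycle dates are the ones cited in the
thread. The sample version strings and the audit date are constructed.
"""
import re
from datetime import date

# Service-pack base builds (third component of major.minor.build.rev).
# A cumulative update always has a build >= its service pack's base build,
# so the highest base <= the reported build is the installed SP.
SP_BASE_BUILDS = {
    (10, 0):  [("RTM", 1600), ("SP1", 2531), ("SP2", 4000), ("SP3", 5500), ("SP4", 6000)],  # SQL Server 2008
    (10, 50): [("RTM", 1600), ("SP1", 2500), ("SP2", 4000), ("SP3", 6000)],                 # SQL Server 2008 R2
}
PRODUCT_NAME = {(10, 0): "SQL Server 2008", (10, 50): "SQL Server 2008 R2"}

# Lifecycle dates quoted in the thread (Microsoft lifecycle pages).
SQL2008_MAINSTREAM_END = date(2014, 7, 8)
SQL2008_EXTENDED_END = date(2019, 7, 9)
WIN2008R2_SP1_EXTENDED_END = date(2020, 1, 14)  # IIS 7.5 ships with the OS and follows this date

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_build(version_string):
    """Return (major, minor, build) from a @@VERSION or ProductVersion string."""
    m = VERSION_RE.search(version_string)
    if m is None:
        raise ValueError("no four-part build number in: %r" % version_string)
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def service_pack_level(major, minor, build):
    """Map a build to its service-pack name, or None for an unknown product line."""
    bases = SP_BASE_BUILDS.get((major, minor))
    if bases is None:
        return None
    level = None
    for name, base in bases:
        if build >= base:
            level = name
    return level


def assess_sql(version_string, as_of):
    """Summarise patch level and support status of a 2008-family instance on a given date."""
    major, minor, build = parse_build(version_string)
    key = (major, minor)
    if key not in SP_BASE_BUILDS:
        return {"product": None, "sp": None, "days_left": None,
                "findings": ["not a SQL Server 2008 / 2008 R2 build: %d.%d.%d" % (major, minor, build)]}
    sp = service_pack_level(major, minor, build)
    final_sp = SP_BASE_BUILDS[key][-1][0]
    days_left = (SQL2008_EXTENDED_END - as_of).days
    findings = []
    if sp != final_sp:
        findings.append("on %s, not the final service pack (%s); security updates target the latest SP"
                        % (sp, final_sp))
    if days_left < 0:
        findings.append("extended support ended %s: no security updates will be released" % SQL2008_EXTENDED_END)
    elif as_of > SQL2008_MAINSTREAM_END:
        findings.append("extended support only (security updates, no non-security fixes), %d days left" % days_left)
    return {"product": PRODUCT_NAME[key], "sp": sp, "days_left": days_left, "findings": findings}


def iis75_days_left(as_of):
    """IIS 7.5 has no separate lifecycle; it ends with Windows Server 2008 R2 SP1."""
    return (WIN2008R2_SP1_EXTENDED_END - as_of).days


if __name__ == "__main__":
    # Constructed strings in the shape @@VERSION returns; not real hosts.
    samples = [
        "Microsoft SQL Server 2008 R2 (SP3) - 10.50.6000.34 (X64)",
        "Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)",
        "Microsoft SQL Server 2008 (SP3) - 10.0.5500.0 (X64)",
    ]
    today = date(2017, 6, 1)  # assumed audit date for the demo
    for s in samples:
        r = assess_sql(s, today)
        print(r["product"], r["sp"], r["days_left"], "days of extended support left")
        for f in r["findings"]:
            print("  -", f)
    print("IIS 7.5 / Windows Server 2008 R2 SP1:", iis75_days_left(today), "days left")
```

Feed it the output of `SELECT @@VERSION` from each instance the audit flagged; an instance below the final service pack is the first thing to fix, since Microsoft's remaining security updates for the 2008 family are built against the latest SP only.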
 
Martin Miller, CTO, commented:
J.R.

Your ultimate risk is a compromise between system and loss of data.

There is a large volume of vulnerabilities for this combo.

As an example for IIS 7.5...
https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3436/version_id-92758/Microsoft-IIS-7.5.html

There are several dedicated security sites with risk publicly noted, e.g.

https://www.us-cert.gov/ncas/alerts

If this system is on a public IP Address, I can probably crash it in 30 minutes or less.
0
 
J.R. Sitman, IT Director (author), commented:
Thanks for the info.  Not a public site.
0
 
J.R. Sitman, IT Director (author), commented:
where is the link to award points and close the question?
0
 
btan, Exec Consultant, commented:
0
 
J.R. Sitman, IT Director (author), commented:
Look at this post. The BEST and ASSISTED buttons are gone.
0
 
btan, Exec Consultant, commented:
I understand there may be some changes; may I request that you click on "report question" to alert a moderator for advice.
0
 
J.R. Sitman, IT Director (author), commented:
ok
0
 
btan, Exec Consultant, commented:
Much appreciated.
0
 
Maclean, System Engineer, commented:
https://blogs.msdn.microsoft.com/sqlreleaseservices/end-of-mainstream-support-for-sql-server-2008-and-sql-server-2008-r2/

You've got till 2019. As long as you keep deploying the Cumulative Updates and any further service packs you will be fine till then, but after that security will become an issue, as even if it is not publicly accessible, malicious code from internally infected devices (smartphones or user systems) could exploit vulnerabilities no longer patched by MS.

https://technet.microsoft.com/en-us/library/ff803383.aspx 

Hence I would suggest you start looking at what options are available in the future to upgrade to a newer SQL version.
Easiest is a single SQL server with sufficient CPU & memory/licensing (Azure or local), running the database in compatibility mode.
Just point apps to the new instances etc. (Easier said than done at times, I know.)
0
 
J.R. Sitman, IT Director (author), commented:
Thanks to both. I guess you cannot split the points anymore. That is not a good improvement.
0