
Protect Legacy Server

Paul Walsh
Hi All,

We have a few legacy servers that shortly will no longer be covered by critical updates. These won't be able to be updated to a newer OS for a little while. We have a solid AV on them and they sit behind a decent firewall. Is there anything else we need to do to further protect these servers until we can upgrade them? None of them bar one touches the internet in any way.

Our reseller has suggested Trend Deep Security. Is this a good path to take / has anyone any experience with this product?

Distinguished Expert 2018
Hi Paul.

Let me share an example to make you understand how critical this really is.
Let's say you run a file server. The service behind the file shares could be vulnerable, and when such a vulnerability becomes known, it can be attacked.

-> What would this attack look like: it could suffice to send malformed network packets to the server in order to gain full access to all data on it.
-> Who could carry out such an attack: anyone with access to these file shares, so for example all your employees.
-> Impact: the access permissions that you (hopefully) enforce will no longer be respected.
-> What would a firewall or some other software do about it: in many cases nothing at all, since only OS components and no malware are being (ab)used.

That is just one example, but it will hold true for many scenarios.
So unless you perfectly trust your employees, you don't have much of a choice but to get rid of that server as soon as possible.

There's no being extra-careful and I wouldn't rely on tools here.
Ask yourself who's responsible if something happens. The end of support date has been known for a long time.
ste5an (Senior Developer)
Protect against what?

When those servers are isolated (on the physical layer) and only traffic for the necessary services is allowed, then it is "not a problem":

1. Necessary traffic means DPI, packet filtering and/or proxy servers. So more than just "firewalls".
2. Not a problem means permanent monitoring.
3. Not a problem means that when there is a critical issue, it may be necessary to switch it off. Yeah, I mean really, power off.
4. Make sure that your DR plans are in place and your recovery procedures are tested.
5. When you think "solid AV" is part of the solution, then you should upgrade as fast as possible. AV has proven more than once in the past to be a vector for infections on its own. Also, AV is normally only useful where you have file-based user interaction. This sounds like a scenario where the risk of sticking to old versions is too high.
6. An important part is risk assessment. How expensive will a data loss get? Down-time without production? Is customer data processed by those systems? The GDPR rules may apply, thus any incident must be reported. Which will probably result in reputation loss, as well as in possible fees for not using actual standards.

3, 4 & 6 normally imply: Considering the costs for an incident and when you have DR in place, then you should check your assumption. Maybe you can/must upgrade.

When there are hard reasons why this is not possible: I don't know TDSt, but the solutions using AI I'm aware of have too high a failure rate. They are only useful in combination with a good insurance.

In short: You may try, but you need to be prepared to switch tomorrow. And you should communicate the risk (in money) to the management.
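As an added illustration of points 1 and 2 above (this is example code, not from the thread or from any product named in it): "only traffic for the necessary services" can be written down as an explicit allowlist and checked continuously against the firewall's flow log. The VLAN range, peer hosts, ports and log line format below are all hypothetical, constructed for this example; a real deployment would feed the checker from the firewall's own export format.

```python
"""Check a firewall flow log for an isolated legacy segment against a
'necessary services only' allowlist. Added example; all addresses, ports
and log lines are constructed placeholders."""
import ipaddress
import re
from typing import Optional

# Hypothetical: the legacy servers live in their own VLAN.
LEGACY_VLAN = ipaddress.ip_network("10.50.0.0/24")

# Only these flows are "necessary traffic". Every other allowed flow that
# touches the legacy VLAN is reported. (Hypothetical peers and ports.)
ALLOWED_INBOUND = {
    (ipaddress.ip_network("10.10.0.0/24"), "tcp", 445): "SMB from the one user subnet that needs the shares",
    (ipaddress.ip_network("10.99.0.5/32"), "tcp", 3389): "RDP from the admin jump host only",
}
ALLOWED_OUTBOUND = {
    (ipaddress.ip_network("10.99.0.10/32"), "udp", 514): "syslog to the SIEM collector",
    (ipaddress.ip_network("10.99.0.11/32"), "tcp", 10000): "backup agent to the backup server",
}

# Constructed log line layout used by this example.
FLOW_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


def parse_flow(line: str) -> Optional[dict]:
    """Parse one flow-log line into a dict, or return None if it does not match."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return {
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def _permitted(peer, proto, port, allowlist) -> bool:
    """True if (peer, proto, port) is covered by one allowlist entry."""
    return any(peer in net and proto == p and port == dp for (net, p, dp) in allowlist)


def check_flows(lines):
    """Return (violations, denied_count).

    A violation is an *allowed* flow touching the legacy VLAN that the
    allowlist does not cover. Denied flows are only counted: the firewall
    did its job, but a spike in them is itself worth monitoring."""
    violations = []
    denied = 0
    for n, line in enumerate(lines, 1):
        f = parse_flow(line)
        if f is None:
            continue
        if f["action"] != "allow":
            denied += 1
            continue
        src_in, dst_in = f["src"] in LEGACY_VLAN, f["dst"] in LEGACY_VLAN
        where = f"{f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}"
        if src_in and dst_in:
            # Legacy hosts should not need to talk to each other at all.
            violations.append((n, "intra", f"lateral traffic inside the legacy segment: {where}"))
        elif dst_in and not _permitted(f["src"], f["proto"], f["dport"], ALLOWED_INBOUND):
            violations.append((n, "inbound", f"{where} not on the inbound allowlist"))
        elif src_in and not dst_in and not _permitted(f["dst"], f["proto"], f["dport"], ALLOWED_OUTBOUND):
            violations.append((n, "outbound", f"{where} not on the outbound allowlist"))
        # Flows that touch neither side of the legacy VLAN are out of scope.
    return violations, denied


# Constructed sample log: one SMB session, one RDP attempt from a user PC,
# one RDP session from the jump host, syslog egress, an internet egress,
# a server-to-server flow inside the VLAN, and one denied flow.
SAMPLE_LOG = [
    "2019-03-01T10:00:01Z proto=tcp src=10.10.0.15:51234 dst=10.50.0.7:445 action=allow",
    "2019-03-01T10:00:05Z proto=tcp src=10.10.0.15:51240 dst=10.50.0.7:3389 action=allow",
    "2019-03-01T10:01:00Z proto=tcp src=10.99.0.5:60001 dst=10.50.0.7:3389 action=allow",
    "2019-03-01T10:01:30Z proto=udp src=10.50.0.7:40000 dst=10.99.0.10:514 action=allow",
    "2019-03-01T10:02:00Z proto=tcp src=10.50.0.7:40001 dst=203.0.113.9:443 action=allow",
    "2019-03-01T10:02:10Z proto=tcp src=10.50.0.7:40002 dst=10.50.0.8:445 action=allow",
    "2019-03-01T10:03:00Z proto=tcp src=10.10.0.33:50000 dst=10.50.0.7:135 action=deny",
]

if __name__ == "__main__":
    found, denied_count = check_flows(SAMPLE_LOG)
    for n, direction, reason in found:
        print(f"line {n:>3} [{direction}] {reason}")
    print(f"{denied_count} denied flow(s) seen")
```

Running this over the constructed sample reports the RDP session from a user PC, the HTTPS egress to the internet address and the server-to-server SMB flow, while the denied RPC probe is only counted. The point of keeping the allowlist as data rather than as firewall state is that it doubles as documentation for the risk register and can be diffed when someone adds a "temporary" rule.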
Exec Consultant
Distinguished Expert 2018
You need to do a risk assessment as ultimately the residual risk is to be accepted by the system owner and not you per se.

There is an element of non-compliance as well, unless your organization does not have a security or IT policy dictating the use of EOL or EOS assets. They are the target that any hacker or malware will be spring-boarding from to penetrate into your database systems to siphon off the data.

Suggest you look into reducing the blast area by segregating these legacy servers into a separate VLAN and restricting the ingress and egress of the data flow and transactions.

Continuous monitoring of the alerts from your security controls is critical, and be prepared to activate your BCP for data recovery. In short, data backup should be off those systems.

Firewall and AV are necessary but not sufficient even if you do not have legacy systems. Host-level intrusion detection and ransomware defences are critical to augment the AV no matter how solid it is, as it is still based on signatures. Application whitelisting and restrictions on the use of portable devices are needed too.

All privileged access to those servers needs to be inspected and the activity logged so that anomalous events can be surfaced as early as possible, and of course make sure MFA is in place for remote administration.

Mitigation controls should be in your risk register that was earlier mentioned.

As for Deep Security, it is alright as endpoint security for anti-malware, but it does not fulfil the above mentioned. You need process control and possibly investigative capabilities when things go wrong, i.e. a sort of endpoint detection and response (EDR) tool.
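As an added example of the privileged-access logging and monitoring described in this answer (not code from the thread or from Deep Security): three simple rules run over logon events from a legacy host can surface the anomalies a reviewer would want to see first. The admin account names, jump host address, maintenance window and the event line format are all hypothetical, constructed for this example; event numbers 4624 (successful logon) and 4625 (failed logon) and logon type 10 (remote interactive) follow the Windows security log conventions.

```python
"""Surface anomalous privileged logons from constructed security-log lines.
Added example; accounts, hosts, window and log lines are placeholders."""
import re
from collections import Counter
from datetime import datetime, timezone

PRIVILEGED = {"CORP\\adm_paul", "CORP\\adm_backup"}  # hypothetical admin accounts
JUMP_HOSTS = {"10.99.0.5"}                           # the only sanctioned admin path
MAINT_WINDOW = (7, 19)                               # 07:00-19:00 UTC, hypothetical
FAILURE_THRESHOLD = 5                                # failed logons before alerting

# Constructed line layout: ISO timestamp, host, Windows event id, logon type,
# account and source address.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>\d+)\s+"
    r"logon_type=(?P<ltype>\d+)\s+user=(?P<user>\S+)\s+src=(?P<src>[\d.]+)$"
)


def parse_event(line: str):
    """Parse one constructed event line; return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ts": ts,
        "host": m["host"],
        "event": int(m["event"]),
        "ltype": int(m["ltype"]),
        "user": m["user"],
        "src": m["src"],
    }


def review_privileged_access(lines):
    """Return a list of (line_no, rule, detail) findings.

    Rules: 'brute-force' when a (source, account) pair reaches the failure
    threshold; 'path' when an admin account logs on interactively from
    anywhere but a jump host; 'time' when an admin logon falls outside the
    maintenance window."""
    findings = []
    failures = Counter()
    for n, line in enumerate(lines, 1):
        e = parse_event(line)
        if e is None:
            continue
        if e["event"] == 4625:
            key = (e["src"], e["user"])
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:  # alert once per pair
                findings.append((n, "brute-force",
                                 f"{FAILURE_THRESHOLD} failed logons for {e['user']} from {e['src']}"))
            continue
        if e["event"] != 4624 or e["user"] not in PRIVILEGED:
            continue
        if e["ltype"] == 10 and e["src"] not in JUMP_HOSTS:
            findings.append((n, "path",
                             f"remote interactive logon by {e['user']} from {e['src']}, not a jump host"))
        hour = e["ts"].hour
        if not (MAINT_WINDOW[0] <= hour < MAINT_WINDOW[1]):
            findings.append((n, "time",
                             f"{e['user']} logged on at {e['ts']:%H:%M} UTC, outside the maintenance window"))
    return findings


# Constructed sample: a normal admin session, a normal user session, an admin
# RDP session late at night from a user PC, five failed logons for an admin
# account, and a night-time network logon by the backup account.
SAMPLE_EVENTS = [
    "2019-03-01T09:12:40Z host=LEGACY-FS1 event=4624 logon_type=10 user=CORP\\adm_paul src=10.99.0.5",
    "2019-03-01T10:03:11Z host=LEGACY-FS1 event=4624 logon_type=3 user=CORP\\jsmith src=10.10.0.15",
    "2019-03-01T22:41:05Z host=LEGACY-FS1 event=4624 logon_type=10 user=CORP\\adm_paul src=10.10.0.15",
    "2019-03-01T23:10:01Z host=LEGACY-FS1 event=4625 logon_type=3 user=CORP\\adm_backup src=10.10.0.22",
    "2019-03-01T23:10:02Z host=LEGACY-FS1 event=4625 logon_type=3 user=CORP\\adm_backup src=10.10.0.22",
    "2019-03-01T23:10:03Z host=LEGACY-FS1 event=4625 logon_type=3 user=CORP\\adm_backup src=10.10.0.22",
    "2019-03-01T23:10:04Z host=LEGACY-FS1 event=4625 logon_type=3 user=CORP\\adm_backup src=10.10.0.22",
    "2019-03-01T23:10:05Z host=LEGACY-FS1 event=4625 logon_type=3 user=CORP\\adm_backup src=10.10.0.22",
    "2019-03-02T02:00:00Z host=LEGACY-FS1 event=4624 logon_type=3 user=CORP\\adm_backup src=10.99.0.11",
]

if __name__ == "__main__":
    for n, rule, detail in review_privileged_access(SAMPLE_EVENTS):
        print(f"line {n:>2} [{rule}] {detail}")
```

The last sample line is deliberately a false positive: a backup service account logging on at 02:00 from the backup server is expected, which is why the maintenance-window rule needs per-account exceptions once it runs against real data, and why the findings go to a person or an EDR workflow rather than straight to a block action.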