sbradley
Contributing Writer

Your Microsoft network is only as secure as your oldest server

Feature
Dec 08, 2021 | 6 min read
Network Security, Windows Security

It's time to inventory your network to identify systems to replace or migrate away from.

[Image: outdated, obsolete computer systems displaying binary code. Credit: Maxiphoto / Getty Images]

Your future IT plans probably include testing and planning for Windows 10 and Windows 11 deployments. You are researching methods for deployment and management, including Group Policy and Intune settings. You've read about how Windows 10 and Windows 11 have moved to an annual feature release cadence and away from the twice-a-year cadence.

Your desktop deployments are relatively under control, but where are your server deployments? I’ve seen evidence that recent desktop Windows updates are interacting with older unpatched platforms and causing undue hardship.

IT professionals blame patching, but the real underlying problem is the server platforms you are using for authentication and storage. If you are still using Windows Server 2003 in your network, not only does it provide entry points into your network for attackers, it keeps SMB v1 deployed in your network. That prevents you from deploying more secure authentication techniques and from rolling out better ways to connect to your network.

I’ve seen network administrators report that when they have a Windows 2003 machine as a print server, printing issues ensued when the recent October and November security updates were applied to Windows 10 workstations (specifically KB5006670, released on October 12, 2021 for Windows 10 versions 2004, 20H2, 21H1 and 21H2, and KB5007186, released on November 9, 2021 for Windows 10 versions 2004, 20H2, 21H1 and 21H2). Administrators had to move the print server to a newer patched platform to solve printing issues triggered by the lack of updates on the Server 2003 platform and the deployment of updates on the Windows 10 platforms. I’ve also seen administrators report that older servers such as Server 2008 R2, Server 2008 and Server 2003 caused network file sharing issues if they were paired with Windows 10.

Be aware of server age and security support end dates

Microsoft announced it is expanding the Extended Security Update (ESU) offerings for Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Server 2008 R2 SP1 for Embedded Systems and Windows Server 2008 SP2 for Embedded Systems if running on Microsoft Azure. These platforms will have an additional year of ESUs beginning on February 14, 2023 and ending on January 9, 2024. Windows 7, however, will keep the original ESU end date of January 10, 2023.

Inventory your server operating systems and review what you have installed. Some supportability dates to keep in mind: Windows Server 2012 is supported through October 10, 2023. After that date you can purchase ESUs for an additional year and each year thereafter for a total of three years.
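The inventory the article asks for, and the SMB v1 exposure it warns about in the Server 2003 paragraph, can both be pulled from Active Directory and WinRM in one pass. The script below is an added example, not the author's own tooling. It assumes the ActiveDirectory RSAT module on the admin workstation, WinRM access to the servers, and an end-of-support table that takes the Windows Server 2012 date from the article and the other dates from Microsoft's published lifecycle pages (verify them against the current lifecycle site before acting on the output). Hosts that cannot be reached, or that predate Get-SmbServerConfiguration, are flagged rather than silently skipped, since those are usually the oldest boxes.

```powershell
# Added example (not from the article): inventory AD-joined Windows servers,
# flag those past end of support, and record whether SMB v1 is still enabled.
# Assumes: ActiveDirectory module present, WinRM reachable on the servers.
Import-Module ActiveDirectory

# End-of-support dates. Server 2012 comes from the article; the rest are from
# Microsoft's lifecycle pages as the author of this example recalls them. Verify.
$endOfSupport = @{
    'Windows Server 2003' = [datetime]'2015-07-14'
    'Windows Server 2008' = [datetime]'2020-01-14'   # ESU on Azure extended to 2024-01-09 (article)
    'Windows Server 2012' = [datetime]'2023-10-10'
    'Windows Server 2016' = [datetime]'2027-01-12'
    'Windows Server 2019' = [datetime]'2029-01-09'
    'Windows Server 2022' = [datetime]'2031-10-14'
}

function Get-ServerLifecycleStatus {
    param([string]$OperatingSystem)
    # Match on the family prefix so "Windows Server 2008 R2 Standard" maps to the 2008 entry.
    foreach ($family in $endOfSupport.Keys) {
        if ($OperatingSystem -like "$family*") {
            $eol = $endOfSupport[$family]
            return [pscustomobject]@{
                Family       = $family
                EndOfSupport = $eol
                PastSupport  = (Get-Date) -gt $eol
            }
        }
    }
    return [pscustomobject]@{ Family = 'Unknown'; EndOfSupport = $null; PastSupport = $null }
}

# Every computer object whose OS attribute says it is a server.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server*"' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

$report = foreach ($s in $servers) {
    $status = Get-ServerLifecycleStatus -OperatingSystem $s.OperatingSystem

    # SMB v1 state. Get-SmbServerConfiguration exists on Server 2012 and later;
    # a host without it is legacy and should be treated as still serving SMB v1.
    $smb1 = 'unreachable'
    try {
        $smb1 = Invoke-Command -ComputerName $s.DNSHostName -ErrorAction Stop -ScriptBlock {
            if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
                (Get-SmbServerConfiguration).EnableSMB1Protocol
            } else {
                'legacy-no-cmdlet'
            }
        }
    } catch {
        $smb1 = 'unreachable'
    }

    [pscustomobject]@{
        Name         = $s.Name
        OS           = $s.OperatingSystem
        Build        = $s.OperatingSystemVersion
        LastLogon    = $s.LastLogonDate
        EndOfSupport = $status.EndOfSupport
        PastSupport  = $status.PastSupport
        SMB1Enabled  = $smb1
    }
}

# Unsupported servers and anything still answering SMB v1 belong at the top of the migration list.
$report | Sort-Object PastSupport, EndOfSupport -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\server-inventory.csv -NoTypeInformation
```

The CSV is the artifact to keep: a row with PastSupport of True, or SMB1Enabled of True, legacy-no-cmdlet or unreachable, is a system to replace or migrate before the next round of workstation updates lands on it. Run it again after each migration so the list shrinks on the record, not just in memory.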

Don’t just think of the lifecycle of the operating systems. Look at your server farms and age of deployments. If you have physical servers, you can determine the age of the systems by looking at their warranties. For example, if you use HP servers, you can review the warranty online to determine the age of the servers.

Even if all your servers are in a datacenter, review your contracts with the host and their support guidance for the operating systems in their datacenters. They, too, may have lifecycle and migration mandates tied to the supportability of server operating systems. Review your options regarding supportability.

Moving Active Directory to the cloud

If you extend your Active Directory (AD) to cloud properties, be aware of server supportability levels. Extending your AD to cloud services will help you modernize your AD infrastructure. For example, older AD versions can’t support multifactor authentication, and even where it is supported you must be on a supported on-premises server infrastructure and forest functional level. Services such as Amazon Web Services can be used to extend an existing on-premises deployment to cloud platforms. If you use Azure to join your on-premises network, you can use solutions such as Azure AD Connect to synchronize the on-premises identity with Azure and ultimately with Microsoft 365.

Many firms use a strategy called “lift and shift”. On-premises servers are merely imaged or moved to virtual machines and shifted to cloud properties. This is one way to deal with the supportability of your server properties. For networks that have IT administrator staff who monitor and deploy hardware in this manner, this is probably the easiest path to take. The resources and processes that you currently use to manage and maintain servers are nearly identical when using IaaS.

Alternatives include a total re-architecture of your network. You can consider going “serverless” with your entire on-premises deployment. Start by inventorying your line-of-business applications to see how prepared you are to migrate to this possibility. Do your applications have cloud alternatives, or other platform-as-a-service or microservices approaches?

Moving on-premises Exchange and SharePoint to the cloud

Moving Exchange and SharePoint to the cloud will also allow you to reallocate patch management resources to compliance tasks. As someone who has psconfig-ed a SharePoint server to update it, I do not miss dealing with patch management on either SharePoint or Exchange installations.

If your firm is heavily entrenched with on-premises servers, identify those services that can be easily migrated to cloud platforms. If you still have an on-premises Exchange, I strongly recommend that you consider moving to hosted Exchange email. On-premises Exchange is very much in the crosshairs of attackers. Hosted Exchange not only is more protected by Microsoft, it has different technology and infrastructure to ensure that it can be better protected.

If you still plan to have Exchange deployed on premises and not move it to a hosted service, I recommend that you deploy the Microsoft Exchange Emergency Mitigation Service. First introduced in the September updates, this module allows your server to pull down zero-day protections that Microsoft prepares to better protect and defend Exchange servers.
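For administrators who keep Exchange on premises, the useful follow-up to the recommendation above is confirming that the Emergency Mitigation Service is actually running and enabled, rather than assuming the cumulative update turned it on. The check below is an added example and not from the article. It assumes an Exchange Management Shell session on a server with a cumulative update that ships the service; the Windows service name MSExchangeMitigation and the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties are taken from Microsoft's documentation of the feature as the author of this example recalls it, so confirm them against your Exchange version.

```powershell
# Added example (not from the article): confirm the Exchange Emergency Mitigation
# Service is present, running, and enabled at both organization and server scope.
# Assumes an Exchange Management Shell session. Property and service names are
# from Microsoft's EEMS documentation as recalled here; verify for your CU.

function Test-ExchangeMitigationService {
    param([string]$ServerName = $env:COMPUTERNAME)

    # The Windows service that periodically fetches and applies mitigations.
    $svc = Get-Service -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue

    # Organization-wide switch and per-server switch must both be enabled.
    $org    = Get-OrganizationConfig
    $server = Get-ExchangeServer -Identity $ServerName

    [pscustomobject]@{
        Server             = $ServerName
        ServiceInstalled   = [bool]$svc
        ServiceRunning     = ($svc -and $svc.Status -eq 'Running')
        OrgMitigations     = $org.MitigationsEnabled
        ServerMitigations  = $server.MitigationsEnabled
        MitigationsApplied = ($server.MitigationsApplied -join ', ')
        MitigationsBlocked = ($server.MitigationsBlocked -join ', ')
        # Healthy means the service exists, runs, and neither scope has it switched off.
        Healthy            = ([bool]$svc -and $svc.Status -eq 'Running' -and
                              $org.MitigationsEnabled -and $server.MitigationsEnabled)
    }
}

# Check every Exchange server in the organization and surface the unhealthy ones first.
Get-ExchangeServer | ForEach-Object { Test-ExchangeMitigationService -ServerName $_.Name } |
    Sort-Object Healthy | Format-List
```

A server reporting Healthy of False with an empty MitigationsApplied list has not pulled anything down, which is the state to investigate: the service may be stopped, the per-server switch may have been turned off during troubleshooting, or outbound access to Microsoft's mitigation endpoint may be blocked.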

SharePoint is another platform that can be migrated to a cloud platform. Many SharePoint servers can be migrated with minimal issues. Migrating to online SharePoint deployments also makes it easier to keep browser interactions up to date and secure. If you use Internet Explorer as your key browser to access your SharePoint sites, plan to move to a platform that can support modern browsers.

Bottom line, plan to migrate and deploy your server services, not just your workstations. Use this time to review your options and plan where you want your network to move.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
