Despite warnings, majority of firms still run some Windows Server 2003
According to a June report covering 200 enterprise data centers totaling more than 90,000 servers, only 7 percent of enterprises were completely free of Windows Server 2003, according to Softchoice, a technology services company.
During the first half of 2015, 21 percent of servers scanned were still running on that operating system, down from 32 percent in 2014 and 43 percent the year before that.
[ ALSO ON CSO: Windows vulnerability can compromise credentials ]
Data center analytics company CloudPhysics reported similar results a week ago, finding that 18 percent of all Windows server virtual machines are still running on Windows Server 2003. The company looked at thousands of virtualized data centers around the globe.
At this rate, CloudPhysics predicted it will be 2018 before the number of these servers is down to a statistically insignificant level.
According to IDC analyst Al Gillen, virtualization allowed companies to stick with older operating systems for longer because they no longer had to upgrade each time they replaced their hardware.
Virtualized servers don't require updated network or display drivers -- the hypervisor abstracts the physical servers and everything connected to them.
"This has been a boon for customers who previously had to face continuous updates to keep current on both servers and system software," he said. But it also helped contribute to an estimated 3 million new Windows Server 2003 installations in 2014.
In May, another IDC brief estimated that there were 1.5 million licensed installations of Windows Server 2003 around the world.
Another survey of more than 1,300 IT managers at companies of all sizes by Spiceworks showed that only 14 percent of IT managers who had Windows Server 2003 have completed the migration. The majority, 76 percent, have either migrated partially or were still in the planning stages as of January of this year, when the survey was conducted.
And 8 percent said they don't have any plans to upgrade, even though 85 percent of those sticking with the old operating system said they had concerns with security vulnerabilities, 72 percent were worried about software compatibility, and 66 percent said they had concerns with compliance risks.
Of those who said they hadn't yet migrated, 51 percent said that the old systems were still working, 48 percent said that they didn't have time, 37 percent pointed to budget constraints, 31 percent said that software compatibility was a factor.
According to Sean Curran, director of the technology infrastructure and operations practice at West Monroe Partners, manufacturing is one example of an industry with extremely expensive custom-built software that cannot be taken offline -- but which also cannot be moved to newer hardware.
"It can cost as much as the business initially invested, if not more, to upgrade," he said.
And that's if the vendor or employees who created the original applications are still even around.
"Organizations tend to be risk averse," said Karl Sigler, threat intelligence manager at Trustwave Holdings. "As long as it's still running, there's no need to fix it. Upgrading can be costly and complex for a lot of organizations."
For regulated industries, that can include compliance audits for each system affected.
"A lot of organizations put it off until the last minute," he said.
He added that some organizations might not even know that they have Windows Server 2003 machines still hanging around.
"A lot of these systems go unidentified, adding risk to a network that's unknown to the IT staff," he said.
Security risks
Unsupported software doesn't get security patches, and doesn't offer many of the security features that newer releases of the operating system have had added in.
"Later operating systems have user rights management and memory protection features," said Sigler.
Even if the old system is running on a completely private network, it doesn't mean a company can ignore these risks, he added.
"If the server is not publicly exposed to the Internet, the risk the servers presents to the organization is far less," he said. "But perimeter security is not enough anymore. We really need security in depth, layers of security that offer protection regardless of what the entry point turns out to be."
Compliance risks
According to West Monroe's Curran, most regulatory clauses require that reasonable security measures be in place to protect data.
"Choosing to do nothing and remain on an unsupported platform may not pass the 'reasonableness' test in the event of a security breach," he said.
That would result in fines, as well as in bad press and lost customers.
Operational risks
Sticking with Windows Server 2003 after June 14, companies may find themselves having to pay hefty support fees to Microsoft.
"Organizations should not expect a reprieve from Microsoft's end of support plans, as Microsoft has been true to its word regarding the end of support for Windows XP," Curran said.
And, in addition to security risks, compliance, and support fees, there are other reasons to want to get rid of Windows Server 2003, said Trustwave's Sigler.
Newer releases are more efficient, he said. They are easier to manage, and they have more functionality.
According to IDC's Gillen, for some companies the best solution may be not to upgrade, but to rip out the old system altogether and switch to a cloud-based, software-as-a-service solution.
"This is particularly true of small and medium-sized businesses," he said. Running Office, Exchange or other Microsoft applications in the cloud could be a better solution for many customers.