Research by British Internet services company Netcraft suggests that as many as 600,000 servers worldwide are still running Windows Server 2003, despite the fact that the operating system is no longer supported by Microsoft.

These machines are responsible for around 175 million websites - around 20 percent of all websites indexed by Netcraft.

Extended support for WS2k3 ran out on July 14, and the OS is no longer safe to use, since no new security patches will ever be released.

For whom the bell tolls

The lifespan of a Microsoft operating system is around 10 years - five years under ‘mainstream support’ when new features are still being added, and another five under ‘extended support’ when only security updates are issued.

Just like the immensely popular Windows XP, Windows Server 2003 got an extension - but eventually its creators had to pull the plug. While Microsoft cannot stop anyone from using the obsolete OS, it no longer issues patches for WS2k3, so even widely known, critical vulnerabilities are never fixed.

And yet Netcraft estimated that in July, there were around 600,000 web-facing servers still using Windows Server 2003 to host around 175 million websites – that’s ten percent of all web-facing machines. A further 1.7 million sites were believed to be hosted using WS2k3 behind load balancers and similar devices that are not running Windows.

China and the United States together accounted for 55 percent of the world’s active Windows Server 2003 computers. In China, 24,000 of these were used by Alibaba Group, including 7,500 under its cloud hosting unit Aliyun, which still allows its customers to create Windows Server 2003 virtual machines.

Netcraft also notes that hundreds of banks – including NatWest in the UK – appear to be running the obsolete OS. The company warns that using WS2k3 would be especially harmful for organizations that process financial details of their customers.

The Payment Card Industry Data Security Standard (PCI DSS) includes provisions on patches and security, and neglecting these could result in withdrawal of certification and hefty fines. Any organizations that handle financial details should migrate to a more recent operating system immediately.

The upgrade process from WS2k3 has previously been estimated to generate billions of dollars for hardware and software vendors.