Thousands of UK businesses will continue running Windows Server 2003 after Microsoft shuts down its official support on 14 July, leaving them wide open to cyberattacks.

According to research carried out by American security vendor bit9, as many as two thirds of companies that run vintage Windows Server will be using it after it reaches ‘end-of-life’ stage, and 10 percent have no contingency plan in place.

Of those that are planning to upgrade, more than a third will miss the deadline by the time their project has been completed.

But we’ve seen this before: in 2014, as Microsoft was shutting down support for Windows XP, it caused a crisis so severe it prompted the Chinese state to ban installation of Windows 8 on any new government PCs to “avoid the awkwardness of being confronted with a similar situation again in future.”

Threat or menace

Bit9, which recently merged with security start-up Carbon Black, questioned 153 medium and large UK-based organizations that were running Windows Server 2003, and found that 68 percent would continue using it past the ‘end-of-life’.

Even among those that plan to upgrade, 38 percent will miss the 14 July deadline. Meanwhile 26 percent will use this opportunity to move their workloads to the cloud.

Microsoft has a well-established framework for moving customers onto new releases: the lifespan of an operating system is around 10 years - five years under ‘mainstream support’ when new features are still being added, and another five under ‘extended support’ when only security updates are issued.

There are exceptions to this rule: Microsoft supported the immensely popular Windows XP for a total of 13 years, but despite this final act of mercy, the inevitable end caused a storm of bad publicity for the company.

Following the aforementioned logic, Windows 7 reached extended support stage on 13 January 2015, and security updates will be provided at least until 14 January 2020. Mainstream support for Windows Server 2008 was previously extended by 18 months, so it will retire on the same date in 2020.

Bit9 warns that using an OS without updates could expose servers to a “zero-day forever” scenario, where widely known, critical vulnerabilities are never patched.

“With less than 90 days left until the end-of-life deadline, organizations yet to upgrade must immediately aim to get their WS2K3 systems into a compliant state to eliminate financial, and potential legal, penalties and avoid the brand damage associated with failed audits, data breaches, and noncompliance,” said Chris Strand, senior director of compliance and governance for Bit9 + Carbon Black.

He added that even if businesses have no migration plan in place, there are several temporary measures they can adopt to minimize risk, such as network isolation, application whitelisting and continuous server monitoring.

If all else fails, Microsoft offers expensive support contracts that can extend the life of the OS: for example, the UK government had paid £5.5 million for another year of security updates for Windows XP. Earlier this week, V3 reported that the Crown Commercial Service had not renewed the contract for another year, potentially putting thousands of PCs at risk.