175 MILLION websites still powered by Windows Server 2003

Windows Server 2003 support ended a month ago today, but there are still 175 million websites on the public internet – about one in five – that are powered by the operating system. Plenty of the machines also run Microsoft Internet Information Services 6.0, a version of Redmond's web server that has primitive security compared …

  1. JakeMS
    Thumb Down

    Oh come on..

    If you are a bank and have a server that is for online banking and is running an OS that is no longer supported and obsolete you really should be ashamed of yourself as you are putting your users/clients entirely at risk of fraud.

    Seriously, aren't banks supposed to be one of those companies that have the best of the best security?

    They really should be ashamed of themselves for not having a current/supported operating system.

    It's not like they haven't got the money to do it...

    Also, isn't Alibaba Chinese? If so, it's no surprise there; most of China is using pirated Windows XP, so it's not a big surprise to find it also has Windows Server 2003 to go with it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Oh come on..

      Maybe, just maybe, those banks have bought the additional support from Microsoft and are still applying new patches to Windows 2003 servers...

      1. Grikath

        Re: Oh come on..

        You're talking banks, right? The sector most likely to have $Stuff running that requires an OS that still talks to the applications running on them, given that a modern OS doesn't support them if they can run them at all.

        1. Tom 13

          Re: requires an OS that still talks to the applications

          Nope, not buying that one. We're talking banks, the sort of organizations that plan on making 30 year loans. The death of Server 2003 was announced well ahead of time. They had more than enough time to plan for it and reprogram those apps.

          Yeah, yeah. I know. Once upon a time I did support work for a local bank chain. Yep, their software was crap and depended on DOS functions even when XP was rolling out. No, I didn't have any sympathy for them either.

      2. Robert Helpmann??
        Childcatcher

        Re: Oh come on..

        Pretty much the same went on when OS/2 went past end-of-life. Banks were responsible in large part for keeping it alive on life support long after IBM wanted to pull the plug. The usual excuse is that they are risk-averse, but to be honest it's more a case of having a huge amount of changes to be made without having the proper resources devoted to the issue. I would look to see them keep Server 2003 alive for another few years and for there to be licensed third party support after (again, as with OS/2). Windows XP is still being supported (MS is still rolling out patches to paying customers) and its official end of life was April 8, 2014. My best guess is that Server 2003 will finally die (become undead) around 2020.

    2. AndrueC Silver badge
      Unhappy

      Re: Oh come on..

      If you are a bank and have a server that is for online banking and is running an OS that is no longer supported and obsolete you really should be ashamed of yourself as you are putting your users/clients entirely at risk of fraud.

      There's a lot that banks should be ashamed of. They so rarely are though.

      Their solution to fraud is twofold. First they implement systems (eg Chip and Pin) where the objective is to be able to 'prove' that the customer was at fault and therefore they aren't liable. If those kind of tricks fail they cover the cost by increasing charges or adjusting the interest they charge or pay.

      Their basic goal is to just transfer the cost onto their customers. Shame..is not a factor :-/

      1. Peter Brooks 1
        IT Angle

        Not just cost

        Banks also want to transfer risk to their customers, and, if that fails, to governments - they have succeeded, more often than not.

        The only point of a bank, in economic terms, is to make money from absorbing risk. Once they stop absorbing risk they're simply a fiscal drag - like the Mafia.

        Banks behave as idiots with technology, because they don't know the risks and, thus, understate them by a few factors of 10. This isn't an accident. Since they don't need to worry about the risk, since it is absorbed by their customers or by governments, why should they bother even knowing what it is?

    3. AndrueC Silver badge
      Meh

      Re: Oh come on..

      They really should be ashamed of themselves for not having a current/supported operating system.

      I worked in the financial industry for a while. That left me with even less faith in their IT abilities than I had before. As outside contractors we tried to do the job properly and we mostly succeeded but it was a struggle at times. Even when replacing an old, creaking and badly implemented system they were reluctant to accept our suggestions.

      I can understand 'sticking with what you know' in the financial sector but when 'what you know' is a pile of crap you ought to at least consider something new.

    4. P.B. Lecavalier

      Re: Oh come on..

      > Seriously, aren't banks supposed to be one of those companies that have the best of the best security?

      I expected banks to be among the customers of Itanium with HP-UX, with pointy-haired boss saying "We need something good. The more expensive it is, the better it must be."

      This reported state of affairs is not necessarily representative, but given how jackass the financial sector can be (Crisis, or the love of needless risk-taking), I'm not terribly surprised.

      1. asdf

        Re: Oh come on..

        > the customers of Itanium with HP-UX

        Not to be a dick or carry water for HP but you certainly could do worse security wise. Costly yes, very but script kiddies aren't breaking into that if you have a decent admin.

        1. Anonymous Coward
          Anonymous Coward

          Re: Oh come on..

          Well, yes, HP-UX is less bad than the Microsoft rubbish, certainly - but it is still closed source, and closed source can never be trusted.

    5. WolfFan Silver badge

      Re: Oh come on..

      Seriously, aren't banks supposed to be one of those companies that have the best of the best security?

      They really should be ashamed of themselves for not having a current/supported operating system.

      You obviously have never worked for a bank. I once had some contracting work for one, at their corporate headquarters. In 2007, they were running NT4 on their servers and their workstations were Win 98. And not 98 SE, either. The only exceptions were a few NT 3.x and Win 2000 Workstation units and one solitary Power Mac G4. They were considering moving up to Win 2000 Server for the servers. Where they were going to get the Win 2000 licenses is left as an exercise for the student. I certainly don't know. I took my money and got out as fast as I could.

      1. Triggerfish

        Re: Oh come on..

        A server upgrade is a cost to a business when nothing seems to be wrong with the current one.

      2. Danny 14

        Re: Oh come on..

        Not agreeing with the sentiment, but you can easily license NT4 or 2k by normal MS SA licenses. That's how we license our 2012 (non R2) and 2008R2 by SA 2012R2.

        We also bought a job lot of unused cheap W98 stickers and books some years ago, that way we can leverage the upgrade SA licenses cheaply too.

        1. Anonymous Coward
          Anonymous Coward

          Why pay for expensive rubbish when you can get better free?

          Why pay for any licenses at all? It is closed-source spyware, as well as being rubbish.

          It is also much more expensive to support than Linux.

          There simply is no rational business case for it.

    6. Anonymous Coward
      Anonymous Coward

      Re: Oh come on..

      Do you honestly think banks and government are separate?

      They probably have access to every and any patch in existence, public or private.

      As a point, and I've seen it, most ATMs use either XP or NT through a modem; how on earth do you think they achieve such a feat without getting hacked?

      My tin foil hat is a bit itchy...

  2. Guus Leeuw

    Re: oh come on

    Now where did you get the notion that these are online banking supporting systems?

    1. Pascal Monett Silver badge

      Well, the article does mention that there are banks among the web-facing computers that have an insecure hosting platform.

      1. Steve Davies 3 Silver badge

        And...?

        Every website used by a bank is for on-line banking?

        Are you really, really, really sure about that?

        I do know of one bank that has a web server that only supplies reference material. No customer details are required or held.

        Sure these banks do need a kick where it really hurts but some sites have a greater need for secure connections than others.

        1. Anonymous Coward
          Anonymous Coward

          Re: And...?

          Consider that ATMs use Windows for no good reason whatsoever.

  3. r4gg3h
    Facepalm

    Things look better than they did last week...

    ...We just removed 5 Server 2000 websites from our environments!

    Don't ask how many Server 2003 websites we still have. :(

    1. Captain Scarlet
      Trollface

      Re: Things look better than they did last week...

      And I take it you don't want to mention about the instances of NT4 left!

      1. Tom 13
        Devil

        Re: instances of NT4 left!

        Hey, at this point NT4 is probably nearly as secure as OS/2. Hackers regard them as such obscure and worthless systems they sort of have achieved security through obscurity.

        1. druck Silver badge
          FAIL

          Re: instances of NT4 left!

          Tom 13 wrote:

          Hey, at this point NT4 is probably nearly as secure as OS/2. Hackers regard them as such obscure and worthless systems they sort of have achieved security through obscurity.

          No, the exploits will try their luck on any version of Windows, because look at most of the recent patches, which are marked for all versions of Windows from Vista (the last currently supported OS) and above,

          and if it's in Vista you can be pretty sure it's in XP too,

          and if it's in XP you can be pretty sure it's in W2K too,

          and if it's in W2K you can be pretty sure it's in NT4 too.

          1. Anonymous Coward
            Anonymous Coward

            Re: instances of NT4 left!

            The vulnerability maybe, but I wouldn't be 100% sure; it depends where it is. But whether an exploit works on NT is another issue: it depends on what API it calls. If it happens to call something not available on NT it will fail, and most compilers/libraries today no longer target NT, unless you explicitly write and test for it.
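The point made in the two replies above, that a vulnerability may be inherited from NT4 onwards while a modern exploit binary may simply refuse to run there, has a checkable form. Every PE image records in its optional header the subsystem version it was linked for, and the Windows loader rejects an image whose value is higher than the running OS (modern MSVC linkers default to 6.0, i.e. Vista, unless told otherwise). The Python below is an added example, not code from the commenters or from The Register: it parses those fields from a PE header and decides whether the image would load on a given Windows release. The release table and the header-building helper are assumptions of the example; the helper produces constructed test input, not a loadable executable.

```python
import struct

# Subsystem version -> the first Windows release whose loader accepts it.
# Assumed mapping (well-known NT kernel versions), not data from the page.
WINDOWS_RELEASES = {
    (4, 0): "Windows NT 4.0",
    (5, 0): "Windows 2000",
    (5, 1): "Windows XP",
    (5, 2): "Windows Server 2003",
    (6, 0): "Windows Vista / Server 2008",
    (6, 1): "Windows 7 / Server 2008 R2",
    (6, 2): "Windows 8 / Server 2012",
    (6, 3): "Windows 8.1 / Server 2012 R2",
    (10, 0): "Windows 10 / Server 2016 and later",
}

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_pe_versions(data: bytes) -> dict:
    """Read the OS/subsystem version fields from a PE image's optional header.

    Only the DOS stub, PE signature, COFF header and the first 72 bytes of the
    optional header are consumed. The offsets used (40, 48, 68) are the same
    for PE32 and PE32+, because the layouts only differ before offset 32.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    ss_major, ss_minor = struct.unpack_from("<HH", data, opt + 48)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "os_version": (os_major, os_minor),
        "subsystem_version": (ss_major, ss_minor),
        "subsystem": subsystem,
        "dll_characteristics": dll_chars,
    }


def can_load_on(data: bytes, running: tuple) -> bool:
    """The loader refuses an image whose subsystem version exceeds the OS version."""
    return parse_pe_versions(data)["subsystem_version"] <= running


def minimum_release(data: bytes) -> str:
    """Name the oldest Windows release that will load this image."""
    v = parse_pe_versions(data)["subsystem_version"]
    return WINDOWS_RELEASES.get(v, f"unknown (subsystem version {v[0]}.{v[1]})")


def build_min_pe(ss_major: int, ss_minor: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: just enough of a PE header for parse_pe_versions.

    A real image has a full optional header, data directories and sections;
    this is test input only and will not run on any Windows.
    """
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,  # Machine
                       1, 0, 0, 0, 72, 0x102)                      # ..., SizeOfOptionalHeader, Characteristics
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt = struct.pack("<HBB", magic, 14, 0)                        # Magic, linker version
    opt += struct.pack("<IIIII", 0x200, 0x200, 0, 0x1000, 0x1000)  # sizes, entry point, BaseOfCode
    opt += (struct.pack("<Q", 0x140000000) if pe32plus             # ImageBase (PE32+)
            else struct.pack("<II", 0x2000, 0x400000))             # BaseOfData, ImageBase (PE32)
    opt += struct.pack("<II", 0x1000, 0x200)                       # Section/File alignment
    opt += struct.pack("<HHHHHH", ss_major, ss_minor, 0, 0, ss_major, ss_minor)  # OS, image, subsystem versions
    opt += struct.pack("<IIII", 0, 0x3000, 0x200, 0)               # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 3, 0x0140)                           # CUI subsystem; DYNAMIC_BASE | NX_COMPAT
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    for sample in (build_min_pe(4, 0), build_min_pe(5, 2), build_min_pe(6, 0, pe32plus=True)):
        v = parse_pe_versions(sample)["subsystem_version"]
        print(v, minimum_release(sample), "loads on Server 2003:", can_load_on(sample, (5, 2)))
```

Run it against a real binary with `parse_pe_versions(open(path, "rb").read())`; a tool linked with a current toolchain typically reports (6, 0), which is exactly why it will not start on NT4, 2000 or XP even if the bug it targets exists there. The same fields are also what a triage script can use to sort captured samples by the oldest Windows they were built to run on.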

    2. Chika

      Re: Things look better than they did last week...

      I can believe that. The site I worked at removed its very last W2K machine a little over a year ago and as I was shoved out into the cruel world of the job market they still had a sizeable number of W2K3, both physical and virtual.

      Having said that, the techs responsible were getting their collective heads around W2K12 and were liking it immensely, though the software used on some of the servers is likely to give them a few headaches before they've completely finished, so I could see W2K3 being around for some time yet.

      Let's face it; some of the problem here is financial, some laziness, some technical/software related.

      Mind you, since this article includes banks, institutions that still insisted on dial-up modems for some services until very recently because they didn't trust the security of anything else online, my money is on the stuffed shirt in the panelled office in some financial district somewhere with almost no knowledge of tech, a salary that would make quite a few impoverished countries salivate and a case of paranoia that would keep many shrinks in business for years.

      1. Brewster's Angle Grinder Silver badge

        Re: Things look better than they did last week...

        "...a case of paranoia that would keep many shrinks in business for years."

        The paranoia is fully justified. If anything, they don't seem to be paranoid enough.

  4. Henry Wertz 1 Gold badge

    95-era code

    "and if its in Vista you can be pretty sure its in XP too,

    and if its in XP you can be pretty sure its in W2K too,

    and if its in W2K you can be pretty sure its in NT4 too."

    I really am not sure about that. Vista is pretty bloated compared to XP, XP is bloated compared to 2000, and 2000 is bloated compared to NT4. Quite a few of those vulnerabilities, the entire subsystem they are exploiting probably doesn't even exist in NT4. Not to say I recommend this "use NT4 because it's too old to be vulnerable" strategy.

    No comment on people still running 2003, or whatever. I won't judge, I mean, 95-era on through about XP (so a good 7 or 8 years), Microsoft seemed to almost encourage very sloppy programming. There were all sorts of monstrosities from this era that would just be this inseparable wad of maybe some actual executable code, and Visual Basic for Applications scripts, and DCOM, and ActiveX, and it'd do some bits in Office 95 or 98, and on and on. You did have people on Slashdot and probably on here saying these had better be rewritten from basically day 1, but the day's finally come where they'll probably find they cannot get it to run in Windows 2012... so they'll have to keep running 2003 forever or finally rewrite their junk.

    1. asdf

      Re: 95-era code

      Didn't I read they found some exploit recently that went all the way back to Windows 95?

      1. a_yank_lurker

        Re: 95-era code

        Depending on what the attack exploits the problem may go all the way back to DOS or it can only affect versions after 'X'. 'X' is the first version with the exploited functionality.

  5. Anonymous Coward
    Facepalm

    What's wrong with Windows Server 2003 anyway?

    Clearly plenty is - it's a Microsoft product after all, and no-one here can persuade me that Microsoft is in the business of writing quality code. But there's no way that later versions of Windows are in any way 'better' for any reasonable value of 'better'. Microsoft have simply grafted more barely documented DRM-laden, NSA-friendly, privacy-busting shite onto their existing shaky foundations. And a lot of us fall for it time and time again.

    If you're running Windows, it doesn't matter what version you pick. If you've not been hacked by smart Russian teenagers, then you've probably been hacked by Microsoft themselves, and your data has been 'backed up' by persons unknown a long time ago. Too late.

  6. Anonymous Coward
    Anonymous Coward

    No Open Source, No Security

    Using closed source for anything other than a private hobby web-site is criminally stupid.

    The risk committees of banks are simply unaware of the huge risk that IT has put them at.

    A massive failure of governance. Which will end in tears.... again.

    1. Hans 1

      Re: No Open Source, No Security

      >Using closed source for anything other than a private hobby web-site is criminally stupid.

      In a closed network with no physical access to any other network, maybe, and even then ...

  7. ThomB

    A bit of a mix-up, ain't it?

    Seems Mr Sharwood has his figures a bit wrong. The 175 million websites running WinServer 2003 were found in July, but he connects them with the totals reported for August, leading to the one fifth estimate. However, Netcraft's July survey said there were totals of 849,602,745 sites and 5,350,323 web-facing computers. While that doesn't change a whole lot in terms of percentage etc., it's still a mistake that should be corrected.
