Lies, damn lies and FOI
We ran a server 2003 instance until very recently, and I constantly got criticised for the "gross security risk" that represented.
This is WRONG for *some* use cases.
On a well designed infrastructure, it is more than possible to design the network operations in such a way that an older, but still critical, application can run on unsupported Hardware/OS/Application framework and etc. safely - if it is only used internally, and cannot reach/see the internet.
It takes effort and planning to ensure that it cannot be reached except as required to provide the "service" it exists to provide, and is only accessible by the clients and methods essential to that service... but that's why internal DNS, subnetting, VLANS, Reverse Proxies and Firewalls exist: to mitigate, control and contain risk.
So MUCH of my staff's time is wasted responding to FOI requests that are just used to sell my details to marketing droids... that I don't want to hear from (and no I don't want your white paper, didn't give you permission to store my details, so GDPR them off your contacts system, please, thank you and goodbye).
Biting the hand that feeds IT
