[By Michael Gorelik, CTO of Morphisec]
Microsoft’s decision to end support for Windows Server 2012 and 2012 R2 should surprise no one. But the end of support for these decade-old operating systems is still catching many off guard.
Early last year, support ended for Windows 7, Windows 8, 8.1, and Windows Server 2008 R2 happened. At the time, Microsoft’s recommendation for anyone still using these OSs was to upgrade to their recent versions of desktop and server operating systems.
Unfortunately, many organizations are likely unable to implement this advice since legacy systems and applications often cannot be readily migrated due to business implications. In fact, market share data shows that around 5% of all organizations continue to use servers with operating systems long after their official end-of-support date.
Today, hundreds of thousands of servers continue to run with unsupported operating systems, hosting outdated and unpatched applications. In many cases, these systems support mission and business-critical processes which cannot be interrupted.
Microsoft’s core recommendation to any organization relying on this system is identical to the previous OSs: migrate (to Azure) or upgrade to the latest operating system.
For anyone managing an inherited legacy system tied into dozens of business-critical dependencies and custom applications, this advice will probably not be that useful.
This challenge is compounded by the fact that the expertise required to properly and securely configure Legacy OS is fading as professionals are trained on and become familiar with modern versions; Windows 2012 R2 was released over a decade ago.
Moving some of a legacy server’s functions into Azure, per Microsoft’s recommendation, is also a significant challenge. Aside from the security configuration risks and operational change that comes with cloud migration, the common causes of failure excluded from the Azure Service Level agreement may not give enough uptime assurance to make cloud migration feasible without increased costs.
The Security Problem This Creates Is Huge
CISA ranks relying on “unsupported (or end-of-life) software” as the number one security bad practice a company can do. This is not without reason.
Every legacy server inside your organization results in a stockpile of exploitable vulnerabilities, often right at the core of your business processes.
Windows Server 2012 / 2012 R2 has more than 400 exploitable vulnerabilities as of March 2024, and more are likely to be discovered in the future. Research from Rand Corporation shows that the average zero-day has a lifespan of around seven years and often much longer, putting organizations at risk of ever-increasing volumes of vulnerabilities with the potential for long-term exploitability.
Over the latter part of 2023, Morphisec saw over 40 distinct attack patterns targeting legacy operating systems. A growing number of these involve threat actors trying to deploy Cobalt Strike beacons as an attack stage, which is commonly used as part of ransomware deployment.
In this example, Cobalt Strike allows threat actors to stealthily establish persistence by malicious exploitation of run-time memory on endpoints such as a servers. The Legacy servers are more easily penetrated due to OS vulnerabilities, and then leverage for lateral movement and other attack phases. Because servers running Windows Legacy OS, like 2012 R2, keep presenting new memory vulnerabilities and lack security controls against memory compromise, they are a perfect target for this kind of compromise.
What To Do Instead
If you are still relying on Windows Server 2012 / 2012 R2 or other Legacy operating systems and cannot upgrade or migrate, you have two options.
Either pay Microsoft for an extended report package (which should last three years) or find a way to install a security solution that works with your Windows 2012 legacy servers.
Neither of these seems like a good option on the face of things.
Opt for extended support, and you will eventually find yourself navigating a repeating renewal cycle. This will also not solve the inherent challenge of Legacy operating systems running outdated and vulnerable applications.
Trying to make a modern EDR or EPP work with your legacy servers is also challenging. Firstly, the optimal operations of the solutions require the consumption of system resources (CPU/RAM) that are often unavailable on older systems. Modern endpoint protection solutions also rely on architectural visibility components that are either unavailable or exist partially on legacy systems. This includes Anti-Malware Scanning Interface (AMSI) and Event Tracing for Windows (ETW).
However, there is hope. Applying best practices is fundamental, including these essential steps that can help secure legacy systems:
-
Apply security patches where possible: Legacy systems are often vulnerable to cyber threats due to outdated software and business applications. IT professionals should strive to apply security patches whenever these are available, and whenever possible. If the manufacturer no longer provides updates, they may need to implement compensatory controls, such as patchless protection, to mitigate potential vulnerabilities.
-
Implement strong access controls: Limiting access to legacy systems can significantly reduce the risk of unauthorized access and data breaches. IT professionals should enforce strict access controls, including the use of strong authentication methods such as multi-factor authentication (MFA) and role-based access control (RBAC). Additionally, regular monitoring and auditing of user access can help identify any suspicious activities and potential security breaches.
-
Check network segmentation and firewalls: Legacy systems should be isolated from other parts of the network through network segmentation. By implementing firewalls and other network security measures, IT professionals can control and monitor the traffic to and from these systems, reducing the risk of unauthorized access and limiting the potential impact of a security breach on the overall network.
-
Apply compensatory controls and preventative technologies: Technologies like Automated Moving Target Detection (AMTD) can prevent unauthorized code from executing in legacy servers without relying on missing architectural visibility components, and with negligible performance impact. This can serve as a compensatory control and patchless protection against vulnerabilities. Organizations can extend the secure lifespan of Windows legacy servers by using solutions like AMTD that protect Windows legacy OS deterministically.
Securing legacy systems is an ongoing challenge and seems futile, however ensuring up-to-date best practices and proactive defenses are in place can mitigate the impact of legacy, unsupported systems.
About Michael Gorelik
Morphisec CTO Michael Gorelik leads the malware research operation and sets technology strategy. He has extensive experience in the software industry and leading diverse cybersecurity software development projects. Prior to Morphisec, Michael was VP of R&D at MotionLogic GmbH, and previously served in senior leadership positions at Deutsche Telekom Labs. Michael has extensive experience as a red teamer, reverse engineer, and contributor to the MITRE CVE database. He has worked extensively with the FBI and US Department of Homeland Security on countering global cybercrime. Michael is a noted speaker, having presented at multiple industry conferences, such as SANS, BSides, and RSA. Michael holds Bsc and Msc degrees from the Computer Science department at Ben-Gurion University, focusing on synchronization in different OS architectures. He also jointly holds seven patents in the IT space.
