Microsoft Workloads on AWS

It’s end of support time again. Are your Microsoft Windows Servers secure?

With the upcoming end of support for Microsoft Windows Server 2012/2012 R2 on October 10, 2023, and the ongoing challenges faced by those on Windows Server 2008/2008 R2, many organizations find themselves in a delicate position. Transitioning away from these older versions isn’t always straightforward. Some organizations are running third-party software that is not yet supported on the latest operating systems. Others, especially those on Windows Server 2012, may simply require more time to strategize and plan for the transition, ensuring minimal disruptions to their operations.

Operating on an end-of-support system exposes organizations to myriad risks, particularly in the realm of security. When regular patching becomes a thing of the past, vulnerabilities can run rampant, jeopardizing the very core of business infrastructures.

In this blog post, I delve into these challenges. Drawing from insights and practical guidelines, I’ll share approaches to fortify legacy systems. My aim is to offer actionable methods that ensure these systems remain secure within your IT security infrastructure.

Why not just use Extended Security Updates (ESUs)?

This is a valid question, and the answer can be quite subjective. You may choose to purchase ESUs for eligible servers, specifically for Windows Server 2012/2012 R2, provided you have a Microsoft Enterprise Agreement and active Software Assurance. However, it’s essential to understand that these ESUs only cover critical and important security updates. Moreover, while ESUs might have been an option for Windows Server 2008/2008 R2, their support ended in January 2023.

While ESUs offer a temporary solution – akin to putting a band-aid on a larger issue – if they align with your long-term strategy for handling end-of-support systems and you have the necessary budget, ESUs might be beneficial. Still, not every organization can or is willing to invest in the often hefty ESU price tag. Additionally, ESUs don’t include new features nor do they address customer-requested non-security hotfixes or design change requests.

Forge ahead, not back: Embrace long-term strategies over quick fixes

The most ideal and favored course of action is to strategize and address legacy system challenges for the long haul. We recognize that for some, this might not be the most feasible route immediately. However, before resorting to any temporary or short-term workarounds, a long-term, sustainable solution should be thoroughly examined. This could include modernizing applications to leverage Windows containers or leveraging automation tools to facilitate seamless upgrades.

Partners in protection: AWS & You, fortifying the cloud together

The AWS Shared Responsibility Model becomes particularly relevant when addressing end-of-support Windows Server operating systems. Within this model, AWS is tasked with ensuring the security “of” the cloud—providing a robust, reliable, and compliant infrastructure. This includes physical hardware, server facilities, and networking components.

On the other hand, you remain responsible for the security “in” the cloud. In the context of end-of-support Windows Server operating systems, this means that while AWS delivers a secure foundation and a range of tools to help manage and mitigate risks, you must be vigilant in how you configure, deploy, and manage these legacy systems on the platform.

As these systems approach or surpass their end-of-support dates, the onus is on you to employ best practices, potentially combining AWS solutions with strategies like Extended Security Updates (ESUs), to ensure these outdated systems don’t become a vulnerability within your IT landscape.

Options to consider for safeguarding end-of-support Windows servers running in AWS

In this section, I’ll delve into a range of options available to you on AWS. These are specifically tailored for those running end-of-support Windows Server operating systems who either can’t use, aren’t willing to use, or are ineligible for ESUs. While these solutions won’t match the security of a fully-supported operating system, they can offer a valuable bridge, granting you additional time for transition.

Furthermore, for an enhanced level of protection, you could even consider combining these AWS strategies with Extended Security Updates (ESUs). This combination provides an extra layer of security and assurance. Adopting these strategies can also facilitate more informed and constructive dialogues with compliance and cybersecurity teams, ensuring a holistic approach to maintaining security standards.

These are the key areas I will cover in this section:

    1. Isolate the servers
    2. Minimize exposure
    3. Use antivirus software
    4. Regularly monitor logs
    5. Maintain backups
    6. Minimize user rights

1. Isolate the servers

Isolating servers that have reached or are approaching their end-of-support is a strategic move that can significantly enhance your security posture. By segregating these servers from the rest of the network, potential vulnerabilities inherent in outdated systems are confined, reducing the risk of a wider system breach. Such isolation not only acts as a protective barrier against potential threats but also offers peace of mind, ensuring that these legacy servers don’t become the weak link in your IT infrastructure.

Below are several ways you could approach server isolation in the AWS cloud:

2. Minimize exposure

Minimizing exposure is a critical strategy when dealing with end-of-support operating systems. By reducing the direct access and interaction such systems have with the broader network and the outside world, you can curtail potential vulnerabilities and threats. Essentially, even though these older systems may inherently carry risks, limiting their exposure can act as a shield, preventing possible breaches from escalating or infiltrating more secure and updated parts of an IT infrastructure.

Below are several ways you could approach minimizing server exposure in the AWS Cloud:

  • Use a load balancer or reverse proxy: Place the end-of-support server behind an AWS Elastic Load Balancer or a reverse proxy running on a supported operating system. The Load Balancer can handle the public traffic, only forwarding legitimate requests to the server.
  • Implement AWS WAF (Web Application Firewall): AWS WAF can be configured to filter, monitor, and block malicious HTTP/S requests targeted at your web applications.
  • Implement a Content Delivery Network (CDN): Use Amazon CloudFront as a CDN, which can cache content closer to the user, thus minimizing direct exposure of the server to the Internet.
  • Implement a DMZ (De-Militarized Zone): Create a DMZ with subnets that are exposed to the Internet and subnets that are not. Place the server in the non-exposed subnet, using intermediary systems to filter and forward traffic.
  • Use NAT Gateways: Provide your workloads with Internet access without directly exposing them to the public Internet, ensuring tasks like downloading Windows updates are secure.
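The isolation and exposure guidance in sections 1 and 2 comes down to what the instance's security group actually admits. The following added example (not code from the post or from AWS) audits a security group's inbound rules: it flags anything open to the Internet and any Windows management or file-sharing port reachable from outside a designated admin network. It assumes the rules are in the shape `aws ec2 describe-security-groups` returns under IpPermissions; the sample rules are constructed.

```python
"""Audit the inbound rules of a security group that fronts an isolated,
end-of-support Windows host (added example, not from the post).
Assumption: rules are in the shape `aws ec2 describe-security-groups`
returns under IpPermissions; the sample below is constructed."""
import ipaddress

# Windows management and file-sharing ports that should never be reachable
# from the Internet, or from anywhere but an admin/bastion network, on an
# unpatched host. Port numbers are the standard ones; the policy is ours.
SENSITIVE_PORTS = {135: "RPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP",
                   5985: "WinRM", 5986: "WinRM-HTTPS"}

def _port_range(perm):
    """Inclusive port range covered by one IpPermission entry."""
    if perm.get("IpProtocol") == "-1":        # "all traffic" rule
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)

def audit_inbound(permissions, admin_cidrs):
    """Return human-readable findings. admin_cidrs lists the networks (a
    bastion or management subnet) from which management ports are acceptable."""
    allowed = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = []
    for perm in permissions:
        lo, hi = _port_range(perm)
        exposed = [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                  [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            net = ipaddress.ip_network(src)
            if net.prefixlen == 0:            # 0.0.0.0/0 or ::/0
                findings.append(f"{src}: open to the Internet on ports {lo}-{hi}")
            elif exposed and not any(net.subnet_of(a) for a in allowed
                                     if a.version == net.version):
                findings.append(f"{src}: {', '.join(exposed)} reachable from "
                                "outside the admin networks")
    return findings

# Constructed sample: RDP open to the world, SMB from the whole corporate
# range, HTTPS only from the load balancer subnet, WinRM only from the bastion.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 5985, "ToPort": 5986,
     "IpRanges": [{"CidrIp": "10.0.100.0/24"}]},
]
ADMIN_CIDRS = ["10.0.100.0/24"]

if __name__ == "__main__":
    for line in audit_inbound(SAMPLE_RULES, ADMIN_CIDRS):
        print(line)
```

Run against real output by loading the `IpPermissions` list of the group in question; the HTTPS rule from the load balancer subnet passes, which is the pattern the bullets above recommend.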

3. Use antivirus software

For Windows Server systems that have already reached their end-of-support milestone, security vulnerabilities multiply, making them ripe targets for malicious actors. In such scenarios, the role of antivirus software becomes not just beneficial but essential. While these servers no longer receive official patches and updates from Microsoft, a robust antivirus solution can act as a vital line of defence, identifying and neutralizing threats that seek to exploit the outdated nature of these systems. Regularly updating the antivirus database with the latest definitions ensures that even the most recent strains of malware are detected and dealt with.

Here are multiple strategies to implement antivirus measures on end-of-support Windows Servers. While these methods aren’t exclusive to systems operating on AWS, they’re certainly viable options to consider:

  • Choose a compatible antivirus solution: Not all antivirus products may be compatible with an older, end-of-support Windows Server version. Research and find a solution that fits the specific operating system version you are running.
  • Schedule regular scans: Set the antivirus software to perform regular full system scans. Depending on the criticality of the server, this could be daily, weekly, or another appropriate interval.
  • Enable real-time protection: Most antivirus solutions offer real-time protection that monitors file access and operations continuously. This should generally be enabled to catch threats as they occur.
  • Keep definitions updated: Even though the operating system itself won’t receive updates, antivirus definitions (the database that the software uses to recognize threats) must be kept current. This may require manual intervention if automatic updates are not supported for your operating system version.
  • Monitor alerts and reports: Configure alerts for any detections, and regularly review reports to ensure that the system is clean and to identify any emerging threat patterns.
  • Consult the AWS Marketplace: AWS Marketplace has various security solutions, including antivirus software, that are designed to integrate with AWS services. This might make management and deployment easier within the AWS ecosystem.

4. Regularly monitor logs

In the landscape of end-of-support Windows Servers, vigilance becomes a cornerstone of maintaining security. One of the most pivotal practices in this regard is the regular monitoring of server logs. These logs often hold the initial signs of any unusual activity or potential breach. By staying on top of these records, you can catch discrepancies or threats at their nascent stages, allowing for timely intervention.

Nipping problems in the bud is vital; early detection can be the difference between a minor hiccup and a major system compromise. Especially with legacy systems that lack the most recent patches and updates, proactive log monitoring serves as a crucial layer of defence, helping prevent minor issues from snowballing into larger, more complex challenges.

Below are several ways you could approach the monitoring of logs:

  • Use Amazon CloudWatch Logs: Amazon CloudWatch can collect and monitor logs from your Amazon Elastic Compute Cloud (Amazon EC2) instances, applications, and other AWS resources. You can set up custom alarms and alerts for suspicious patterns.
  • Implement third-party log analysis tools: There are many third-party solutions available for advanced log analysis. Some can integrate directly with AWS services and provide real-time monitoring, anomaly detection, and automated responses. Splunk is one such example of this.
  • Collect operating system and application logs: Ensure that your Windows Server’s system, security, and application logs are properly configured and monitored. These can provide insights into unauthorized access attempts, changes to user privileges, etc.
  • Set Up Amazon GuardDuty: Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behaviour such as malware. It uses data from AWS CloudTrail, VPC Flow Logs, and DNS Logs to identify unexpected and potentially unauthorized activities.
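Collecting the Windows Security log is only useful if something looks at it. The following added example (not from the post) runs three detections that matter on an unpatched server over shipped Security events: a burst of failed logons (event 4625) from one source, a logon granted special privileges (4672) by an account not expected to have them, and a member added to a privileged group (4728/4732). It assumes the events were already parsed by a log agent into dicts with `EventID`, `TimeCreated` in epoch seconds and the relevant message fields; the sample events are constructed.

```python
"""Simple detections over Windows Security event records from an
end-of-support server (added example, not from the post). Assumption: the
events were shipped by a log agent and parsed into dicts with EventID,
TimeCreated (epoch seconds) and the relevant message fields; the sample below
is constructed."""
from collections import defaultdict

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}
FAILED_LOGON_THRESHOLD = 5      # 4625 failures from one source address ...
FAILED_LOGON_WINDOW = 60        # ... within this many seconds

def detect(events, expected_admins):
    """Return (alert_type, subject) pairs, in time order.
    expected_admins: accounts for which a 4672 (special privileges assigned)
    logon is normal, e.g. SYSTEM and the backup service account."""
    alerts = []
    failures = defaultdict(list)            # source IP -> recent 4625 times
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        eid, now = e["EventID"], e["TimeCreated"]
        if eid == 4625:                      # failed logon
            recent = failures[e["IpAddress"]]
            recent.append(now)
            while recent and recent[0] < now - FAILED_LOGON_WINDOW:
                recent.pop(0)                # slide the window forward
            if len(recent) == FAILED_LOGON_THRESHOLD:   # alert once on crossing
                alerts.append(("brute-force", e["IpAddress"]))
        elif eid in (4728, 4732) and e["GroupName"] in PRIVILEGED_GROUPS:
            # member added to a security-enabled global (4728) or local (4732) group
            alerts.append(("privileged-group-change",
                           f'{e["MemberName"]} -> {e["GroupName"]}'))
        elif eid == 4672 and e["SubjectUserName"] not in expected_admins:
            alerts.append(("unexpected-privileged-logon", e["SubjectUserName"]))
    return alerts

# Constructed sample: six failed logons from one address, a privileged
# logon by an unexpected user, and that user being added to Administrators.
SAMPLE_EVENTS = (
    [{"EventID": 4672, "TimeCreated": 900, "SubjectUserName": "SYSTEM"}]
    + [{"EventID": 4625, "TimeCreated": 1000 + 10 * i, "IpAddress": "203.0.113.7",
        "TargetUserName": "administrator"} for i in range(6)]
    + [{"EventID": 4625, "TimeCreated": 1005, "IpAddress": "10.0.100.5",
        "TargetUserName": "jdoe"},
       {"EventID": 4624, "TimeCreated": 1060, "IpAddress": "10.0.100.5",
        "TargetUserName": "jdoe"},
       {"EventID": 4672, "TimeCreated": 1100, "SubjectUserName": "jdoe"},
       {"EventID": 4732, "TimeCreated": 1110, "MemberName": "CONTOSO\\jdoe",
        "GroupName": "Administrators"}]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, {"SYSTEM", "svc-backup"}):
        print(alert)
```

The same rules translate directly into CloudWatch Logs metric filters and alarms once the agent ships the Security log; the threshold and window are tuning knobs, not fixed values.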

5. Maintain backups

As these systems no longer receive official security patches and updates from Microsoft, they become increasingly susceptible to vulnerabilities, risks, and potential breaches. It’s not just about backing up data, but ensuring that it’s done systematically and frequently. Such proactive backup strategies not only safeguard an organization’s essential data but also provide a foundational layer of resilience against unforeseen challenges associated with end-of-support systems.

  • Use Amazon Elastic Block Store (EBS) snapshots: Amazon EBS snapshots capture the entire state of your EBS volumes, encompassing both the operating system and the associated data. These snapshots offer a point-in-time representation of your entire volume. This comprehensive backup ensures that, when used to create new volumes, both the system state and all the stored data remain intact and consistent.
  • Implement AWS Backup: AWS Backup is a fully managed backup service that makes it easy to centralize and automate the backup of data across AWS services. You can create custom backup policies and retention rules. A Windows VSS backup using AWS Backup could be a great option.
  • Utilize Amazon Simple Storage Service (Amazon S3): Amazon S3 can be used to store backups of your data.
  • Utilize third-party backup solutions: There are a number of third-party backup solutions in the AWS Marketplace that might offer specific features tailored to your needs, such as integration with particular applications or compliance with specific regulations.

6. Minimize user rights

Minimizing user rights is a cornerstone of IT security, ensuring that only essential accounts possess access, and even then, with the bare minimum permissions required for their tasks. While this principle is a best practice for all servers, its significance is magnified when dealing with end-of-support servers.

These servers, bereft of regular security updates, become prime targets for potential threats. Thus, limiting access to indispensable accounts and rigorously curating their permissions is vital. Such accounts should be stripped of any unnecessary privileges, especially those that don’t align with their designated tasks.

Regular audits can help identify and rectify any excessive privileges or inactive accounts. In essence, for end-of-support servers, stringent user rights management isn’t just best practice; it’s a critical protective measure against heightened vulnerabilities.

Here are some measures to enhance the security of your end-of-support systems:

  • Implement least privilege for applications and services: Not only user accounts but also applications and services running on the server should operate with the least privilege necessary. Run services with non-administrative accounts when possible.
  • Use Role-Based Access Control (RBAC): Define roles within Windows Server that map to specific job functions and assign users to these roles. Avoid using built-in administrative accounts for daily operations.
  • Implement Active Directory Group Policies: Utilize Group Policy within Active Directory (if applicable) to centrally manage and enforce user rights and restrictions.
  • Remove unnecessary accounts: Periodically review and remove or disable unnecessary accounts, including default accounts that may be included in a Windows Server installation.
  • Utilize Windows logging and auditing: Enable detailed logging and auditing within Windows to detect and respond to unauthorized access attempts or privilege escalations.
  • Integrate with AWS Systems Manager: Consider using AWS Systems Manager to automate and centrally manage Windows Server configurations, including user rights.
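The audit the bullets above call for is mechanical once the server's account and service inventory has been exported. The following added example (not from the post) checks that inventory for the three conditions the list names: built-in accounts still enabled, accounts that have not logged on in more than 90 days, and services running under an account that sits in a privileged group. It assumes the inventory was exported into the simple structure shown (local or domain accounts with group memberships and days since last logon, plus services with their run-as accounts); the sample data is constructed.

```python
"""Least-privilege audit of a Windows Server account inventory (added example,
not from the post). Assumption: the inventory (accounts with group
memberships and days since last logon, plus services and their run-as
accounts) has been exported into the structure shown; the sample below is
constructed."""
STALE_DAYS = 90
DEFAULT_ACCOUNTS = {"Administrator", "Guest", "DefaultAccount"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Backup Operators"}

def audit(accounts, services):
    """accounts: dicts with name, enabled, groups, last_logon_days (None if never)
    services: dicts with name, run_as.  Returns (finding_code, subject) pairs."""
    findings = []
    admins = set()
    for acct in accounts:
        if PRIVILEGED_GROUPS & set(acct["groups"]):
            admins.add(acct["name"])
        if not acct["enabled"]:
            continue                  # disabled accounts carry no logon risk
        if acct["name"] in DEFAULT_ACCOUNTS:
            findings.append(("default-account-enabled", acct["name"]))
        days = acct["last_logon_days"]
        if days is None or days > STALE_DAYS:
            findings.append(("stale-account", acct["name"]))
    for svc in services:
        # strip a DOMAIN\ or .\ prefix so the name matches the inventory
        run_as = svc["run_as"].split("\\")[-1]
        if run_as in admins:
            findings.append(("service-runs-as-admin", f'{svc["name"]} ({svc["run_as"]})'))
    return findings

# Constructed sample: built-in Administrator still enabled, a stale vendor
# account, and a legacy agent running under a domain admin's own account.
SAMPLE_ACCOUNTS = [
    {"name": "Administrator", "enabled": True, "groups": ["Administrators"], "last_logon_days": 3},
    {"name": "Guest", "enabled": False, "groups": ["Guests"], "last_logon_days": None},
    {"name": "jdoe", "enabled": True, "groups": ["Users", "Domain Admins"], "last_logon_days": 1},
    {"name": "vendor-old", "enabled": True, "groups": ["Users"], "last_logon_days": 210},
    {"name": "svc-app", "enabled": True, "groups": ["Users"], "last_logon_days": 1},
]
SAMPLE_SERVICES = [
    {"name": "AppService", "run_as": ".\\svc-app"},
    {"name": "LegacyAgent", "run_as": "CONTOSO\\jdoe"},
    {"name": "Spooler", "run_as": "LocalSystem"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS, SAMPLE_SERVICES):
        print(finding)
```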

Conclusion

Navigating the challenges of managing end-of-support Windows Servers is no trivial task, and the upcoming cessation of support for versions like Windows Server 2012/2012 R2 underscores the urgency of this matter. The strategies I’ve highlighted throughout this blog post are designed to offer interim protective measures, acting as bridges to more permanent solutions.

Remember, while these strategies can offer a valuable layer of defence, they’re never a true substitute for the security of a supported operating system. Moreover, these are suggestions meant to catalyse thought and inspire tailored solutions, rather than ironclad rules.

As organizations consider these pathways, they should do so with an innovative spirit and an eye toward the ultimate aim of transitioning to modern, supported systems. The journey through legacy systems might be fraught with challenges, but with the right tools, knowledge, and strategic planning, businesses can safeguard their IT landscape and set a strong foundation for the future.

To read more on the Windows Server end of support topic, read our eBook or explore other blog posts in the Microsoft Windows on AWS channel:

  1. Know your AWS options for Microsoft Windows Server 2012 End of Support
  2. How to manually upgrade Microsoft Windows Server 2012 on AWS
  3. How to automate your Microsoft Windows Server upgrades using AWS Systems Manager
  4. How to upgrade and modernize Microsoft Windows Server 2012 with Windows containers on AWS
  5. How to upgrade Microsoft Windows Server 2012 with AWS Application Migration Service

AWS has significantly more services, and more features within those services, than any other cloud provider, making it faster, easier, and more cost effective to move your existing applications to the cloud and build nearly anything you can imagine. Give your Microsoft applications the infrastructure they need to drive the business outcomes you want. Visit our .NET on AWS and AWS Database blogs for additional guidance and options for your Microsoft workloads. Contact us to start your migration and modernization journey today.

Ben Groeneveld

Ben is a Microsoft Specialist Solutions Architect based in the bustling city of Singapore. Originally from Australia, Ben has ~20 years of IT experience across diverse industries such as mining, oil & gas, and financial services. Having lived in Asia for 11+ years, he brings a unique blend of technical expertise and cultural understanding to his work. As an IT infrastructure generalist, Ben enjoys guiding customers through their cloud migration journey and ensures they smoothly run and optimize both their new and existing workloads on AWS.