End of Life for Microsoft Windows XP and Server 2003: Six-One or Up

Five months from now, Microsoft will stop supporting Windows XP. As Tim Rains points out, running Windows XP after this date will effectively be an open invitation for attack. XP will, in his words, be “zero day forever”.

As you know, Windows XP is the client version of Windows Server 2003, and includes much of the same code. Windows Server 2003 R2 was an incremental update that improved some security aspects, but it’s still the same code base. That will reach its end of life in July 2015, just over 18 months from now.

Why is this important? Simply put, XP and 2003 R2 are old. Security that was state of the art ten years ago is no longer good enough. It is too expensive, both for you and Microsoft, to stay on antiquated software.

While I am a vociferous supporter of “use what works” and “if it ain’t broke, don’t fix it”, I must add a qualifier: XP and 2003 are broken. Their internals are just not up to the challenge of modern attacks.

The same goes for perennial whipping-boy, SQL Server 2000. Up until two months ago, I was still actively supporting this product at one particular client, but my goal was to upgrade them as soon as possible. Notwithstanding the huge benefit in new features, upgrading to a newer version offers more modern attack mitigation.

I was affected by SQL Slammer in 2003, because I didn’t apply an earlier patch released by Microsoft. I vowed that would never happen again.

It’s time. It’s time to think seriously about security, to harden your defences, to upgrade your software.

If you’re on Windows XP, get on to Windows 7 or Windows 8. Windows 7 with Service Pack 1 is under mainstream support until 2015, and extended support until January 2020. Windows 8 and 8.1 (considered the same product for support purposes) will reach end of life in January 2018 (mainstream) and January 2023 (extended).

As for the Windows Server products, the minimum you should be running is Windows Server 2008 R2, which is on the same retirement timeline as Windows 7 SP1.

If it helps, I have this simple reminder: Six-One or Up. The Windows kernel had a major increment to version 6.0 with Vista and Server 2008, and 6.1 for Windows 7 and Server 2008 R2. In other words, version 6.1 is the lowest Windows kernel you should be running anywhere in your environment. If in doubt, type ver in any command prompt on a Windows machine. On this client, I see Microsoft Windows [Version 6.1.7601].
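To apply Six-One or Up across more than one machine, here is an added example (not part of the original post) that parses collected ver output and flags anything below 6.1. The host names, sample lines and function names are constructed for illustration, and it goes slightly beyond the post by also handling versions such as 10.0, which a plain string comparison would rank below 6.1.

```python
import re

# "Six-One or Up": the lowest acceptable Windows kernel version.
MINIMUM = (6, 1)

# Matches the bracketed part of `ver` output, e.g. "[Version 6.1.7601]".
# The label word is not anchored on because it can be localised.
VER_RE = re.compile(r"\[[^\]\d]*(\d+(?:\.\d+)+)\]")


def kernel_version(ver_output):
    """Return (major, minor) parsed from `ver` output, or None if absent."""
    match = VER_RE.search(ver_output)
    if match is None:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    return parts[0], parts[1]


def six_one_or_up(ver_output):
    """True/False for a parsed version, None when the line is unparseable."""
    version = kernel_version(ver_output)
    if version is None:
        return None
    # Tuple comparison is numeric per field, so (10, 0) > (6, 1).
    # Comparing the strings "10.0" and "6.1" would get this wrong.
    return version >= MINIMUM


def audit(inventory):
    """Map host -> 'ok' | 'upgrade' | 'unknown' from collected `ver` lines."""
    labels = {True: "ok", False: "upgrade", None: "unknown"}
    return {host: labels[six_one_or_up(line)] for host, line in inventory.items()}


# Constructed sample inventory (hypothetical host names).
SAMPLE = {
    "desk-01": "Microsoft Windows XP [Version 5.1.2600]",
    "srv-01": "Microsoft Windows [Version 5.2.3790]",
    "desk-02": "Microsoft Windows [Version 6.0.6002]",
    "desk-03": "Microsoft Windows [Version 6.1.7601]",
    "desk-04": "Microsoft Windows [Version 10.0.19045.3803]",
    "desk-05": "'ver' is not recognized",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as unknown returned no parseable version and should be checked by hand rather than assumed compliant.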

Goodbye, old friend

SQL Server 2000, I will miss you.

Two months ago, my last customer running on SQL Server 2000 took the plunge, and upgraded to SQL Server 2005.

Last night between 9pm and 1:30am this morning, I performed diagnostics on the new environment, and it only struck me today that I would not be supporting SQL Server 2000 for any of my existing customers again.

So long, old friend.

If you or anyone else around you is running SQL Server 2000, let me know. I can help them upgrade to SQL Server 2016. Microsoft no longer supports SQL Server 2000, and neither should you.

But if you’re scared, and your SQL Server 2000 instance needs a friend, I can still help. That’s why I back-ported the Duplicate Index Finder in the first place. I will look after it for as long as you need, before upgrading to a version that is still supported by Microsoft.