As Microsoft support winds down, security risks ratchet up
- By Kurt Mackie
- Jan 05, 2016
When it comes to security, government IT managers do their best to balance risk and cost. In 2016 that balance will be harder to maintain when “extended support” for some Microsoft products ends.
Security risks will increase when Microsoft stops issuing security patches some older Internet Explorer browser versions, as well as some .NET Framework 4 versions. In April of this year, SQL Server 2005 also will lose extended support.
The products won't get any future hotfixes, although agencies can buy "Custom Support" contracts. That's a potentially costly option, though, with costs going up after the first year, but for some agencies, it’s worth the cost.
In April 2015, for example, the Army issued a request for information seeking a company that would provide security updates for Windows XP (which lost support in April 2014), while the Army worked to migrate off the outdated operating system.
Similarly, the Space and Naval Warfare Systems Command awarded Microsoft a $9.1 million contract in June 2015 to continue support for 100,000 workstations still running XP, Office 2003, Exchange 2003 and Server 2003. The contract is to run through July 12, 2016, but includes options that, if exercised, would continue support until June 2017 and bring the total tab to $30.8 million.
Internet Explorer's loss of extended support happens on Jan. 12, 2016. That's an accelerated deadline. Previously, IE browsers had product support lifecycles that were tied to the underlying Windows product lifecycles. With Microsoft's revised policy announced more than a year ago, organizations must upgrade to the most current IE version per supported Windows version by the Jan. 12, 2016 deadline.
In essence, the new IE policy means most organizations will need to be running IE 11 by the Jan. 12 deadline. However, there's an exception for the few organizations running Windows Vista Service Pack 2, which can continue to run the IE 9 browser since it's the most current IE browser for that Windows product.
Agencies that must support custom web apps may have migration problems. They can try Microsoft's recently updated Enterprise Mode for Internet Explorer tools, which provides a means of emulating older IE technologies using an IE 11 browser. Alternatively, there's more granular support for browser compatibilities issues in the solutions offered by Browsium Inc.
IE 11 is currently the most used Internet Explorer version, according to general December web polling by Net Applications. Those results showed IE 11 use at 25.6 percent, followed by IE 10 use at 4 percent and IE 9 use at 6.7 percent. IE 8 is still used by 9 percent, according to those stats.
.NET Framework 4
Microsoft has also specified a Jan. 12, 2016, end of extended support deadline for some .NET Framework 4 versions. After that date, .NET Framework 4, 4.5 and 4.5.1 will cease getting hotfixes and security updates.
This deadline, part of a new policy announced in August 2014, may be easier to meet since agencies can install .NET Framework 4.5.2 or higher versions and continue to stay supported. The .NET versions from 4.5.2 are described by Microsoft as "in-place" upgrades, which make the process a bit easier. An in-place upgrade doesn't require that the earlier .NET Framework version be uninstalled.
Microsoft carved out an exception for .NET Framework 3.5 Service Pack 1. Its lifecycle is still based on Microsoft's old policy. That is, the product lifecycle of .NET Framework 3.5 Service Pack 1 is still based the underlying Windows product lifecycle and will lose extended support at the same time that Windows does.
SQL Server 2005
The end of extended support for SQL Server 2005 is scheduled for April 12, 2016. It takes several months to plan and execute a SQL Server migration, according to Microsoft.
Microsoft's technical upgrade guide (PDF) suggests that it's possible to perform an in-place upgrade from SQL Server 2005 to SQL Server 2014. The exception is a move from 32-bit SQL Server 2005 to 64-bit SQL Server 2014, where an in-place upgrade can't be performed.
This story originally appeared on Redmondmag, a sister site to GCN.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.