Agencies still depending on Windows Server 2003 will be looking at steep costs if they buy into a Microsoft Custom Support Agreement to cover updates to the software that will no longer be supported after July 14, 2015.
Agencies still depending on Windows Server 2003 will be looking at steep costs if they buy into a Microsoft Custom Support Agreement (CSA) to cover updates to the software that will no longer be supported after July 14, 2015.
According to licensing expert Paul DeGroot, a senior consultant with Software Licensing Advisors Inc. and owner of Pica Communications, CSA costs are calculated based on the number of devices under support. In the first year, the per-device cost will be approximately the same as the price of the original Windows Server 2003 license, or around $600 to $700 per license for the Standard edition. In the next year, that price will double. In the third year, Microsoft doubles the second-year price. If an organization started the first year of a CSA paying $600 per device, then it will be paying $2,400 per device by the third year, according to DeGroot's calculations, which used 2014 pricing information.
In the webcast, DeGroot explained that the $600 per license price was based on a customer's experience. Exactly what Microsoft actually charges for CSAs isn't generally known, since the company doesn't explain its CSAs publicly in great detail.
CSAs are agreements that organizations establish with Microsoft via its Premier Support services at the end of a product's lifecycle. Microsoft's enterprise software has two product-lifecycle support phases of five years each, which are known as "mainstream support" and "extended support." When extended support ends, the software is considered to be "unsupported." It means that no security patches for the software will be arriving from Microsoft. The exception to this rule is the CSA, which DeGroot described as an "expensive" option for organizations.
DeGroot had suggestions for IT managers facing a CSA:
- Upgrade servers with .NET apps first.
- Don’t use Windows Server 2003 consoles as general purpose PCs because 85 percent of all Critical security updates issued in 2010 were released in response to attacks facilitated by the console users doing something, such as opening a file.
- Turn off unnecessary services such as Telnet that can expose the server to potential attacks.
- Try negotiating with Microsoft. Use a list of past Critical updates and talk to Microsoft about whether the CSA will be cost effective.
- Defer buying into a CSA immediately as a CSA can always be purchased later. It's based on the number of devices, so when it's purchased later an organization's costs may have gone down. However, a CSA is "not retroactive," so an organization can't buy it and expect to get a hotfix that was previously released.
- Consider "Custom Support Essentials." It's about one third the cost of a CSA. DeGroot said that organizations can ask Microsoft about a Custom Support Essentials Agreement but the company doesn't advertise it.
- Cross your fingers. If people take chances without signing up for a CSA, it could affect CSA pricing. DeGroot noted that seemed to have been the case with Windows XP's end of support, which had high CSA costs initially.
NEXT STORY: After FedRAMP: Trust, but verify