Millions still running the risk with Windows Server 2003

More than 600,000 web-facing computers — which host millions of websites — are still running Windows Server 2003, despite it no longer being supported.

The number of web-facing computers running Windows Server 2003 has been on a gradual decline since its peak usage in 2011, but many servers are still using it. Mainstream support for Windows Server 2003 ended in July 2010.

Extended support for Windows Server 2003 ended on July 14, 2015. Crucially, this means that Microsoft will no longer be issuing security updates for any version of Windows Server 2003. US-CERT warns that these unsupported installations of Windows Server 2003 are exposed to an elevated risk of cybersecurity dangers, such as malicious attacks or electronic data loss.

Windows Server 2003 was originally launched over 12 years ago, with the latest major update being released 8 years ago in the form of Service Pack 2. This update was particularly beneficial for web servers, as it added the Scalable Networking Pack (SNP), which allowed for hardware acceleration of network packet processing.

Fifth of the internet still running Windows Server 2003

Netcraft's July 2015 Web Server Survey found 175 million websites that are served directly from Windows Server 2003 computers. These account for more than a fifth of all websites in the survey, making the potential attack surface huge.

Most of these sites (73%) are served by Microsoft Internet Information Services 6.0, which is the version of IIS that shipped with Windows Server 2003 and the 64-bit edition of Windows XP Professional; however, it is rare to see the latter being used as a web server platform.

The remaining Windows Server 2003-powered sites use a variety of web server software, with GSHD 3.0, Safedog 4.0.0, Apache 2.2.8 (Win32), kangle 3.4.8, NetBox Version 2.8 Build 4128 and nginx/1.0.13-win32 being amongst the most commonly seen Server headers. While vulnerabilities in these software products can be addressed by applying patches or updates, future vulnerabilities in the underlying Windows Server 2003 operating system may never be fixed.

14 million of the sites did not send a Server header at all, so it was not apparent whether the web server software used by these sites could be updated, but the underlying computers could still be identified as running Windows Server 2003. Netcraft determines the operating system of a remote web server by analysing the low-level TCP/IP characteristics of response packets, and so it is independent of whichever server software the site claims to be running.

Backend servers might also be exploitable

In addition to the 175 million websites that are served directly from Windows Server 2003 computers, a further 1.7 million sites served from other operating systems sent the Microsoft-IIS/6.0 Server header. This indicates the presence of backend Windows Server 2003 machines behind load balancers and similar devices that are not running Windows.

For example, if the TCP/IP characteristics of a web server's response indicate that it is running Linux, but the HTTP Server header reports it is using Microsoft-IIS/6.0, then the Linux machine is likely to be acting as a reverse proxy to a Windows Server 2003 machine running IIS 6.0. Although the Windows Server 2003 machine is not directly exposed to the internet, the proxy still forwards HTTP requests to it, so it may still be possible for a remote attacker to exploit certain Windows and IIS vulnerabilities that are triggered by request content.
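The two checks described above (identifying the operating system from the TCP/IP characteristics of the response, independently of the Server header, and then spotting an IIS 6.0 banner coming from a non-Windows stack) can be reproduced in miniature. The following is an added example and not Netcraft's code: it parses a raw IPv4/TCP SYN+ACK, extracts the fields that p0f-style passive fingerprinting relies on (observed TTL, DF bit, advertised window, TCP option layout), matches them against a two-entry signature table, and combines the verdict with the Server header. The signature values and the sample packets are constructed approximations for illustration, not Netcraft's signature database or real captures.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Illustrative SYN+ACK signatures in the style of passive fingerprinting
# tools such as p0f: (initial TTL, advertised window, option layout).
# Constructed approximations for this example, not Netcraft's signatures.
WIN2003 = "Windows 2000/XP/2003 family"
SIGNATURES = {
    WIN2003:     (128, 16384, ("MSS", "NOP", "NOP", "SACK")),
    "Linux 2.6": (64, 5792, ("MSS", "SACK", "TS", "NOP", "WS")),
}
OPTION_NAMES = {2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}


@dataclass(frozen=True)
class Fingerprint:
    ttl: int                   # TTL as observed, i.e. after the hops en route
    df: bool                   # IP "don't fragment" bit
    window: int                # TCP window advertised in the SYN+ACK
    options: Tuple[str, ...]   # TCP option kinds in wire order


def parse_syn_ack(pkt: bytes) -> Fingerprint:
    """Extract the fingerprint fields from a raw IPv4 + TCP SYN+ACK."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x12:
        raise ValueError("not a SYN+ACK")
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, names, i = tcp[20:data_off], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end-of-options / padding
            break
        if kind == 1:                       # NOP carries no length byte
            names.append("NOP")
            i += 1
            continue
        if i + 1 >= len(opts):              # truncated option: stop cleanly
            break
        names.append(OPTION_NAMES.get(kind, f"OPT{kind}"))
        i += max(opts[i + 1], 2)            # length covers kind+len; never loop on 0
    return Fingerprint(ttl, bool(flags_frag & 0x4000), window, tuple(names))


def guess_os(fp: Fingerprint) -> str:
    """Match against the table; the initial TTL is the smallest common start value >= observed."""
    initial_ttl = next(t for t in (64, 128, 255) if t >= fp.ttl)
    for name, (ittl, window, options) in SIGNATURES.items():
        if (ittl, window, options) == (initial_ttl, fp.window, fp.options):
            return name
    return "unknown"


def cross_check(pkt: bytes, server_header: Optional[str]) -> str:
    """Combine the TCP/IP verdict with the optional, untrusted HTTP Server header."""
    os_guess = guess_os(parse_syn_ack(pkt))
    claims_iis6 = (server_header or "").strip().lower().startswith("microsoft-iis/6.0")
    if os_guess == WIN2003:
        # The stack itself answers as Windows 2003; the banner is irrelevant,
        # which also covers sites that send no Server header at all.
        return "windows-2003-direct"
    if claims_iis6 and os_guess != "unknown":
        # A non-Windows stack returning an IIS 6.0 banner: a front end
        # (reverse proxy, load balancer) in front of a Windows 2003 back end.
        return "iis6-behind-non-windows-front-end"
    if claims_iis6:
        return "iis6-front-end-os-unknown"
    return "no-iis6-evidence"


# --- constructed sample packets (not real captures) ------------------------
def build_syn_ack(ttl: int, df: bool, window: int, options: bytes) -> bytes:
    options += b"\x00" * (-len(options) % 4)           # pad to a 32-bit boundary
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1000, 2000,
                      (tcp_len // 4) << 4, 0x12, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


WIN_OPTS = b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02"                  # MSS, NOP, NOP, SACK
LINUX_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8
              + b"\x01" + b"\x03\x03\x07")                                    # MSS, SACK, TS, NOP, WS
WIN_PKT = build_syn_ack(ttl=118, df=True, window=16384, options=WIN_OPTS)     # 10 hops from 128
LINUX_PKT = build_syn_ack(ttl=54, df=True, window=5792, options=LINUX_OPTS)   # 10 hops from 64

if __name__ == "__main__":
    for label, pkt, hdr in (("direct", WIN_PKT, "Microsoft-IIS/6.0"),
                            ("no header", WIN_PKT, None),
                            ("proxied", LINUX_PKT, "Microsoft-IIS/6.0"),
                            ("linux apache", LINUX_PKT, "Apache/2.4.7 (Ubuntu)")):
        print(f"{label:13s} {guess_os(parse_syn_ack(pkt)):28s} -> {cross_check(pkt, hdr)}")
```

The point of the split verdicts is that the Server header is attacker- and operator-controlled text, while the TTL, window and option layout come from the kernel that actually built the packet; a real survey would use a far larger signature set, but the cross-check logic is the same.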

How many Windows Server 2003 installations are exposed to the web?

Netcraft has developed a technique for identifying the number of unique computers that act as web servers on the internet. The 175 million sites that use Windows Server 2003 make use of 1.6 million distinct IP addresses. However, an individual computer running Windows Server 2003 may have multiple IP addresses, which makes this an unsuitable metric for determining how many installations there are.

Further analysis of the low-level TCP/IP characteristics reveals a total of 609,000 web-facing computers running Windows Server 2003. This is over 10% of all web-facing computers, and shows the true potential cost of migration, as software licensing is typically charged on a per-machine rather than per-IP address basis.

Who's still using Windows Server 2003?

China and the United States account for 55% of the world's Windows Server 2003 computers (169,000 in China and 166,000 in the US), yet only 43% of all other web-facing computers.

Within China, more than 24,000 of these computers are hosted by Alibaba Group. Nearly half of these are hosted by HiChina, which was acquired by Alibaba in 2009, while 7,500 are hosted at its rapidly growing cloud hosting unit, Aliyun.

Aliyun still allows its customers to create Windows Server 2003 virtual machines.

One of the most prominent companies still using Windows Server 2003 on the internet is LivePerson, which is best known for the live chat software that allows its customers to talk to their visitors in real time. Its main site at www.liveperson.com uses Microsoft IIS 6.0 on Windows Server 2003, and several other sites related to its live chat functionality, such as sales.liveperson.net, also appear to use IIS 6.0 on Server 2003, but are served via F5 BIG-IP web-facing devices.

Even some banks are still using Windows Server 2003 and IIS 6.0 on their main sites, with the most popular ones including Natwest, ANZ, and Grupo Bancolombia. These sites rank amongst the top 10,000 in the world, and hundreds of other banking sites also appear to be using Windows Server 2003.

ING Direct and Caisse d'Epargne are also using IIS 6.0, but these sites appear to be served through F5 BIG-IP or similar devices, rather than having Windows Server 2003 machines exposed directly to the internet. Even some security and antivirus software vendors are still running IIS 6.0 on public-facing sites, including Panda Security and eScan.

While Microsoft does not officially offer any support beyond the extended support period ("Once a product transitions out of support, no further support will be provided for the product"), reports suggest that some companies who have not migrated in time have arranged to pay millions of dollars for custom support deals.

PCI compliance: Automatic failure

Companies still using unsupported operating systems like Windows Server 2003 in a cardholder data environment should migrate immediately. All organisations and merchants who accept, transmit or store cardholder data must maintain a secure PCI compliant environment.

The Payment Card Industry Data Security Standard (PCI DSS) provides a baseline of technical and operational requirements designed to protect cardholder data and sensitive authentication data. PCI DSS Requirement 6.2 requires all system components and software to be protected from known vulnerabilities by installing vendor-supplied security patches. This will not be possible with Windows Server 2003, as no more security updates will be made available by Microsoft.

Additionally, merchants and service providers who handle a large enough volume of cardholder data must have quarterly security scans by a PCI SSC Approved Scanning Vendor (such as Netcraft) in order to maintain compliance. ASVs are required to record an automatic failure if the merchant's cardholder data environment uses an operating system that is no longer supported.

In some cases, PCI DSS allows risks to be mitigated through the implementation of suitable compensating controls, but these are unlikely to be sufficient for an unsupported web-facing operating system, especially one which will become less secure as time goes by, as new vulnerabilities are discovered and go unpatched.

Consequently, many merchants still using Windows Server 2003 are likely to be noncompliant, and could face fines, increased transaction fees, reputational damage, or other potentially disastrous penalties such as cancelled accounts.

Microsoft advises that any datacenter still using Windows Server 2003 needs to protect its infrastructure by planning and executing a migration strategy. Some possible options suggested by Microsoft include switching to Windows Server 2012 R2, Microsoft Azure or Office 365. To help customers migrate, Microsoft has provided an interactive Windows Server 2003 Migration Planning Assistant, which, incidentally, is hosted on Microsoft Azure.

Finding out more

Netcraft's techniques provide an independent view with a consistent methodology on the number of web-facing computers at each hosting location worldwide. For more information, see our Hosting Provider Server Count, or contact us at sales@netcraft.com for bespoke datasets.

For more information about Netcraft's Automated Vulnerability Scanning for PCI Compliance, please contact us at security-sales@netcraft.com.

Most Reliable Hosting Company Sites in July 2015

Rank  Company                   OS                   Outage (hh:mm:ss)  Failed Req %  DNS (s)  Connect (s)  First byte (s)  Total (s)
1     Datapipe                  Linux                0:00:00            0.004         0.106    0.012        0.026           0.037
2     GoDaddy.com Inc           Linux                0:00:00            0.009         0.131    0.009        0.023           0.024
3     Qube Managed Services     Linux                0:00:00            0.009         0.109    0.047        0.094           0.094
4     EveryCity                 SmartOS              0:00:00            0.009         0.067    0.066        0.131           0.131
5     XILO Communications Ltd.  Linux                0:00:00            0.013         0.182    0.063        0.128           0.128
6     Anexia                    Linux                0:00:00            0.013         0.404    0.086        0.173           0.173
7     Bigstep                   Linux                0:00:00            0.018         0.111    0.062        0.124           0.124
8     LeaseWeb                  Linux                0:00:00            0.022         0.224    0.025        0.053           0.053
9     ServerStack               Linux                0:00:00            0.027         0.080    0.072        0.143           0.143
10    Swishmail                 FreeBSD              0:00:00            0.031         0.123    0.066        0.132           0.172

Datapipe had the most reliable company website during July, responding successfully to all but one of Netcraft's requests. This continues their regular appearance in the top 10, making 11 of the past 12 months and every month of 2015 so far. Datapipe offers a 100% Uptime Guarantee, and fulfilled this promise on its own site, with 100% uptime recorded over the past 9 years.

With two failed requests each, GoDaddy, Qube, and EveryCity contend for second place. The ranking between them is decided by the average connection time, putting GoDaddy into second place and Qube into third. GoDaddy recently produced CODE, a documentary about gender bias in the tech industry; the film was selected for the Tribeca Film Festival. Qube is based in London and offers managed private cloud hosting services from datacentres in London, New York and Zurich.

Linux is once again the most common choice of operating system; 8 out of the top 10 companies used the OS to power their website. The two remaining sites were powered by SmartOS and FreeBSD. This is the first time since December 2014 that no sites powered by Windows have appeared in the top 10.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event that the number of failed requests is equal, sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

Most Reliable Hosting Company Sites in June 2015

Rank  Company                   OS                   Outage (hh:mm:ss)  Failed Req %  DNS (s)  Connect (s)  First byte (s)  Total (s)
1     Qube Managed Services     Linux                0:00:00            0.000         0.102    0.052        0.104           0.104
2     ServerStack               Linux                0:00:00            0.000         0.074    0.076        0.152           0.152
3     Bigstep                   Linux                0:00:00            0.005         0.117    0.060        0.123           0.123
4     iWeb                      Linux                0:00:00            0.005         0.135    0.078        0.156           0.156
5     Anexia                    Linux                0:00:00            0.005         0.541    0.085        0.172           0.172
6     GoDaddy.com Inc           Linux                0:00:00            0.010         0.121    0.009        0.022           0.023
7     Datapipe                  Linux                0:00:00            0.015         0.095    0.013        0.027           0.037
8     Netcetera                 Windows Server 2012  0:00:00            0.015         0.055    0.083        0.165           0.165
9     LeaseWeb                  Linux                0:00:00            0.025         0.224    0.028        0.061           0.061
10    One.com                   Linux                0:00:00            0.025         0.166    0.058        0.217           0.218

Qube Managed Services had the most reliable website during June, responding successfully to all of Netcraft's requests. This is Qube's fourth appearance in the top 10 in 2015, continuing its strong showing from 2014, when it placed in the top 10 in eleven months and came first on four occasions. Qube is based in London and offers managed private cloud hosting services from datacentres in London, New York and Zurich.

In second place, ServerStack also successfully responded to all requests in June, placing second only as a result of a slightly slower average connection time. ServerStack provides managed hosting services to enterprises from three datacentres in Amsterdam, New Jersey and San Jose. It has appeared in the top 10 list frequently in the past few years.

Bigstep, iWeb and Anexia also did well this month, each responding to all but one request.

Linux remains the most popular choice of operating system, with 9 of the top 10 companies using the OS to power their website, while the remaining one uses Windows Server 2012.

Aliyun's growth has made Alibaba Group the largest server hosting provider in China

Chinese cloud hosting provider Aliyun is growing faster than ever before. In the single month from April to May this year, the number of web-facing computers at Aliyun grew by more than 8,000. This rapid growth has propelled its parent company, Alibaba Group, to become the fourth largest server hosting provider in the world and the largest in China.

Most Reliable Hosting Company Sites in May 2015

Rank  Company                   OS                   Outage (hh:mm:ss)  Failed Req %  DNS (s)  Connect (s)  First byte (s)  Total (s)
1     EveryCity                 SmartOS              0:00:00            0.008         0.079    0.066        0.133           0.133
2     Datapipe                  Linux                0:00:00            0.017         0.085    0.012        0.024           0.032
3     Anexia                    Linux                0:00:00            0.017         0.633    0.088        0.176           0.176
4     CWCS                      Linux                0:00:00            0.017         0.188    0.104        0.186           0.187
5     XILO Communications Ltd.  Linux                0:00:00            0.030         0.179    0.064        0.129           0.129
6     INetU                     Windows Server 2008  0:00:00            0.038         0.098    0.068        0.199           0.404
7     Netcetera                 Windows Server 2012  0:00:00            0.038         0.056    0.081        0.161           0.161
8     New York Internet         FreeBSD              0:00:00            0.047         0.186    0.030        0.062           0.180
9     Hyve Managed Hosting      Linux                0:17:02            0.051         0.156    0.064        0.127           0.128
10    Umbee Hosting             Linux                0:00:00            0.076         0.072    0.064        0.481           1.231

EveryCity had the most reliable website during May 2015, responding to all but two of Netcraft's requests. Since Netcraft began monitoring its site in April 2014, EveryCity has maintained a 100% uptime record. Besides SmartOS-based hosting, EveryCity also specialises in Solaris hosting on both SPARC and Intel platforms.

In second place is Datapipe, with just four failed requests to its website during May 2015. Two other companies had the same number of failures: Anexia and CWCS. Datapipe's impressively quick average connection time (0.012 seconds) gives it the edge in the tie-breaker, fending off both Anexia (0.088 seconds) and CWCS (0.104 seconds). Datapipe has data centres in key technology and financial hubs including New York, Silicon Valley, London, and Hong Kong.

Anexia (3rd place) and CWCS (4th place), both with four failed requests and both of which are based in Europe, differ in their focus: Anexia operates 58 data centres across the world, whereas CWCS concentrates on the UK market, owning two "state of the art" British data centres. Anexia announced in early May that it had become an official Debian mirror, providing support to the open-source project.

Making it into the top 10 for the first time since its monitoring began in February 2015, Umbee Hosting's website responded to all but a handful of Netcraft's requests. Umbee Hosting has five data centres, spread across three continents: two in the London region, two in metro New York, and one in Sydney.

Linux remains a popular choice amongst the top 10 hosting company websites, powering six. The use of SmartOS and FreeBSD brings up the total of UNIX-based operating systems to eight. The remaining two are powered by Windows Server 2008 and 2012.

Aliyun cloud growth makes Alibaba largest hosting company in China

Chinese cloud hosting company Aliyun is growing faster than ever, with more than 8,000 more web-facing computers found in the May 2015 survey than in April's. This growth has launched Aliyun's parent company, Alibaba Group, into position as the 4th largest hosting company in the world, as well as the largest in China.

This reflects a turnaround for Aliyun, whose earlier impressive growth had started to stagnate towards the end of 2013. Growth later resumed in earnest, coinciding with Aliyun's partnership with rival cloud computing company Inspur in July 2014, and has continued ever since, with the largest absolute growth being seen between April 2015 and May 2015.

[Graph: growth in the number of web-facing computers hosted at Aliyun]

Aliyun now accounts for 38% of the web-facing computers hosted by Alibaba Group, while 44% are operated by HiChina, which was acquired by Alibaba in 2009. If the latest growth trends continue, Aliyun will soon account for the majority of web-facing computers at Alibaba.

All of the web-facing computers at Aliyun are located in China, which offers significant advantages for the local market. Hosting a website close to its end-users generally results in faster page loads, but increased reliability is the most crucial factor in this case. Connectivity between China and other countries is often slow, unstable or even blocked, making China the most practical location for hosting websites aimed at local consumers.

However, this also means that Aliyun would be a troublesome choice for any company that has a significant user base outside of China. This is exemplified by the following graph, which shows the performance and reliability of www.aliyun.com when accessed from the Netherlands:

[Graph: performance and reliability of www.aliyun.com when accessed from the Netherlands]

This connectivity problem has so far proven to be insurmountable, and is likely to be a showstopper for most companies with customers outside of China. Unfortunately, this problem only seems to be getting worse: Nearly half of the requests made from the Netherlands over the past 20 days failed, whereas only 4% failed during a similar 20-day period in 2013.

Globally, Amazon continues to dominate the hosting arena with nearly three times as many web-facing computers as Alibaba Group. DigitalOcean recently usurped OVH Net to become the second largest hosting company. Amazon, DigitalOcean and Aliyun are all similar in that they provide relatively low-cost virtual servers, but Aliyun's growth is likely restricted by the impracticalities of using it to serve content outside of China.

Considering this rather significant restriction, it is impressive that Aliyun's current growth rate is almost on par with DigitalOcean's (in fact, Alibaba Group as a whole exceeded DigitalOcean's absolute growth in May 2015). This growth perhaps demonstrates the scale of the Chinese market, and if it were practical to use Aliyun to host websites for a global audience, Aliyun could well give Amazon a run for its money.

Amazon and DigitalOcean are likely to remain ahead for a fair while, particularly as they both provide a variety of hosting locations in several different countries. This gives customers flexibility over where a website can be hosted, providing not just performance benefits, but also regulatory ones: for example, German data protection laws limit where companies can store personal data, in particular making it unappealing to do so outside of Germany or the EU.

Amazon is perhaps still best known for its retail operations, but recently surprised some analysts by announcing that its Amazon Web Services segment is profitable. This segment generated sales of $1.57bn in the first quarter of 2015, and operating income of $265m, demonstrating that it can now operate without having to fall back on Amazon's other revenue streams.

Aliyun operates under a similar safety net, with its parent, Alibaba Group, having significant revenue from other business areas, including business-to-business trading via alibaba.com and an eBay-like consumer-to-consumer marketplace on taobao.com. Both Aliyun and Amazon Web Services have had opportunities to grow in this relatively risk-free environment, where – if necessary – they can be supported by the parent group's other business areas.

With this safety net in place, Aliyun is well placed to continue its growth within China, and could even contemplate adding datacenters abroad. Notably, its ability to invest in new datacenters is not likely to be a problem: Alibaba Group (NYSE:BABA) has a higher market capitalisation than Amazon (NASDAQ:AMZN).

Aliyun has already tried to attract foreign customers by offering support and site content in English, and aliyun.com also mentions that it is "preparing to support more languages to improve user experience". New customers must provide their phone number when creating an Aliyun account, which is verified by text message in the 23 supported countries. Customers in other countries can also register an Aliyun account by following a slower offline registration process.

However, any plans for global expansion could be scuppered unless Aliyun can solve the connectivity issues and also match the low prices offered by DigitalOcean, where the cheapest virtual machine costs only $5/month, including up to 1TB of data transfer. A somewhat similar Elastic Compute Service instance at Aliyun (1 core, 512MB memory, 20GB storage, bandwidth limited to 3Mbps) costs ¥109/month, making it more than three times as expensive. This instance costs only ¥38/month if the customer chooses Aliyun's pay-as-you-go option for bandwidth (which would cope better with bursts of traffic), but this could work out far more expensive for heavy users: at ¥0.80 per GB of outbound public network traffic, 1TB of traffic would cost over $120 at Aliyun, whereas it is included in the price of DigitalOcean's $5 droplet.