More than 600,000 web-facing computers — which host millions of websites — are still running Windows Server 2003, despite it no longer being supported.
The number of web-facing computers running Windows Server 2003 has been on a gradual decline since its peak usage in 2011, but many servers are still using it. Mainstream support for Windows Server 2003 ended in July 2010.
Extended support for Windows Server 2003
ended on July 14, 2015. Crucially, this means that Microsoft will no longer
be issuing security updates for any version of Windows Server 2003. US-CERT
warns that these
unsupported installations of Windows Server 2003 are exposed to an elevated risk
of cybersecurity dangers, such as malicious attacks or electronic data loss.
Windows Server 2003 was originally launched over 12 years ago, with the
latest major update being released 8 years ago in the form of Service Pack 2.
This update was particularly beneficial for web servers, as it added the
Scalable Networking Pack (SNP), which allowed for hardware acceleration of
network packet processing.
Fifth of the internet still running Windows Server 2003
Netcraft's July 2015 Web Server Survey found 175 million
websites that are served directly from Windows Server 2003 computers. These
account for more than a fifth of all websites in the survey, making the
potential attack surface huge.
Most of these sites (73%) are served by Microsoft Internet Information
Services 6.0, which is the version of IIS that shipped with Windows Server 2003
and the 64-bit edition of Windows XP Professional; however, it is rare to see
the latter being used as a web server platform.
The remaining Windows Server 2003-powered sites use a variety of web server
software, with GSHD 3.0, Safedog 4.0.0, Apache 2.2.8 (Win32), kangle 3.4.8,
NetBox Version 2.8 Build 4128 and nginx/1.0.13-win32 being amongst the most
commonly seen Server headers. While vulnerabilities in these software products
can be addressed by applying patches or updates, future vulnerabilities in the
underlying Windows Server 2003 operating system may never be fixed.
14 million of the sites did not send a Server header at all, so it was not
apparent whether the web server software used by these sites could be updated,
but the underlying computers could still be identified as running Windows Server
2003. Netcraft determines the operating system of a remote web server by
analysing the low-level TCP/IP characteristics of response packets, and so it is
independent of whichever server software the site claims to be running.
Backend servers might also be exploitable
In addition to the 175 million websites that are served directly from Windows
Server 2003 computers, a further 1.7 million sites served from other operating
systems sent the Microsoft-IIS/6.0 Server header. This indicates the
presence of backend Windows Server 2003 machines behind load balances and similar devices
that are not running Windows.
For example, if the TCP/IP characteristics of a web server's response indicate that it is running Linux, but the HTTP Server
header reports it is using Microsoft-IIS/6.0, then the Linux machine is likely to be acting as a
reverse proxy to a Windows Server 2003 machine running IIS 6.0. Although the
Windows Server 2003 machine is not directly exposed to the internet, it may
still be possible for a remote attacker to exploit certain Windows and IIS
How many Windows Server 2003 installations are exposed to the web?
Netcraft has developed a technique for identifying the number of unique
computers that act as web servers on the internet. The 175 million sites that
use Windows Server 2003 make use of 1.6 million distinct IP addresses. However,
an individual computer running Windows Server 2003 may have multiple IP
addresses, which makes this an unsuitable metric for determining how many
installations there are.
Further analysis of the low-level TCP/IP characteristics reveals a total of
609,000 web-facing computers running Windows Server 2003. This
is over 10% of all web-facing computers, and shows the true
potential cost of migration, as software licensing is typically charged on a
per-machine rather than per-IP address basis.
Who's still using Windows Server 2003?
China and the United States account for 55% of the world's Windows Server
2003 computers (169,000 in China and 166,000 in the US), yet only 43% of all other web facing computers.
Within China, more than 24,000 of these computers are hosted by Alibaba
Group. Nearly half of these are hosted by
HiChina, which was acquired by Alibaba in 2009, while 7,500 are hosted at
rapidly growing cloud hosting unit, Aliyun.
Aliyun still allows its customers to create Windows Server 2003 virtual machines.
One of the most prominent companies still using Windows Server 2003 on the
LivePerson, which is best known for the live chat software that allows its
customers to talk to their visitors in realtime. Its main site at
www.liveperson.com uses Microsoft IIS
6.0 on Windows Server 2003, and several other sites related to its live chat
functionality — such as sales.liveperson.net — also appear to use IIS 6.0 on Server 2003, but are served via F5 BIG IP web-facing devices.
Even some banks are still using Windows Server 2003 and IIS 6.0 on their main
sites, with the most popular ones including
Grupo Bancolombia. These
sites rank amongst the top 10,000 in the world, and hundreds of other banking
sites also appear to be using Windows Server 2003.
Caisse d'Epargne are also using IIS 6.0, but these sites appear to be served through
F5 BIG-IP or similar devices, rather than
having Windows Server 2003 machines exposed directly to the internet. Even some security and antivirus software vendors are still running IIS 6.0 on
public-facing sites, including
Panda Security and
While Microsoft does not officially offer any support beyond the extended support period ("Once a product transitions out of support, no further support will be provided for the product"), reports suggest that some companies who have not migrated in time have arranged to pay millions of dollars for custom support deals.
PCI compliance: Automatic failure
Companies still using unsupported operating systems like Windows Server 2003
in a cardholder data environment should migrate immediately. All organisations
and merchants who accept, transmit or store cardholder data must maintain a
secure PCI compliant environment.
The Payment Card Industry Data Security Standard (PCI
DSS) provides a baseline of technical and operational requirements designed
to protect cardholder data and sensitive authentication data. PCI DSS
Requirement 6.2 requires all system components and software to be protected from
known vulnerabilities by installing vendor-supplied security patches. This will
not be possible with Windows Server 2003, as no more security updates will be
made available by Microsoft.
Additionally, merchants and service providers who handle a large enough volume of cardholder data
must have quarterly security scans by a PCI SSC Approved Scanning Vendor (such
as Netcraft) in
order to maintain compliance. ASVs
are required to record an automatic failure if the
merchant's cardholder data environment uses an operating system that is no
In some cases, the PCI SSC can allow for risks to be mitigated through the implementation of suitable
compensating controls, but these are unlikely to be sufficient for an unsupported web-facing operating system – especially one which will become less secure as time goes by, as new vulnerabilities are discovered.
Consequently, many merchants still using Windows Server 2003 is likely to be
noncompliant, and could face fines, increased transaction fees, reputational damage, or other
potentially disastrous penalties such as cancelled accounts.
Microsoft advises that any datacenter still using Windows Server 2003 needs
to protect its infrastructure by planning and executing a migration strategy.
Some possible options suggested by Microsoft include switching to Windows Server
2012 R2, Microsoft Azure or Office 365. To help customers migrate, Microsoft has
provided an interactive
2003 Migration Planning Assistant, which, incidentally, is hosted on
Finding out more
Netcraft's techniques provide an independent view with a consistent methodology on the number of web-facing computers at each hosting location worldwide. For more information, see our Hosting Provider Server Count, or contact us at email@example.com for bespoke datasets.
For more information about Netcraft's Automated Vulnerability Scanning for PCI Compliance, please contact us at firstname.lastname@example.org.