Around 58 percent of all Windows servers on the Internet are no longer regularly supplied with security updates and are therefore ticking time bombs.
A scan by Rapid7 of all systems reachable on the Internet has shown that significantly more than half of the Windows servers are still running Windows Server 2008. Microsoft officially ended support for it on January 14, 2020. These Windows systems therefore no longer receive regular security updates and can no longer be operated securely on a network.
Rapid7 found the vast majority of these insecure systems in the USA and China. In Germany the situation looks somewhat better, but the security company still found many tens of thousands of systems running Windows Server 2008 there. Unfortunately, the graphics presented do not give an exact number; we have asked Rapid7 for it. Our own search on Shodan at least confirms Rapid7’s results: it immediately turns up over 50,000 servers in Germany running IIS 7.5, which is part of the standard equipment of Windows Server 2008 R2.
Windows Server 2008 dominates
According to Rapid7, operating systems no longer supported by Microsoft make up around 58 percent of all Windows servers: Server 2008 (2 percent), Server 2008 R2 (51 percent) and Server 2003 (almost 6 percent). Only around a third (33.4 percent) run Server 2012 R2. The cross-check with Shodan shows roughly the same number of Windows servers with IIS 7.5 worldwide as with IIS 10.0 (around 1.5 million each) and thus at least confirms the trend. There are several plausible explanations for the difference, for example that the Rapid7 evaluation also included systems without an externally reachable web server.
Rapid7’s figures are from September 2020. The security company also provides a trend over the preceding months, which shows that the number of unsupported Windows servers has fallen by about a third since January. Now, however, the figure is stagnating at almost 3 million servers.
The official end of a Windows version’s life cycle means that Microsoft no longer protects it against new security vulnerabilities through its routine updates. In exceptional cases, such as the critical Zerologon vulnerability that became known recently, which turns attackers on the network directly into domain admins, Microsoft mercifully also supplies patches for versions it has already discontinued. But that is a very thin lifeline.
In general, a server can no longer be operated safely on a network once its official life cycle has expired, and certainly not if it is reachable from the Internet. Anyone who still finds such a system on their network should look for alternatives as soon as possible and, until those are in place, at least restrict access to it rigorously.
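The article's Shodan cross-check rests on one inference: the IIS version a host announces in its HTTP Server header points to the Windows Server release it runs, and that release either is or is not still supported. The following script, an added example that is not part of the article and not Rapid7's or Shodan's tooling, applies the same inference to responses collected from your own hosts so that unsupported machines can be found and fenced off. The IIS 7.5 to Server 2008 R2 pairing comes from the article; the other rows of the version table, the end-of-support dates, and the hostnames and response heads are this example's own assumptions and constructed data.

```python
import re
from datetime import date
from typing import Optional

# Mapping of the IIS version that a server announces in its HTTP "Server" header
# to the Windows Server release that ships it, plus that release's end of
# extended support. The IIS 7.5 -> Server 2008 R2 row is the one the article
# uses; the remaining rows are Microsoft's published lifecycle dates and are an
# assumption of this example. IIS 10.0 ships with several releases that are
# still supported, so it carries no end date here.
IIS_TO_WINDOWS = {
    "6.0": ("Windows Server 2003", date(2015, 7, 14)),
    "7.0": ("Windows Server 2008", date(2020, 1, 14)),
    "7.5": ("Windows Server 2008 R2", date(2020, 1, 14)),
    "8.0": ("Windows Server 2012", date(2023, 10, 10)),
    "8.5": ("Windows Server 2012 R2", date(2023, 10, 10)),
    "10.0": ("Windows Server 2016 or later", None),
}

_SERVER_RE = re.compile(r"^server:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
_IIS_RE = re.compile(r"Microsoft-IIS/(\d+\.\d+)")


def server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response head, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    match = _SERVER_RE.search(head)
    return match.group(1) if match else None


def classify(raw_response: str, as_of: date) -> dict:
    """Map one response to the Windows release its banner implies and its support status."""
    banner = server_header(raw_response)
    iis = _IIS_RE.search(banner) if banner else None
    if not iis or iis.group(1) not in IIS_TO_WINDOWS:
        # Not IIS, or a version we have no lifecycle row for: nothing to conclude.
        return {"banner": banner, "os": None, "eol": None, "unsupported": False}
    os_name, eol = IIS_TO_WINDOWS[iis.group(1)]
    return {
        "banner": banner,
        "os": os_name,
        "eol": eol,
        "unsupported": eol is not None and eol <= as_of,
    }


def audit(hosts: dict, as_of: date) -> list:
    """Return (host, os, eol) for every host whose banner implies an unsupported release."""
    findings = []
    for host, raw in hosts.items():
        result = classify(raw, as_of)
        if result["unsupported"]:
            findings.append((host, result["os"], result["eol"]))
    return findings


# Constructed response heads standing in for what a banner check against your own
# hosts would return; the hostnames are placeholders, not real systems.
SAMPLE_RESPONSES = {
    "web-01.example.test": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\nX-Powered-By: ASP.NET\r\n\r\n<html>",
    "web-02.example.test": "HTTP/1.1 200 OK\r\nserver: Microsoft-IIS/10.0\r\n\r\n",
    "web-03.example.test": "HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/6.0\r\n\r\n",
    "web-04.example.test": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\n\r\n",
    "web-05.example.test": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n",
    "web-06.example.test": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    # Evaluated against the month of Rapid7's figures, so 2012 R2 still counts as supported.
    for host, os_name, eol in audit(SAMPLE_RESPONSES, as_of=date(2020, 9, 30)):
        print(f"{host}: {os_name} (support ended {eol.isoformat()})")
```

The `as_of` parameter matters: run against September 2020, the date of Rapid7's figures, the script flags only the 2003 and 2008 R2 hosts, while the same inventory evaluated today also flags Server 2012 R2. Treat the result as a starting point for the inventory rather than proof of anything: a Server header can be suppressed or rewritten, and a host that hides it is not thereby supported, which is also why the article's own Shodan count is offered as a confirmation of the trend, not as an exact figure.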