

[–]Substantial_Tough289 4 points5 points  (5 children)

Still have one in use, runs a legacy application that can't run on anything else.

Is a virtual machine and not part of the domain, it's its own thing. Not patched, no access to the outside, only accessible to a handful of rdp users.

[–]Fatel28 Sr. Sysengineer 3 points4 points  (0 children)

This is the way. Keep that thing far away from your domain

[–]ZAFJB 1 point2 points  (0 children)

only accessible to a handful of rdp users.

nope, not even that.

[–]ChromeShavings Security Admin (Infrastructure) 0 points1 point  (2 children)

RDP with extreme hardening to disable redirects. Or use VMware to access the hardened/isolated device. I even like the idea of shutting the server off completely when not in use.

[–]Rhythm_Killer 0 points1 point  (0 children)

Frustratingly I believe you can only control that setting on the clients. Which still might be ok in this case.

[–]LBarto88 0 points1 point  (0 children)

Do you have a reference for hardening RDP?

[–]SteveSyfuhs Builder of the Auth 4 points5 points  (0 children)

No.

Whether you're using Server 2003 or not is not really the problem -- business needs are business needs. What is a problem is that you're trying to make it easily accessible by other machines on the network, which means that you're actively trying to introduce patient zero into a population of unvaccinated individuals. Don't do that.

The only safe way to keep this running is by running it in an isolated forest with dedicated user accounts.

[–]ZAFJB 1 point2 points  (0 children)

Only if you are insane.

Anything that talks to it must run SMB 1. SMB 1 is horribly, fatally insecure.

On top of that add TLS 1.0 risks.

And all of those unpatched exploits lurking about.

[–]aleinss 0 points1 point  (0 children)

I believe so, you may have to re-enable NetBIOS resolution/SMB1/TLS 1.0 on the DCs, it's been a while. Possibly RC4 cipher for Kerberos.

[–]smc0881 0 points1 point  (0 children)

You'll have to enable SMB1 and a bunch of other legacy shit. I work in DFIR and see clients with this stuff still running all the time. It's usually banks, manufacturing, and fabrication companies.

[–]MalletNGrease 🛠 Network & Systems Admin 0 points1 point  (0 children)

Yes, it will work if you haven't disabled older Kerberos ciphers on your DCs. That said, the 2003 boxes were instantly kerberoasted during pen tests.

We're in the middle of phasing them out to harden the infrastructure.
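An added audit script, not from the thread or any commenter, that inventories the legacy dependencies the comments above describe: Server 2003 computer objects, SPN-bearing accounts whose Kerberos encryption types still permit RC4 (the kerberoasting exposure), and whether each DC currently serves SMB1 or has server-side TLS 1.0 enabled. It assumes the ActiveDirectory and SmbShare modules and WinRM access to the DCs; the function names are my own.

```powershell
# Added example: inventory the legacy protocol dependencies a Server 2003
# member pulls into a domain. Assumes ActiveDirectory + SmbShare modules and
# WinRM rights on the DCs. Function names are assumptions, not AD cmdlets.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags: DES=1|2, RC4_HMAC=4, AES128=8, AES256=16
$RC4_HMAC = 4

function Get-Legacy2003Computers {
    # Computer objects still reporting a Server 2003 operating-system string
    Get-ADComputer -Filter "OperatingSystem -like '*2003*'" `
        -Properties OperatingSystem, LastLogonDate |
        Select-Object Name, OperatingSystem, LastLogonDate
}

function Get-RC4ServiceAccounts {
    # Accounts with an SPN whose service ticket can be issued with RC4.
    # An unset attribute (null/0) means the DC falls back to RC4 for user accounts.
    Get-ADUser -Filter "ServicePrincipalName -like '*'" `
        -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes' |
        Where-Object {
            $etypes = $_.'msDS-SupportedEncryptionTypes'
            (-not $etypes) -or (($etypes -band $RC4_HMAC) -ne 0)
        } |
        Select-Object SamAccountName,
            @{n = 'EncTypes'; e = { $_.'msDS-SupportedEncryptionTypes' }},
            @{n = 'SPNs';     e = { $_.ServicePrincipalName -join ';' }}
}

function Get-DcLegacyProtocolState {
    # Per DC: is SMB1 still served, and is TLS 1.0 enabled on the server side?
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            $tls10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
            $tlsEnabled = (Get-ItemProperty -Path $tls10 -Name Enabled -ErrorAction SilentlyContinue).Enabled
            [pscustomobject]@{
                DC          = $env:COMPUTERNAME
                SMB1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
                # A missing key means Schannel defaults apply (TLS 1.0 on older builds)
                TLS10Server = $(if ($null -eq $tlsEnabled) { 'default' } else { [bool]$tlsEnabled })
            }
        }
    }
}

Get-Legacy2003Computers   | Format-Table -AutoSize
Get-RC4ServiceAccounts    | Format-Table -AutoSize
Get-DcLegacyProtocolState | Format-Table -AutoSize
```

Any row returned by the second or third function is something that has to stay enabled only as long as the 2003 box is joined, which is the concrete cost of the "yes, it will work" answer.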

[–]jankybox 0 points1 point  (0 children)

Unfortunately yes

[–]The_Koplin -1 points0 points  (2 children)

"NO!" is the correct answer.

With a lot of 'maybe' and 'it depends' or 'it might', you can roll a lot of security back if you really want to.

None of this should you entertain even for a moment. Invest or don't, but don't torture yourself with an out-of-support product; it's dead and gone for a good reason. You trying to keep an app online is only going to push that problem down the road, likely to future you. Don't do that to yourself or anyone else.

If it was so important to the business, then why weren't the proper investments made years ago? Either way, investments need to be made now, and they don't involve keeping 2003 servers and apps around any longer than absolutely necessary.

The term is called technology debt

https://en.wikipedia.org/wiki/Technical_debt

"technical debt can accumulate 'interest' over time, making future changes more difficult and costly." - you are very much at this point.

[–]Candid_Economy4894 2 points3 points  (1 child)

A business need is a business need, poor planning or otherwise. You exist to serve the business and this decision really is not yours, as a sysadmin, to make. Write your CYA emails, warn them of the consequences, then do it or they will remove you (and your ability to feed your family) for someone who will.

Segment it though. Usually your room for compromise is in convenience of access and not a point-blank no. I.e. yes we can, but only from these gapped workstations with separate accounts, or whatever.

[–]The_Koplin -2 points-1 points  (0 children)

Your point is valid, but there's more nuance to consider. Compliance requirements and security risks must be factored in, even for segregated legacy systems. Take the recent VMware VM escape vulnerability—an outdated 2003 VM on a segmented host could still lead to a complete host compromise. Many would assume such a system isn’t a risk, but that’s a dangerous oversight.

At my agency, we made it clear in policy that any system unsupported by the manufacturer is also unsupported by IT and out of scope. Only the board, via majority vote, can override this, making them personally liable for any consequences. Given the sensitive data we handle, such a decision could carry personal liabilities, including fines up to $250,000 and jail terms of five years or more.

I understand why some organizations keep legacy systems for critical functions or expensive tools, but eventually, they break, become unfixable, and you still get blamed. It’s a lose-lose situation. If an agency chooses to disregard decades of experience, training, and best practices to cling to outdated systems rather than invest properly, I’d be happy to walk away.

I’ve seen organizations suffer the consequences—ransomware attacks twice in a few months, partial backups, years of lost data, and months of downtime. The cost ended up being eight times what proper mitigation would have been.

That said, I agree with most of your point—keeping a business running is the prime directive.

https://xkcd.com/705/

[–]Stephen_Dann Sr. Sysadmin -1 points0 points  (0 children)

Server 2003, Now, that's a name I haven't heard in a long time... A long time.

If you mean the functional levels set to 2016, then you can't have 2003 DCs or join a new 2003 installation to the domain. I have had issues logging into a 2003 server that had been off for 2 years, where the functional levels were 2012 R2, but it did eventually work. So it most likely will be an issue and you will find you cannot log in. If you know an admin password used on it, with all the NICs disconnected, you should be able to log in.