Blog October 11, 2022 PKI

Windows 2012 R2 EOS, ADCS/PKI and You. Are You Ready or Risking?

by Mark B. Cooper

Is your ADCS/PKI running on Windows 2012 R2?

Microsoft is ending its support of Windows Server 2012 R2 on October 10, 2023. This will officially spell the end of extended end-of-support (EOS).

Released in October 2012, Windows Server 2012 passed the original EOS date over three years ago, on October 9, 2018. Microsoft will stop providing technical support and bug fixes for newly discovered issues that may impact the usability or stability of servers running the two products.

If your organization uses Windows Server 2012 and 2012 R2 after Oct 2023, you’ll be vulnerable to cyberattacks and compliance risks. This poses a serious organizational and personal risk for executives responsible for the security of your digital infrastructure.

How serious is the risk? If we step back in time, you may remember that, when Windows ended support for Windows 7 in January 2021, the US Federal Bureau of Investigation issued a warning to industry users that the platform was open to risk, vulnerabilities, and exploits. And while the notice didn’t state this specifically, it did imply that the onus would be on the organizations to protect their users’ data.

“As time passes, Windows 7 becomes more vulnerable to exploitation due to a lack of security updates and new vulnerabilities discovered. With fewer customers able to maintain a patched Windows 7 system after its end of life, cybercriminals will continue to view Windows 7 as a soft target,” the FBI notice said.


Schedule Time With an Expert

PKI Solutions will help your organization meet the needs of your Windows 2012 R2 migration concerns and other PKI-related worries that you may not be staffed for. Please don’t hesitate to book some time to talk about your PKI environment concerns:

 https://calendly.com/pkisolutionsconnect

And for more on our experts and what we can do for you regarding your Windows Server 2012 R2 or other Windows Server migrations, please visit: https://www.pkisolutions.com/windows-server-2012-r2-eos-migration/

And true to form, this happened to several organizations that didn’t update their servers. In 2018, Zoll, a medical device vendor, sued Barracuda Networks, claiming that Barracuda failed to manage a server migration properly, leaving the data of more than 275,000 of its users exposed.

As a result of those failures, Zoll is now liable for injury and damages incurred by its patients because of the breach. Failing to ensure all systems remain in compliance can put your company at risk and can possibly even make senior management criminally liable in the case of a security breach on an unsupported OS.

Any business that is still running Windows Server 2012 and 2012 R2 needs to institute a migration policy as soon as possible. Migrations can take months to years to complete – depending on the number of servers and the size of the company.

Responsible IT parties without an upgrade plan will quickly find themselves passing a critical deadline that could leave their organization and management liable for the risk caused by unsupported servers.

Hackers excel at attacking environments that are no longer covered by updates or support. At this level, these attacks serve as an entry point into your entire system.

To make the subject even more worrisome, look at the stats below from a survey by Keyfactor and the Ponemon Institute. In a nutshell, nearly HALF the companies surveyed felt that they didn’t have the staff or skillset in place to handle IT security and PKI-related concerns.

Keyfactor-Ponemon Institute: The Impact of Unsecured Identities 2020

Insufficient IT security skills and resources leave PKI shorthanded. Deploying and running an effective PKI involves many moving parts beyond software – including infrastructure, policies, and trained personnel. However, most organizations lack specialized knowledge and depth in personnel required to support the ongoing operation of their PKI. According to Figure 10, only 38 percent of respondents say their organizations have sufficient IT security staff members dedicated to their PKI deployment. This problem is further complicated by the fact that only 47 percent of respondents say their organizations are able to hire and retain qualified IT security personnel.

Keyfactor-Ponemon Institute: State of Machine Identity Management 2022

Skills shortages and lack of personnel still hinder PKI deployments.

Despite its importance, IT organizations often lack the skills and expertise to dedicate to their PKI deployment. Fifty-four percent of respondents say they have six or more staff involved in deploying and managing PKI. However, half of respondents say they still don’t have enough personnel dedicated to their PKI, a slight decrease from 55 percent in last year’s study.

Resources

  • https://learn.microsoft.com/en-US/lifecycle/announcements/sql-server-2012-windows-server-2012-2012-r2-end-of-support
  • https://www.microsoft.com/en-us/windows-server/extended-security-updates
  • https://assets.documentcloud.org/documents/7013545/Windows-7-End-of-Life-PIN-20200803-002-BC.pdf
  • https://healthitsecurity.com/news/medical-device-vendor-zoll-sues-it-firm-over-breach-affecting-277k
  • https://www.keyfactor.com/resources/the-impact-of-unsecured-digital-identities-2020-report-critical-trust-index/
  • https://www.keyfactor.com/state-of-machine-identity-management-2022/

Mark B. Cooper

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.
