Servers and Vulnerability Management
In part three of our blog series on the importance of keeping technology and operating systems updated as part of your vulnerability management program, I'll focus on servers. Servers are as critical a component of your security plan as mobile devices and unsupported operating systems are.
Servers provide key support for an organization, usually running the critical applications needed for operations. In the past, they were mainly kept on site in a server farm. With the arrival of cloud computing, however, it is increasingly cost effective to house servers in the cloud.
If you like this blog, check out part one on unsupported operating systems and part two on mobile devices.
Patching
Whether a server is physical or virtual, patching is still a key part of cyber security that needs to be managed. Servers are often public facing, which means any vulnerabilities that can be exploited likely will be. And while many recent data breaches have had more to do with third-party applications than with the operating systems themselves, running a server that is beyond end-of-life and accessible to the public is not a sound cyber security practice. As we go through the main server operating systems, note that Linux variants lead the field.
Microsoft Server Life Cycle Support
The development and support cycle for Windows Server is like that for the desktop: new releases happen every three to four years, and Microsoft supports each operating system for ten years.
| Operating System* | Release Date | End-of-Life Date |
| --- | --- | --- |
| Windows Server NT 4.0 | July 1996 | December 31, 2004 |
| Windows Server 2000 | November 2000 | April 12, 2011 |
| Windows Server 2003 | November 2006 | April 8, 2014** |
| Windows Server 2006 | June 2006 | July 12, 2016 |
| Windows Server 2012 | October 2012 | January 10, 2023 |
| Windows Server 2016 | October 2016 | At least until January 2027 |
* There are many server variants (SQL, Exchange, Hyper-V, etc.) and service pack configurations. The end-of-life date shown here is the last date supported for that family; some versions end sooner.
**Microsoft provided an exception to this when they released a patch specifically for EternalBlue on May 13, 2017 that covered the unsupported Windows XP and Windows Server 2003.
Linux
Linux operating systems are much more common on the server side because they can be customized, and they are also popular for the security they offer. Looking at statistics from the Cloud Market, which analyzes images running on Amazon's Elastic Compute Cloud (EC2), just under 90 percent of those images are Linux variants.
Ubuntu Life Cycle Support
Just like on the desktop side, Ubuntu is the most popular Linux distribution for servers, according to the Cloud Market statistics: about a third of all images in use on EC2 are Ubuntu, just ahead of Amazon Linux. As noted above, Ubuntu LTS versions are guaranteed at least five years of support, including maintenance and security updates, while non-LTS releases have nine months of guaranteed support.
| Operating System | Support End Date |
| --- | --- |
| Ubuntu 10.04 LTS | April 2015 |
| Ubuntu 12.04 LTS | April 2020 (support extended) |
| Ubuntu 14.04 LTS | April 2019 |
| Ubuntu 16.04 LTS | April 2021 |
| Ubuntu 17.10 | August 2018 |
| Ubuntu 18.04 LTS | April 2023 |
| Ubuntu 18.10 | August 2019 |
Red Hat Enterprise Linux Life Cycle Support
Red Hat Enterprise Linux (RHEL) is a commercial Linux distribution that comes with structured customer support along with the open source feel that has drawn many users to Linux. Red Hat has a 10-year support life cycle for its products. Some versions have an extended life cycle support option, like Version 5 shown below.
| Operating System | Support End Date |
| --- | --- |
| RHEL Version 3 | October 31, 2010 |
| RHEL Version 4 | February 29, 2012 |
| RHEL Version 5 | March 31, 2017 |
| RHEL Version 6 | November 30, 2020 |
| RHEL Version 7 | June 30, 2024 |
CentOS Life Cycle Support
CentOS is a RHEL clone that is supported by Red Hat but operated independently, and it is distributed as free and open software. CentOS is a popular distribution with a measurable presence on Amazon's EC2 platform, on par with RHEL. The CentOS release cycle follows the Red Hat cycle: versions are named in line with Red Hat's nomenclature, and the support dates match as well.
| Operating System | Support End Date |
| --- | --- |
| CentOS Version 3 | October 31, 2010 |
| CentOS Version 4 | February 29, 2012 |
| CentOS Version 5 | March 31, 2017 |
| CentOS Version 6 | November 30, 2020 |
| CentOS Version 7 | June 30, 2024 |
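As an added example (not code from the original post), the following Python check reads /etc/os-release-style content from a constructed inventory and flags hosts whose Ubuntu, RHEL or CentOS release is past the support end dates in the tables above; where the post gives only a month, the last day of that month is assumed.

```python
# Added example (not from the post): flag hosts whose OS is past the support
# end dates quoted in the Ubuntu, RHEL and CentOS tables above. Where the
# post gives only a month, the last day of that month is assumed.
from datetime import date
# (ID from /etc/os-release, VERSION_ID) -> support end date from the post
EOL = {
    ("ubuntu", "14.04"): date(2019, 4, 30),
    ("ubuntu", "16.04"): date(2021, 4, 30),
    ("ubuntu", "18.04"): date(2023, 4, 30),
    ("rhel", "6"): date(2020, 11, 30),
    ("rhel", "7"): date(2024, 6, 30),
    ("centos", "6"): date(2020, 11, 30),
    ("centos", "7"): date(2024, 6, 30),
}

def parse_os_release(text):
    """Parse /etc/os-release KEY=VALUE lines into a dict, quotes stripped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip().strip('"')
    return fields

def support_status(os_release_text, today_iso):
    """Return (id, version, status): supported, end-of-life or unknown."""
    fields = parse_os_release(os_release_text)
    distro = fields.get("ID", "").lower()
    version = fields.get("VERSION_ID", "")
    if distro in ("rhel", "centos"):  # tables are per major: "7.6" -> "7"
        version = version.split(".")[0]
    end = EOL.get((distro, version))
    if end is None:  # release not covered by the post's tables
        return distro, version, "unknown"
    past = date.fromisoformat(today_iso) > end
    return distro, version, "end-of-life" if past else "supported"

# Constructed sample inventory: hostname -> contents of /etc/os-release
INVENTORY = {
    "web01": 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="16.04"\n',
    "db01": 'NAME="CentOS Linux"\nID="centos"\nVERSION_ID="7.6.1810"\n',
    "legacy01": 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="14.04"\n',
    "dev01": 'NAME="Fedora"\nID=fedora\nVERSION_ID=29\n',
}

def needs_attention(inventory, today_iso):
    """Hostnames that are end-of-life or not covered by the tables, sorted."""
    return sorted(host for host, text in inventory.items()
                  if support_status(text, today_iso)[2] != "supported")
```

Hosts reported as "unknown" are worth as much attention as end-of-life ones: they are running something the table does not cover, which usually means an undocumented build.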
Amazon Linux, Amazon Machine Image (AMI)
Amazon developed its own version of Linux to run on EC2 and offered it at no cost to EC2 users. This version receives automatic patches and updates through a rolling update feature, with releases in March and August. The most recent, Version 2018.03, was released in March 2018 and is only available in the EC2 environment. That drew some backlash from developers, because a local test environment could not be used before software and updates were rolled into production, although a test environment could still be run in a separate EC2 environment.
Untested updates could cause problems for applications. Automatic updates and patches can be turned off and applied once the user has validated the release. Because updates roll continuously, there is no "outdated" platform for the Amazon Linux AMI: users are automatically moved to the latest version. Amazon has stopped further releases of this version and is focusing on the new Amazon Linux 2 release described below; it said it will continue supporting Amazon Linux AMI through June 30, 2020.
Amazon Linux 2
Amazon released its updated Linux platform in June 2018 to give EC2 users a long-term stable platform with five years of expected support. A virtual machine (VM) image was also made available for developers to use outside EC2: a Docker container image for any Docker environment, plus images for Kernel-based Virtual Machine (KVM), Oracle VM VirtualBox, Microsoft Hyper-V and VMware ESXi for on-premises development and testing. Amazon said it will support Amazon Linux 2 through June 30, 2023. Support for Amazon Linux 2 is otherwise the same as for the Amazon Linux AMI.
Summary
Server management is a vital element of your security and vulnerability management plan. Servers run the critical applications necessary for operations and are an important support structure for an organization. Patch management is also key, as more and more servers are publicly accessible.
Do you need a vulnerability assessment or help defining a server strategy? Check out our services page here or contact us here.