People pointing at servers.

Tech Refresh as Part of an Effective Vulnerability Management Program: Part Three

In Cyber Security Strategy by Keith Melancon

Servers and Vulnerability Management

In part three of our blog series on the importance of keeping technology and operating systems updated as part of your vulnerability management program, I’ll focus on servers. Servers are a critical component to your security plan, just like mobile devices and unsupported operating systems are.

Servers provide key support for an organization, usually running critical applications needed for operations. In the past, they were mainly kept on site on a server farm. However, with the arrival of cloud computing, it’s increasingly cost effective to house servers on the cloud.

If you like this blog, check out part one on unsupported operating systems and part two on mobile devices.

Patching

Whether a server is physical or virtual, patching is still a key part of cyber security that needs to be managed. Servers are often public facing, which means any vulnerabilities that can be exploited likely will be. And while many recent data breaches have more to do with third party applications than the operating systems themselves, having a server that is beyond end-of-life and accessible to the public is not a sound cyber security practice. As we talk about the main server operating systems, please note that Linux variants lead the field.

Microsoft Server Life Cycle Support

The development and support for Windows servers is like the desktop. New releases happen every three to four years and Microsoft supports each operating system for ten years.

Operating System* Release Date End-of Life Date
Windows Server NT 4.0 July 1996 December 31, 2004
Windows Server 2000 November 2000 April 12, 2011
Windows Server 2003 November 2006 April 8, 2014**
Windows Server 2006 June 2006 July 12, 2016
Windows Server 2012 October 2012 January 10, 2023
Windows Server 2016 October 2016 At least until January 2027

* There are many server variants (SQL, Exchange, HyperV, etc) and service packs configurations. The end-of-life date shown here is the last date supported for that family, with some versions ending sooner.

**Microsoft provided an exception to this when they released a patch specifically for EternalBlue on May 13, 2017 that covered the unsupported Windows XP and Windows Server 2003.

Linux

Linux operating systems are much more common on the server side because they can be customized. They’re also popular because of the security they offer. If we look at statistics from the Cloud Market that analyze images from Amazon’s Elastic Compute Cloud (EC2), just under 90 percent of those images are Linux variants.

Ubuntu Life Cycle Support

Just like on the desktop side, Ubuntu is the most popular distribution of Linux for servers, according to the Cloud Market statistics. About a third of all images being used on EC2 are Ubuntu, running just ahead of Amazon Linux. As noted above, their LTS versions are guaranteed to have at least five years of support, including maintenance and security updates. Minor releases have nine months of guaranteed support.

Operating System Support End Date
Ubuntu 10.04 LTS April 2015
Ubuntu 12.04 LTS April 2020 (support extended)
Ubuntu 14.04 LTS April 2019
Ubuntu 16.04 LTS April 2021
Ubuntu 17.10 August 2018
Ubuntu 18.04 LTS April 2023
Ubuntu 18.10 August 2019

Red Hat Enterprise Linux Life Cycle Support

Red Hat Enterprise Linux (RHEL) is a commercial Linux distribution that comes with structured customer support along with the open source feel that has drawn many users to Linux. Linux has a 10-year support life cycle for its products. Some versions have an extended life cycle support option, like Version 5 shown below.

Operating System Support End Date
RHEL Version 3 October 31, 2010
RHEL Version 4 February 29, 2012
RHEL Version 5 March 31, 2017
RHEL Version 6 November 30, 2020
RHEL Version 7 June 30, 2024

CentOS Life Cycle Support

CentOS is a RHEL clone that’s supported by Red Hat but operated independently. It offers free and open software distribution. CentOS a popular distribution that has a measurable presence on Amazon’s EC2 platform on par with RHEL. The CentOS distribution cycle follows the Red Hat cycle and the versions are named in-line with Red Hat’s nomenclature and support dates are too.

Operating System Support End Date
CentOS Version 3 October 31, 2010
CentOS Version 4 February 29, 2012
CentOS Version 5 March 31, 2017
CentOS Version 6 November 30, 2020
CentOS Version 7 June 30, 2024

Amazon Linux, Amazon Machine Image (AMI)

Amazon developed their own version of Linux to run on the EC2 and offered the software at no cost to EC2 users. This version offers automatic patches and updates through a rolling update feature in March and August. The most recent, Version 2018.03, was released in March 2018 and is only available in the EC2 environment. That part drew  some backlash with developers because a local test environment couldn’t be used before the software and updates were rolled into production. But you could still run your test environment in a separate EC2 environment.

Untested updates could cause problems for applications. Automatic updates and patches can be turned off and applied when the user has validated the release. There is no “outdated” platform for AMI, but with rolling updates, users will be automatically updated to the latest version. The company has stopped further releases of this version and is focusing on their new Amazon Linux 2 release described below. Amazon said they will continue supporting Amazon Linux AMI through June 30, 2020.

Amazon Linux 2

Amazon released their updated Linux platform in June 2018 to give EC2 users a long-term stable platform, including five years of expected support. Additionally, a virtual machine (VM) image was also established for developers to use on a non-EC2 environment. This includes a Docker container image for use in any Docker environment, a VM Kernel-based Virtual Machine (KVM), Oracle VM VirtualBox, Microsoft Hyper-V, and VMware ESXi for on-premises development and testing. Amazon said it will support Linux 2 through June 30, 2023. Support for Linux 2 is the same as for Linux AMI.

Summary

Server management is a vital element to your security and vulnerability management plan. Servers run critical applications necessary for operations and are an important support structure for an organization. Patch management is also key as more servers are publicly accessible.

Do you need a vulnerability assessment or help defining a server strategy? Check out our services page here or contact us here.