Editor’s Note: Coming 2023, Microsoft’s end of support will mean all support and updates for its Windows 8.1 operating system and Server 2012 R2 will stop. NetGain Technologies recommends reviewing your technology stack and if you have any of these systems in place, start planning to replace them before their end of support dates.
All things must come to an end. Just as technology has an end of life, the software running on it has an end of life too. What can be confusing is that these do not always coincide. Take, for example, your smartphone. You bought it under the assumption of using it for a certain period. This may have been based on what the manufacturer recommended, your budget, or assumptions on how older devices have performed before they made it to the tech graveyard.
To extend the life of your device, one of the biggest opportunities that we have in terms of mitigating security is to ensure devices are patched. Patches are typically released by the vendor in a predetermined cadence – monthly, quarterly, on-demand, or otherwise. While devices are in “support” these patches are available to a device.
As we come up on another critical Windows end of life event or Microsoft’s end of support, it’s important to remember why it’s desirable to keep devices under an active support agreement, and more than anything, running supportable hardware and software. First let’s define what Microsoft’s end of support means as different manufacturers have various definitions behind the term, or other lifecycle dates that might be more important. Ultimately Microsoft’s end of support or Microsoft’s end of life means that new features and development of the product will no longer exist, and that security vulnerabilities will not be patched. The latter is much more concerning than the former when considering heighted security requirements for business and the need to limit risks towards business IP, client data and other corporate/company info.
When considering Microsoft Services, specifically their Windows and Server Operating Systems, they have historically followed a schedule of five years of mainstream support, and an additional five years of extended support. During mainstream support, Microsoft provides new releases, updates, service packs, builds, fixes and patches in order to enhance a product’s security and reliability, close vulnerabilities and fix problems.
During extended support, security and reliability updates are provided, as well as bug fixes, but non-security updates are typically not provided. Once extended support is over for a product, it effectively goes “end of life”.
When Server 2008 & Windows 7 ended life, you were provided the option to purchase Extended Security Updates (ESU), but this only provided critical and important updates along with technical support for the product. One risk this presents is third party application capability. Often ESU is used to allow an older application to remain on an “EOL” OS, whereby it would not have run if upgraded to a modern OS. At this point, it likely wouldn’t make sense to use Server 2016 for new installations considering the operating system went end of mainstream support Jan. 11, 2022, although it will have mainstream support for another five years.
Other vendors have slightly different practices where they might have an end of software and end of hardware support as separate dates. Cisco, as an example, typically ended software support – including any vulnerability fixes – two years before the hardware end of life date. This means that while Cisco will support the hardware until it’s effective end of life, they stop patching any security vulnerabilities two years prior to the end of life. For a device that sits at the end of your network – in some cases, “the door to your business’ home”, it would make sense to ensure that the exterior walls are consistently patched for known vulnerabilities.
Just because our windows operating systems don’t sit on the perimeter of our network (typically, although those would be of a much higher chance of exploit/concern) doesn’t mean that they don’t provide a high risk to your organization. As soon as vulnerabilities exists for these systems, cyber attackers will be writing scripts to attack through external penetration tactics, email campaigns and other methods to hit weak targets. These unpatched systems act as patient zero targets where an exploit will occur on them, and then act as a beacon to move laterally through the network as attackers look to gain more privilege to compromise data and information.
With any type of capital expenditure, if we can budget for it, it makes it much easier to move forward in a successful manner, limiting risk due to security exposure, or the risk involved with any technology change and cutover. When a new purchase is made, going through the process of outlining straight line depreciation of a product will help in defining a budget timeline for its replacement. Additionally, looking at the sum of the whole can allow us to recycle our equipment in phases to spread our capital spend across multiple fiscal years so that we’re limiting how much we must spend, year over year.
Alternatively, there may be options for us to get creative on how we move forward. Assuming we have 10 2012 servers running on two ESX hosts (running VMware 6.7), it might make sense to look at leveraging a public cloud option in place of purchasing and installing new operating systems to run on hardware that will need replaced in the future. Microsoft has started to incentivize customers to move to its Azure public cloud platform, and it’s enticing given the consistent streamlined updates, platform integration and operational spend model. It also could be a consideration given the supply chain shortages we’ve come to see on both the consumer and business side, particularly when it comes to hardware requiring microchips as those have seen the highest impact.
Please schedule a time with a NetGain expert to learn which of your products might be reaching end of support soon.
#####
Critical Dates
| Date | Vendor | Product | Impact |
| 1/10/2023 | Microsoft | Windows 8.1 | End of Extended Support |
| 10/10/2023 | Microsoft | Server 2012 & 2012r2 | End of Extended Support |
| 1/10/2023 | Microsoft | Hyper-V Server 2012 & 2012 R2 | End of Extended Support |
| 6/14/2022 | Microsoft | Internet Explorer 11 on Windows 10 | End of Extended Support |
| 7/9/2024 | Microsoft | SQL Server 2014 | End of Extended Support |
| 7/12/2022 | Microsoft | SQL Server 2012 | End of Extended Support |
| 1/12/2027 | Microsoft | Windows Server 2016 | End of Extended Support |
| 10/14/2025 | Microsoft | Windows 10 | End of Extended Support |
| 10/15/2022 | VMware | ESXi/vCenter 6.5 & 6.7 | End of General Support |
| 4/2/2025 | VMware | ESXi/vCenter 7.0 | End of General Support |
| 10/28/2022 | Cisco | ISR4321/4331 | End of Vulnerability Support |
| 7/31/2020 | Cisco | CUCM 12.0 | End of SW Maintenance Release |
| 4/11/2023 | Microsoft | Office 2013 | End of Extended Support |
| 10/14/2025 | Microsoft | Office 2016 | End of Extended Support |
References
- https://docs.microsoft.com/en-us/answers/questions/572027/mainsteam-end-date.html#:~:text=Mainstream%20Support%20begins%20when%20the,Mainstream%20Support%20and%20Extended%20Support.
- https://docs.microsoft.com/en-us/lifecycle/
- https://docs.microsoft.com/en-us/lifecycle/products/
- https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates
- https://lifecycle.vmware.com/#/
- https://www.vmware.com/support/lifecycle-policies.html
