
    Stuck supporting out-of-date Windows Servers, what options do I have?

    IT Discussion
    • magicmarkerM
      magicmarker
      last edited by

      I’m dealing with a company that has an old unsupported ERP system running on Windows Server 2008R2 servers. The company has since migrated to SAP but didn’t bring over all the old data from past years. The company is obligated to keep at least 7 years of history for audits, etc… IT will be exporting as much data as we can, but it will be hard to capture all necessary data and have it be easily searchable for employees to look back on sales history, inventory records, etc… The old ERP system consists of 1 Windows Server 2008R2 application server hosting a Pervasive SQL database and 4 Windows Server 2008R2 RDP servers that have the old ERP application installed. I can drop down the RDP server count to 1. The servers are virtual in a VMware environment. I can’t spin up new Windows 2019 servers and reinstall the old ERP application since it is no longer supported on anything past Windows Server 2008R2. What options do I have to create some sort of stand-alone emergency infrastructure that is isolated from the main network? I want to try and keep this simple but need someone to bounce ideas off. Any help, tips, or advice on this?

      1 Reply Last reply Reply Quote 0
      • IRJI
        IRJ
        last edited by IRJ

        1. This goes without saying but VLAN them onto a separate network and allow whitelist only traffic.

        2. Set up a bastion host in this network to administer them. So set up a Windows Server 2019 server and only allow incoming RDP traffic to that. Then specifically allow that server exclusively to RDP to your 2008R2 servers.

        3. Set up some type of tool that completely locks down processes and doesn't allow any files to be created on the instances.

        https://www.symantec.com/products/data-center-security

        4. You could also set up an alternate directory for this domain and create a trust (or don't).
        scottalanmillerS 1 Reply Last reply Reply Quote 3
        • DashrenderD
          Dashrender
          last edited by

          I'd definitely get it off the domain if possible. Put it in its own network (VLAN/DMZ) and only allow RDP port to have access. Assuming you have a single VM host (or at this host is sharing other production VMs) you should be able to attach to the VM management tools to get a console to the VM when needed for managing the server.

          1 Reply Last reply Reply Quote 0
          • 1
            1337
            last edited by

            I'd like to put it behind a firewall. It could be a virtual one. One connection to the outside, one to the ERP server and one to the RDP server(s). That would allow you to only have minimal traffic without the problem of doing it on the W2008 servers. You could also limit clients' access to the RDP servers. If you need to change anything it would be done in the firewall.

            I don't know if RDP on W2008 is a security problem. I don't think so but if it was you could put in a VPN or something.

            Next and perhaps most importantly, I would take one master snapshot. And revert back to that same snapshot every night automatically. Since it's a read-only system for archival purposes there is no point in having it save anything. If Windows could be run on a read-only filesystem that would have been even better but I don't think it can. So this system will start fresh every morning. It doesn't matter what someone did or didn't do.

            1 Reply Last reply Reply Quote 0
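
The allow-list described in the posts above (a separate segment, a bastion as the only RDP entry point, rules kept in the firewall) can be written down and audited for drift. This is an added example, not part of any poster's reply; all addresses, the rule format and the Pervasive ports are assumptions.

```python
import ipaddress as ip

# Constructed addressing (assumption): none of these values come from the thread.
CLIENTS = ip.ip_network("10.0.0.0/16")     # main network
BASTION = ip.ip_network("10.99.0.10/32")   # Windows Server 2019 bastion host
RDP_NET = ip.ip_network("10.99.1.0/24")    # 2008R2 RDP server(s)
DB_NET = ip.ip_network("10.99.2.0/24")     # 2008R2 Pervasive SQL server
ANY = ip.ip_network("0.0.0.0/0")
LEGACY = (RDP_NET, DB_NET)
DB_PORTS = (1583, 3351)  # assumed Pervasive listener ports; confirm on the server

# (action, source, destination, TCP ports or None for any). First match wins,
# and anything that matches no rule is dropped.
RULES = [
    ("allow", CLIENTS, BASTION, (3389,)),   # users RDP to the bastion only
    ("allow", BASTION, RDP_NET, (3389,)),   # bastion is the only way in
    ("allow", RDP_NET, DB_NET, DB_PORTS),   # ERP client to its database
]

def decide(rules, src, dst, port):
    """Return the firewall verdict for one TCP connection attempt."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net, ports in rules:
        if s in src_net and d in dst_net and (ports is None or port in ports):
            return action
    return "deny"

def touches_legacy(net):
    return any(net.overlaps(l) for l in LEGACY)

def within_legacy(net):
    return any(net.subnet_of(l) for l in LEGACY)

def audit(rules):
    """Flag allow rules that weaken the isolation. Conservative: a rule is
    reported even if an earlier rule happens to shadow it."""
    findings = []
    for i, (action, src, dst, ports) in enumerate(rules):
        if action != "allow":
            continue
        if ports is None:
            findings.append((i, "allows every port"))
        if touches_legacy(dst) and not (src.subnet_of(BASTION) or within_legacy(src)):
            findings.append((i, "reaches 2008R2 hosts without the bastion"))
        if touches_legacy(src) and not within_legacy(dst):
            findings.append((i, "lets 2008R2 hosts initiate traffic outward"))
    return findings

# Constructed example of rule drift: a direct-RDP shortcut and an any/any egress rule.
DRIFTED = RULES + [
    ("allow", CLIENTS, RDP_NET, (3389,)),
    ("allow", RDP_NET, ANY, None),
]

if __name__ == "__main__":
    for name, rules in (("RULES", RULES), ("DRIFTED", DRIFTED)):
        print(name, audit(rules) or "no findings")
```
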
            • scottalanmillerS
              scottalanmiller @IRJ
              last edited by

              @IRJ said in Stuck supporting out-of-date Windows Servers, what options do I have?:

              1. This goes without saying but VLAN them onto a separate network and allow whitelist only traffic.

              2. Set up a bastion host in this network to administer from. So set up a Windows Server 2019 server and only allow incoming RDP traffic to that. Then specifically allow that server exclusively to RDP to your 2008R2 servers.

              3. Set up some type of tool that completely locks down processes and doesn't allow any files to be created on the instances.

              https://www.symantec.com/products/data-center-security

              4. You could also set up an alternate directory for this domain and create a trust (or don't).

              This pretty much sums it up.

              1 Reply Last reply Reply Quote 0
              • magicmarkerM
                magicmarker
                last edited by

                Another option that wasn't mentioned is migrating the 2008R2 servers to Azure. Once migrated into Azure, you get security updates for 3 more years after the January 14, 2020 end of support.

                black3dynamiteB IRJI 2 Replies Last reply Reply Quote 0
                • black3dynamiteB
                  black3dynamite @magicmarker
                  last edited by

                  @magicmarker said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                  Another option that wasn't mentioned is migrating the 2008R2 servers to Azure. Once migrated into Azure, you get security updates for 3 more years after the January 14, 2020 end of support.

                  That’s just putting a band-aid on something that you will have to deal with again.

                  S 1 Reply Last reply Reply Quote 0
                  • S
                    StorageNinja Vendor @black3dynamite
                    last edited by

                    @black3dynamite said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                    That’s just putting a band-aid on something that you will have to deal with again.

                    Time value money. Why not kick the can down the road and invest in an area of the company that actually produces growth instead?

                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @StorageNinja
                      last edited by

                      @StorageNinja said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                      @black3dynamite said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                      That’s just putting a band-aid on something that you will have to deal with again.

                      Time value money. Why not kick the can down the road and invest in an area of the company that actually produces growth instead?

                      And maybe it will be the next IT guy's problem down the road!

                      ObsolesceO 1 Reply Last reply Reply Quote 0
                      • ObsolesceO
                        Obsolesce @scottalanmiller
                        last edited by

                        @scottalanmiller said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                        @StorageNinja said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                        @black3dynamite said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                        That’s just putting a band-aid on something that you will have to deal with again.

                        Time value money. Why not kick the can down the road and invest in an area of the company that actually produces growth instead?

                        And maybe it will be the next IT guy's problem down the road!

                        ...if you plan your cards right.

                        1 Reply Last reply Reply Quote 1
                        • FATeknollogeeF
                          FATeknollogee
                          last edited by

                          Not to threadjack...
                          Now that I've experienced Fedora WS & Server updates, why do/does Windows updates suck so bad?

                          travisdh1T notverypunnyN 2 Replies Last reply Reply Quote 0
                          • IRJI
                            IRJ @magicmarker
                            last edited by

                            @magicmarker said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                            Another option that wasn't mentioned is migrating the 2008R2 servers to Azure. Once migrated into Azure, you get security updates for 3 more years after the January 14, 2020 end of support.

                            Well played Microsoft...


                            1 Reply Last reply Reply Quote 0
                            • IRJI
                              IRJ
                              last edited by

                              I didn't know about this, but apparently it's old news...

                              https://azure.microsoft.com/en-us/blog/announcing-new-options-for-sql-server-2008-and-windows-server-2008-end-of-support/

                              1 Reply Last reply Reply Quote 0
                              • travisdh1T
                                travisdh1 @FATeknollogee
                                last edited by

                                @FATeknollogee said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                                Not to threadjack...
                                Now that I've experienced Fedora WS & Server updates, why do/does Windows updates suck so bad?

                                Microsoft has never been good at upgrades. You'd think they would have it figured out by now, but nope.

                                DashrenderD ObsolesceO 2 Replies Last reply Reply Quote 0
                                • DashrenderD
                                  Dashrender @travisdh1
                                  last edited by

                                  @travisdh1 said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                                  @FATeknollogee said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                                  Not to threadjack...
                                  Now that I've experienced Fedora WS & Server updates, why do/does Windows updates suck so bad?

                                  Microsoft has never been good at upgrades. You'd think they would have it figured out by now, but nope.

                                  Upgrades or updates?

                                  Of course Windows isn't perfect, but Windows 10 upgrades in my experience have been pretty damned awesome. Updates for Windows 10 have been only slightly less so.

                                  Now server updates - that's another matter.

                                  DustinB3403D 1 Reply Last reply Reply Quote 0
                                  • notverypunnyN
                                    notverypunny @FATeknollogee
                                    last edited by

                                    @FATeknollogee said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                                    Not to threadjack...
                                    Now that I've experienced Fedora WS & Server updates, why do/does Windows updates suck so bad?

                                    Any reasonably mature Linux distro is light years ahead of M$ for updates.

                                    1 Reply Last reply Reply Quote 1
                                    • ObsolesceO
                                      Obsolesce @travisdh1
                                      last edited by Obsolesce

                                      @travisdh1 said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                                      @FATeknollogee said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                                      Not to threadjack...
                                      Now that I've experienced Fedora WS & Server updates, why do/does Windows updates suck so bad?

                                      Microsoft has never been good at upgrades. You'd think they would have it figured out by now, but nope.

                                      I think they are good now and the method works extremely well. Users literally don't have to do anything to stay up to date. For upgrades, it's handled automatically, all the user has to do is schedule it when prompted to by Windows.

                                      Actually, doing nothing on Win10 presently is a good bet. You'll get updates when needed (avoiding those occasional breaking changes that all OSs get), but not immediately (like you do when you hit the "check for updates" button, which gives you the latest updates, as it should).

                                      It's only when you start doing things "your" way without knowing what you are doing that things go bad, generally.

                                      But then again, I don't know if the context is business or home use. It depends. But if business, you use business-methods of controlling updates, and you avoid all issues anyways... and is also seamless to the user, completely. Which makes both options excellent presently.

                                      travisdh1T 1 Reply Last reply Reply Quote 1
                                      • IRJI
                                        IRJ
                                        last edited by

                                        The problem isn't really updates itself. It's all the erroneous shit that comes included with Windows. That most people have running and they don't want / need.

                                        Reid CooperR 1 Reply Last reply Reply Quote 0
                                        • Reid CooperR
                                          Reid Cooper @IRJ
                                          last edited by

                                          @IRJ said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                                          The problem isn't really updates itself. It's all the erroneous shit that comes included with Windows. That most people have running and they don't want / need.

                                          Or the updates to the extra shit that no one wants.

                                          1 Reply Last reply Reply Quote 0
                                          • travisdh1T
                                            travisdh1 @Obsolesce
                                            last edited by

                                            @Obsolesce said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                                            @travisdh1 said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                                            @FATeknollogee said in Stuck supporting out-of-date Windows Servers, what options do I have?:

                                            Not to threadjack...
                                            Now that I've experienced Fedora WS & Server updates, why do/does Windows updates suck so bad?

                                            Microsoft has never been good at upgrades. You'd think they would have it figured out by now, but nope.

                                            I think they are good now and the method works extremely well. Users literally don't have to do anything to stay up to date. For upgrades, it's handled automatically, all the user has to do is schedule it when prompted to by Windows.

                                            Actually, doing nothing on Win10 presently is a good bet. You'll get updates when needed (avoiding those occasional breaking changes that all OSs get), but not immediately (like you do when you hit the "check for updates" button, which gives you the latest updates, as it should).

                                            It's only when you start doing things "your" way without knowing what you are doing that things go bad, generally.

                                            But then again, I don't know if the context is business or home use. It depends. But if business, you use business-methods of controlling updates, and you avoid all issues anyways... and is also seamless to the user, completely. Which makes both options excellent presently.

                                            I have yet to work with any sort of Windows patch management that doesn't require much more management time on my part than any reasonable flavor of Linux. Linux you set the updates to go, and you can forget about it for 99.99% of the time. Windows always seems to require manual intervention to not break things. Most recent example is the update that broke Access databases. Not that I think Access is a good platform to run a business on in the first place, but many do run on it 😞

                                            DashrenderD 1 Reply Last reply Reply Quote 0