Stuck supporting out-of-date Windows Servers, what options do I have?
-
I’m dealing with a company that has an old unsupported ERP system running on Windows Server 2008R2 servers. The company has since migrated to SAP but didn’t bring over all the old data from past years. The company is obligated to keep at least 7 years of history for audits, etc… IT will be exporting as much data as we can, but it will be hard to capture all necessary data and have it be easily searchable for employees to look back on sales history, inventory records, etc… The old ERP system consists of 1 Windows Server 2008R2 application server hosting a Pervasive SQL database and 4 Windows Server 2008R2 RDP servers that have the old ERP application installed. I can drop down the RDP server count to 1. The servers are virtual in a VMware environment. I can’t spin up new Windows 2019 servers and reinstall the old ERP application since it is no longer supported on anything past Windows Server 2008R2. What options do I have to create some sort of stand-alone emergency infrastructure that is isolated from the main network? I want to try and keep this simple but need someone to bounce ideas off. Any help, tips, or advice on this?
-
-
This goes without saying but VLAN them onto a separate network and allow whitelist-only traffic.
-
Set up a bastion host in this network to administer them. So set up a Windows Server 2019 server and only allow incoming RDP traffic to that. Then specifically allow that server exclusively to RDP to your 2008R2 servers.
-
Set up some type of tool that completely locks down processes and doesn't allow any files to be created on the instances
https://www.symantec.com/products/data-center-security
- You could also set up an alternate directory for this domain and create a trust (or don't).
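One concrete way to implement the bastion and whitelist-only rules above with host firewalls, as an added example (not IRJ's own configuration). All addresses, host names and ports are assumed placeholders; the Pervasive ports are the PSQL defaults and should be confirmed against the ERP install. Windows Server 2008 R2 has no NetSecurity cmdlets, so that side uses netsh.

```powershell
# Added example; every address, host name and port below is an assumed placeholder.
$Bastion        = '10.50.10.10'     # Windows Server 2019 jump host in the legacy VLAN
$AdminSubnet    = '10.1.20.0/24'    # where IT staff workstations live
$AppServer      = '10.50.10.21'     # 2008 R2 app server hosting Pervasive SQL
$RdpServer      = '10.50.10.22'     # the one remaining 2008 R2 RDP server
$PervasivePorts = '1583,3351'       # Pervasive PSQL defaults; confirm against the ERP install

# ---- On the 2019 bastion. Run from the VM console, not over RDP, so a mistake cannot lock you out.
# The stock "Remote Desktop" rules accept 3389 from any address; replace them with one scoped rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP in - admin subnet only' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $AdminSubnet -Action Allow | Out-Null
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# ---- On the 2008 R2 RDP server (netsh, since 2008 R2 lacks the NetSecurity module).
# Only the bastion may open an RDP session; everything else inbound is dropped by the profile default.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=No
netsh advfirewall firewall add rule name="RDP in - bastion only" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=$Bastion
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# ---- On the 2008 R2 app server: RDP from the bastion, database traffic from the RDP server only.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=No
netsh advfirewall firewall add rule name="RDP in - bastion only" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=$Bastion
netsh advfirewall firewall add rule name="Pervasive in - ERP RDP server only" dir=in action=allow `
    protocol=TCP localport=$PervasivePorts remoteip=$RdpServer
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# ---- Check: run on the bastion (TcpTestSucceeded should be True) and again from an
# admin workstation outside the VLAN (should be False, proving the whitelist holds).
foreach ($h in $AppServer, $RdpServer) {
    $r = Test-NetConnection -ComputerName $h -Port 3389 -WarningAction SilentlyContinue
    '{0} RDP reachable from {1}: {2}' -f $h, $env:COMPUTERNAME, $r.TcpTestSucceeded
}
```

The host rules are defence in depth behind the VLAN ACLs, not a replacement for them; a switch-level whitelist still has to block everything else into the legacy VLAN.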
-
-
I'd definitely get it off the domain if possible, put it in its own network (VLAN/DMZ) and only allow the RDP port to have access. Assuming you have a single VM host (or that this host is sharing other production VMs) you should be able to attach to the VM management tools to get a console to the VM when needed for managing the server.
-
I'd like to put it behind a firewall. It could be a virtual one. One connection to the outside, one to the ERP server and one to the RDP server(s). That would allow you to only have minimal traffic without the problem of doing it on the W2008 servers. You could also limit clients' access to the RDP servers. If you need to change anything it would be done in the firewall.
I don't know if RDP on W2008 is a security problem. I don't think so but if it was you could put in a VPN or something.
Next and perhaps most importantly, I would take one master snapshot. And revert back to that same snapshot every night automatically. Since it's a read-only system for archival purposes there is no point in having it save anything. If Windows could be run on a read-only filesystem that would have been even better but I don't think it can. So this system will start fresh every morning. It doesn't matter what someone did or didn't do.
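The nightly revert described above, as an added example (not Pete's own script): a VMware PowerCLI job that reverts each legacy VM to a single golden snapshot and restarts it. The vCenter name, VM names, snapshot name and service account are assumed placeholders; PowerCLI is assumed installed on the management host.

```powershell
# Added example; vCenter address, VM names, snapshot name and account are assumed placeholders.
# One-time prerequisite so the task can connect non-interactively:
#   Install-Module VMware.PowerCLI
#   New-VICredentialStoreItem -Host vcenter.example.internal -User svc-revert -Password '<secret>'
$VCenter = 'vcenter.example.internal'
$VmNames = 'ERP-APP01', 'ERP-RDS01'   # the app server and the one remaining RDP server
$Golden  = 'GOLDEN-ARCHIVE'           # the single master snapshot taken after the final data export

Connect-VIServer -Server $VCenter | Out-Null

foreach ($name in $VmNames) {
    $vm    = Get-VM -Name $name
    $snaps = @(Get-Snapshot -VM $vm)
    $gold  = $snaps | Where-Object { $_.Name -eq $Golden }
    if (-not $gold) { Write-Warning "$name has no snapshot '$Golden'; skipping"; continue }
    # A second snapshot means someone deliberately preserved state; refuse rather than discard it silently.
    if ($snaps.Count -gt 1) { Write-Warning "$name has $($snaps.Count) snapshots, expected only '$Golden'; skipping"; continue }

    # Revert: everything written since the snapshot (malware, config drift, cached files) is discarded.
    # Windows event logs go with it, so forward them off-box during the day if you need an audit trail.
    Set-VM -VM $vm -Snapshot $gold -Confirm:$false | Out-Null

    # A snapshot taken while powered off leaves the VM off after the revert; bring it back for the morning.
    $vm = Get-VM -Name $name
    if ($vm.PowerState -ne 'PoweredOn') { Start-VM -VM $vm -Confirm:$false | Out-Null }
    '{0}: reverted to {1} at {2:u}' -f $name, $Golden, (Get-Date)
}
Disconnect-VIServer -Server $VCenter -Confirm:$false

# Schedule it nightly on the management host (run once, elevated, as the same account that owns the
# credential store item, since that store is per user profile):
#   $a = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -File C:\Ops\Revert-LegacyErp.ps1'
#   $t = New-ScheduledTaskTrigger -Daily -At 02:00
#   Register-ScheduledTask -TaskName 'Revert legacy ERP' -Action $a -Trigger $t -User 'DOMAIN\svc-revert' -Password '<secret>'
```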
-
@IRJ said in Stuck supporting out-of-date Windows Servers, what options do I have?:
-
This goes without saying but VLAN them onto a separate network and allow whitelist-only traffic.
-
Set up a bastion host in this network to administer from. So set up a Windows Server 2019 server and only allow incoming RDP traffic to that. Then specifically allow that server exclusively to RDP to your 2008R2 servers.
-
Set up some type of tool that completely locks down processes and doesn't allow any files to be created on the instances
https://www.symantec.com/products/data-center-security
- You could also set up an alternate directory for this domain and create a trust (or don't).
This pretty much sums it up.
-
-
Another option that wasn't mentioned is migrating the 2008R2 servers to Azure. Once migrated into Azure, you get security updates for 3 more years after the January 14, 2020 end of support.
-
@magicmarker said in Stuck supporting out-of-date Windows Servers, what options do I have?:
Another option that wasn't mentioned is migrating the 2008R2 servers to Azure. Once migrated into Azure, you get security updates for 3 more years after the January 14, 2020 end of support.
That's just putting a band-aid on something that you will have to deal with again.
-
@black3dynamite said in Stuck supporting out-of-date Windows Servers, what options do I have?:
That's just putting a band-aid on something that you will have to deal with again.
Time value of money. Why not kick the can down the road and invest in an area of the company that actually produces growth instead?
-
@StorageNinja said in Stuck supporting out-of-date Windows Servers, what options do I have?:
@black3dynamite said in Stuck supporting out-of-date Windows Servers, what options do I have?:
That's just putting a band-aid on something that you will have to deal with again.
Time value of money. Why not kick the can down the road and invest in an area of the company that actually produces growth instead?
And maybe it will be the next IT guy's problem down the road!
-
@scottalanmiller said in Stuck supporting out-of-date Windows Servers, what options do I have?:
@StorageNinja said in Stuck supporting out-of-date Windows Servers, what options do I have?:
@black3dynamite said in Stuck supporting out-of-date Windows Servers, what options do I have?:
That's just putting a band-aid on something that you will have to deal with again.
Time value of money. Why not kick the can down the road and invest in an area of the company that actually produces growth instead?
And maybe it will be the next IT guy's problem down the road!
...if you plan your cards right.
-
Not to threadjack...
Now that I've experienced Fedora WS & Server updates, why do Windows updates suck so bad?
-
@magicmarker said in Stuck supporting out-of-date Windows Servers, what options do I have?:
Another option that wasn't mentioned is migrating the 2008R2 servers to Azure. Once migrated into Azure, you get security updates for 3 more years after the January 14, 2020 end of support.
Well played Microsoft...
-
I didn't know about this, but apparently it's old news...
-
@FATeknollogee said in Stuck supporting out-of-date Windows Servers, what options do I have?:
Not to threadjack...
Now that I've experienced Fedora WS & Server updates, why do Windows updates suck so bad?
Microsoft has never been good at upgrades. You'd think they would have it figured out by now, but nope.
-
@travisdh1 said in Stuck supporting out-of-date Windows Servers, what options do I have?:
@FATeknollogee said in Stuck supporting out-of-date Windows Servers, what options do I have?:
Not to threadjack...
Now that I've experienced Fedora WS & Server updates, why do Windows updates suck so bad?
Microsoft has never been good at upgrades. You'd think they would have it figured out by now, but nope.
Upgrades or updates?
Of course Windows isn't perfect, but Windows 10 upgrades in my experience have been pretty damned awesome. Updates for Windows 10 have been only slightly less so.
Now server updates - that's another matter.
-
@FATeknollogee said in Stuck supporting out-of-date Windows Servers, what options do I have?:
Not to threadjack...
Now that I've experienced Fedora WS & Server updates, why do Windows updates suck so bad?
Any reasonably mature Linux distro is light years ahead of M$ for updates.
-
@travisdh1 said in Stuck supporting out-of-date Windows Servers, what options do I have?:
@FATeknollogee said in Stuck supporting out-of-date Windows Servers, what options do I have?:
Not to threadjack...
Now that I've experienced Fedora WS & Server updates, why do Windows updates suck so bad?
Microsoft has never been good at upgrades. You'd think they would have it figured out by now, but nope.
I think they are good now and the method works extremely well. Users literally don't have to do anything to stay up to date. For upgrades, it's handled automatically, all the user has to do is schedule it when prompted to by Windows.
Actually, doing nothing on Win10 presently is a good bet. You'll get updates when needed (avoiding those occasional breaking changes that all OSs get), but not immediately (like you do when you hit the "check for updates" button, which gives you the latest updates, as it should).
It's only when you start doing things "your" way without knowing what you are doing that things go bad, generally.
But then again, I don't know if the context is business or home use. It depends. But if business, you use business methods of controlling updates, and you avoid all issues anyway... and it is also seamless to the user, completely. Which makes both options excellent presently.
-
The problem isn't really updates itself. It's all the erroneous shit that comes included with Windows. That most people have running and they don't want / need.
-
@IRJ said in Stuck supporting out-of-date Windows Servers, what options do I have?:
The problem isn't really updates itself. It's all the erroneous shit that comes included with Windows. That most people have running and they don't want / need.
Or the updates to the extra shit that no one wants.
-
@Obsolesce said in Stuck supporting out-of-date Windows Servers, what options do I have?:
@travisdh1 said in Stuck supporting out-of-date Windows Servers, what options do I have?:
@FATeknollogee said in Stuck supporting out-of-date Windows Servers, what options do I have?:
Not to threadjack...
Now that I've experienced Fedora WS & Server updates, why do Windows updates suck so bad?
Microsoft has never been good at upgrades. You'd think they would have it figured out by now, but nope.
I think they are good now and the method works extremely well. Users literally don't have to do anything to stay up to date. For upgrades, it's handled automatically, all the user has to do is schedule it when prompted to by Windows.
Actually, doing nothing on Win10 presently is a good bet. You'll get updates when needed (avoiding those occasional breaking changes that all OSs get), but not immediately (like you do when you hit the "check for updates" button, which gives you the latest updates, as it should).
It's only when you start doing things "your" way without knowing what you are doing that things go bad, generally.
But then again, I don't know if the context is business or home use. It depends. But if business, you use business methods of controlling updates, and you avoid all issues anyway... and it is also seamless to the user, completely. Which makes both options excellent presently.
I have yet to work with any sort of Windows patch management that doesn't require much more management time on my part than any reasonable flavor of Linux. With Linux you set the updates to go, and you can forget about it 99.99% of the time. Windows always seems to require manual intervention to not break things. The most recent example is the update that broke Access databases. Not that I think Access is a good platform to run a business on in the first place, but many do run on it.