Tech Refresh as Part of an Effective Vulnerability Management Program: Part Three

Servers and Vulnerability Management

In part three of our blog series on the importance of keeping technology and operating systems updated as part of your vulnerability management program, I’ll focus on servers. Servers are a critical component of your security plan, just like mobile devices and unsupported operating systems are.

Servers provide key support for an organization, usually running critical applications needed for operations. In the past, they were mainly kept on site in a server farm. However, with the arrival of cloud computing, it’s increasingly cost effective to house servers in the cloud.

If you like this blog, check out part one on unsupported operating systems and part two on mobile devices.

Patching

Whether a server is physical or virtual, patching is still a key part of cyber security that needs to be managed. Servers are often public facing, which means any vulnerabilities that can be exploited likely will be. And while many recent data breaches have more to do with third-party applications than the operating systems themselves, having a server that is beyond end-of-life and accessible to the public is not a sound cyber security practice. As we talk about the main server operating systems, please note that Linux variants lead the field.

Microsoft Server Life Cycle Support

Development and support for Windows servers follow the same pattern as for the desktop. New releases happen every three to four years and Microsoft supports each operating system for ten years.

| Operating System* | Release Date | End-of-Life Date |
| --- | --- | --- |
| Windows Server NT 4.0 | July 1996 | December 31, 2004 |
| Windows Server 2000 | November 2000 | April 12, 2011 |
| Windows Server 2003 | November 2006 | April 8, 2014** |
| Windows Server 2006 | June 2006 | July 12, 2016 |
| Windows Server 2012 | October 2012 | January 10, 2023 |
| Windows Server 2016 | October 2016 | At least until January 2027 |

* There are many server variants (SQL, Exchange, Hyper-V, etc.) and service pack configurations. The end-of-life date shown here is the last date supported for that family, with some versions ending sooner.

**Microsoft provided an exception to this when they released a patch specifically for EternalBlue on May 13, 2017 that covered the unsupported Windows XP and Windows Server 2003.

Linux

Linux operating systems are much more common on the server side because they can be customized. They’re also popular because of the security they offer. If we look at statistics from the Cloud Market that analyze images from Amazon’s Elastic Compute Cloud (EC2), just under 90 percent of those images are Linux variants.

Ubuntu Life Cycle Support

Just like on the desktop side, Ubuntu is the most popular distribution of Linux for servers, according to the Cloud Market statistics. About a third of all images being used on EC2 are Ubuntu, running just ahead of Amazon Linux. As noted above, their LTS versions are guaranteed to have at least five years of support, including maintenance and security updates. Minor releases have nine months of guaranteed support.

| Operating System | Support End Date |
| --- | --- |
| Ubuntu 10.04 LTS | April 2015 |
| Ubuntu 12.04 LTS | April 2020 (support extended) |
| Ubuntu 14.04 LTS | April 2019 |
| Ubuntu 16.04 LTS | April 2021 |
| Ubuntu 17.10 | August 2018 |
| Ubuntu 18.04 LTS | April 2023 |
| Ubuntu 18.10 | August 2019 |

Red Hat Enterprise Linux Life Cycle Support

Red Hat Enterprise Linux (RHEL) is a commercial Linux distribution that comes with structured customer support along with the open source feel that has drawn many users to Linux. Linux has a 10-year support life cycle for its products. Some versions have an extended life cycle support option, like Version 5 shown below.

| Operating System | Support End Date |
| --- | --- |
| RHEL Version 3 | October 31, 2010 |
| RHEL Version 4 | February 29, 2012 |
| RHEL Version 5 | March 31, 2017 |
| RHEL Version 6 | November 30, 2020 |
| RHEL Version 7 | June 30, 2024 |

CentOS Life Cycle Support

CentOS is a RHEL clone that’s supported by Red Hat but operated independently. It offers free and open software distribution. CentOS is a popular distribution that has a measurable presence on Amazon’s EC2 platform, on par with RHEL. The CentOS distribution cycle follows the Red Hat cycle, and both the version names and the support dates are in line with Red Hat’s.

| Operating System | Support End Date |
| --- | --- |
| CentOS Version 3 | October 31, 2010 |
| CentOS Version 4 | February 29, 2012 |
| CentOS Version 5 | March 31, 2017 |
| CentOS Version 6 | November 30, 2020 |
| CentOS Version 7 | June 30, 2024 |

Amazon Linux, Amazon Machine Image (AMI)

Amazon developed their own version of Linux to run on EC2 and offered the software at no cost to EC2 users. This version offers automatic patches and updates through a rolling update feature in March and August. The most recent, Version 2018.03, was released in March 2018 and is only available in the EC2 environment. That part drew some backlash from developers because a local test environment couldn’t be used before the software and updates were rolled into production. But you could still run your test environment in a separate EC2 environment.

Untested updates could cause problems for applications. Automatic updates and patches can be turned off and applied when the user has validated the release. There is no “outdated” platform for AMI, but with rolling updates, users will be automatically updated to the latest version. The company has stopped further releases of this version and is focusing on their new Amazon Linux 2 release described below. Amazon said they will continue supporting Amazon Linux AMI through June 30, 2020.

Amazon Linux 2

Amazon released their updated Linux platform in June 2018 to give EC2 users a long-term stable platform, including five years of expected support. Additionally, a virtual machine (VM) image was established for developers to use in a non-EC2 environment. This includes a Docker container image for use in any Docker environment, and VM images for Kernel-based Virtual Machine (KVM), Oracle VM VirtualBox, Microsoft Hyper-V, and VMware ESXi for on-premises development and testing. Amazon said it will support Linux 2 through June 30, 2023. Support for Linux 2 is the same as for Linux AMI.

Summary

Server management is a vital element of your security and vulnerability management plan. Servers run critical applications necessary for operations and are an important support structure for an organization. Patch management is also key as more servers are publicly accessible.
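The life cycle dates above can be turned into a routine inventory check. The following is an added example, not part of the original post: it parses each server's /etc/os-release, looks up the support end date from a subset of the Ubuntu, RHEL and CentOS tables, and flags hosts that are past or near end of support. The host names, os-release contents and the 180-day warning window are constructed assumptions.

```python
import calendar
from datetime import date

# Subset of the post's tables. (year, month) entries are month-only dates in the post.
EOL = {
    ("ubuntu", "14.04"): (2019, 4), ("ubuntu", "16.04"): (2021, 4),
    ("ubuntu", "18.04"): (2023, 4),
    ("rhel", "6"): (2020, 11, 30), ("rhel", "7"): (2024, 6, 30),
    ("centos", "6"): (2020, 11, 30), ("centos", "7"): (2024, 6, 30),
}

def parse_os_release(text):
    """Parse /etc/os-release KEY=value lines; values may be quoted."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            fields[key] = value.strip().strip("\"'")
    return fields

def eol_date(distro, version):
    """Support end date from the table above, or None if the release is not listed."""
    # Ubuntu is keyed by its YY.MM release; RHEL and CentOS by major version only.
    entry = EOL.get((distro, version if distro == "ubuntu" else version.split(".")[0]))
    if entry is None:
        return None
    year, month, *day = entry  # month-only dates count as the last day of that month
    return date(year, month, day[0] if day else calendar.monthrange(year, month)[1])

def classify(os_release_text, today, warn_days=180):
    """Return 'expired', 'expiring', 'supported' or 'unknown' for one host."""
    f = parse_os_release(os_release_text)
    end = eol_date(f.get("ID", "").lower(), f.get("VERSION_ID", ""))
    if end is None:
        return "unknown"  # not in the table: needs manual review, not a pass
    if today > end:
        return "expired"
    return "expiring" if (end - today).days <= warn_days else "supported"

# Constructed inventory: host names and os-release contents are made up for illustration.
INVENTORY = {
    "web01": 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="14.04"\n',
    "db01": 'NAME="CentOS Linux"\nID="centos"\nVERSION_ID="7"\n',
    "app01": 'NAME="Red Hat Enterprise Linux Server"\nID="rhel"\nVERSION_ID="6.10"\n',
    "ci01": 'ID=debian\nVERSION_ID="9"\n',
}

def audit(today):
    return {host: classify(text, today) for host, text in INVENTORY.items()}
```

Hosts reported as "unknown" are releases the table does not cover, so they should be reviewed by hand rather than treated as supported.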

Do you need a vulnerability assessment or help defining a server strategy? Check out our services page here or contact us here.


*** This is a Security Bloggers Network syndicated blog from Blog – Delta Risk authored by Keith Melancon. Read the original post at: https://deltarisk.com/blog/tech-refresh-as-part-of-an-effective-vulnerability-management-program-part-three/