Research and Recommendations
Windows Server 2003 Custom Support Agreements
Paul DeGroot
Senior Consultant
Software Licensing Advisors
Who Are Software Licensing Advisors?
• Mission: “The Customer’s Advocate”
  • Too many customers rely only on Microsoft or a reseller, who focuses on what they want to sell
  • Leaves most customers with software they don't deploy or don't need
  • While projects or investments with demonstrable ROI beg for funds
• SLA focuses on value and fit
  • What you need to buy and the best way to buy it
  • Align IT spending and strategies with corporate objectives and constraints
• Personnel
  • Steve Kelley
    • Microsoft sales for 5 years, insider knowledge of Microsoft’s negotiating process
  • Paul DeGroot
    • World-renowned expert on Microsoft licensing, previously with Directions on Microsoft
  • Steve O'Halloran
    • SAM technical expert, creator of AssetMetrix (now built into SCCM)
“I've learned far more from this engagement than I expected. You really made a difference.” --High-tech manufacturing firm that reduced EA spend by 50%
“Your team has been absolutely fabulous...” --Fortune 500 consumer products firm that reduced EA spend by 60%
“We exceeded our expectations for these negotiations. Because we had your intelligence, we knew what to hang on for. You really showed us the art of the possible.” --Global 25 resource company
“Your financial models, worksheets, and strategies were invaluable. Outstanding work.” --Global 100 pharmaceutical firm that reduced 3-year EA spend by more than $60 million
The Issue: End of Support for Windows Server 2003
• Availability of service packs, updates, hotfixes, and patches depends on a product's life-cycle phase
• Guidelines, not guarantees
Phase | Duration | Updates | Costs
Mainstream | 5 years after release, or 2 years after release of successor, whichever is greater | All: service packs, program patches, updates, hotfixes, security patches | $0
Extended | 5 years after the end of Mainstream | Security patches, custom hotfixes | Security patches: $0; custom hotfixes require Extended Hotfix Service Agreement
Web | 2+ years after the end of Extended | Web access to previously released updates, knowledge base articles | $0
Custom | 2 years after the end of Extended | Same as Extended | Custom Support Agreement, with per device pricing
Why Not Upgrade Windows Server 2003?
• The vast majority of our customers who will not upgrade from Windows Server 2003 by July have a significant barrier to doing so. No one takes the issue casually
  • A custom application still hasn't been/can't be rewritten
  • Application vendor's product specifies this version
  • Will require a costly upgrade to a newer version of a vendor's application
  • Will void warranty/support on associated application, equipment
    • Upgrade drivers
  • Regulatory compliance requirements
    • HIPAA, PCI, etc.
  • Need to replace hardware but new hardware is not well supported by Server 2003
    • Drivers, storage subsystems, faster networks
  • Want to avoid purchasing a Custom Support Agreement (CSA)
• What's your situation? What are other people doing? Fill out our survey (Google logon required) at https://docs.google.com/forms/d/176GG1UILgff3Pd3J2pIAUe11gu9WIdi2PkNcGRMUPfE/viewform?usp=send_form
The Hitch
• A Custom Support Agreement is very expensive
  • First year: ~ the cost of the original license
    • For Windows Server 2003 Standard that is about $700 per license
    • We have seen quotes for $600
  • Second year: double year 1 -- $1,200 per device
  • Third year: double year 2 -- $2,400 per device
• Not clear what, if anything, you will get out of it
  • Patches may apply to only a few, or even none, of your systems
    • You don't run .NET applications
    • Administrators do not browse the Web or run user applications (e-mail, Word, Media Player) from the server console
    • Your device is not accessible over the network, or to the Internet
    • You are not running vulnerable services on your servers
  • No significant patches may appear in the next year or two
  • You just need a few more months to de-commission your remaining Server 2003 instances
What kind of risks without a CSA
• Microsoft has multiple definitions of update severity
  • Critical non-security updates
    • System may become unavailable
  • Critical security updates
    • Remote Code Execution
    • Escalation of Privilege
    • Denial of Service (DOS)
    • Without user prompts
  • Important security updates
    • Could compromise confidentiality of user data
    • Some may prompt the user for action, others not
• Many Windows XP critical updates are also applied to Server 2003
  • Share much of their code
  • But XP user activities (Web browsing, media playing) and common practice of users with admin rights create more opportunities for compromised systems than servers
    • No admin logged on much of the time
    • Consumer features less available
What our research found
• Critical updates are declining in frequency
• Many critical updates address narrow, specific configurations that may not be typical
  • .NET applications
  • Telnet Use
  • Windows Media
  • Office
  • Paint
[Chart: Windows Server 2003 Critical Security Updates, by year, 2010 to 2015]
Non-Security Updates by Type
Type | Number | Most Recent | Comment
Application compatibility issue | 3 | 04/05/12 | SharePoint and Microsoft time stamps
Feature update | 3 | 10/11/10 | Primarily to implement Extended Protection for Authentication in the Server
Functionality issue that does not affect live data | 1 | 12/10/12 | Volume Shadow Copy issues
Functionality issue, with available workaround | 1 | 04/05/12 | Templates from Server 2003 VMs
Internet security issue with manual workaround | 6 | 10/08/12 | Untrusted security certificates from Comodo, Microsoft; too-short cryptographic keys
Primarily a desktop issue | 12 | 02/10/14 | Rendering Web pages, Office and Windows client compatibility
Server Web browser issue | 1 | 04/05/12 | Limited to Small Business Server 2003 R2
Updates security capabilities | 1 | 04/05/12 | Limited to Small Business Server 2003 R2
WSUS Updates | 1 | 08/29/12 | Moot, since no further updates will be delivered via WSUS
Microsoft's Solution: the CSA
• Provides Critical and Important updates beyond extended support
• Plus problem resolution, some support assistance, account management
• Custom hotfixes only for “critical” problems
  • Significant business loss or degradation of service
  • Cause products to crash, lose data, function unpredictably
  • No changes for additional functionality, e.g. time zones, daylight savings
• Payment is always retroactive to the start of support
An Alternative: Custom Support Essentials
• Covers critical hotfixes only (nothing for “important” severity)
• Can substantially reduce costs if few critical hotfixes are released
• One critical hotfix is included, at a fixed price
• Payment is a fixed fee plus a per device fee. As older systems are taken out of service, hotfix costs go down
CSA Strategies
• Don't purchase a CSA immediately
  • You can always buy it later
  • By then you may have taken many vulnerable servers out of service, reducing your cost
  • Cost will be the same if you buy it later
• Consider Custom Support Essentials
  • For a few critical hotfixes that apply to you it will be less
• Risk reduction
  • Servers with .NET applications should be upgraded first
  • Control administrative activities at the console
  • Turn off unnecessary services, like Telnet
• Take our poll to see what others are doing:
  • https://docs.google.com/forms/d/176GG1UILgff3Pd3J2pIAUe11gu9WIdi2PkNcGRMUPfE/viewform?usp=send_form