Research and Recommendations

Windows Server 2003 Custom Support Agreements
Paul DeGroot, Senior Consultant, Software Licensing Advisors

msftadvisors.com/SLA_Win2003.pdf


Who Are Software Licensing Advisors?
• Mission: “The Customer’s Advocate”
  • Too many customers rely only on Microsoft or a reseller, who focuses on what they want to sell
  • Leaves most customers with software they don't deploy or don't need
  • While projects or investments with demonstrable ROI beg for funds
• SLA focuses on value and fit
  • What you need to buy and the best way to buy it
  • Align IT spending and strategies with corporate objectives and constraints
• Personnel
  • Steve Kelley
    • Microsoft sales for 5 years, insider knowledge of Microsoft’s negotiating process
  • Paul DeGroot
    • World-renowned expert on Microsoft licensing, previously with Directions on Microsoft
  • Steve O'Halloran
    • SAM technical expert, creator of AssetMetrix (now built into SCCM)

“I've learned far more from this engagement than I expected. You really made a difference.” --High-tech manufacturing firm that reduced EA spend by 50%

“Your team has been absolutely fabulous...” --Fortune 500 consumer products firm that reduced EA spend by 60%

“We exceeded our expectations for these negotiations. Because we had your intelligence, we knew what to hang on for. You really showed us the art of the possible.” --Global 25 resource company

“Your financial models, worksheets, and strategies were invaluable. Outstanding work.” --Global 100 pharmaceutical firm that reduced 3-year EA spend by more than $60 million

Selected Customer Engagements

The Issue: End of Support for Windows Server 2003
• Availability of service packs, updates, hotfixes, and patches depends on a product's life-cycle phase
• Guidelines, not guarantees

| Phase | Duration | Updates | Costs |
|---|---|---|---|
| Mainstream | 5 years after release, or 2 years after release of successor, whichever is greater | All: Service packs, program patches, updates, hotfixes, security patches | $0 |
| Extended | 5 years after the end of Mainstream | Security patches, custom hotfixes | Security patches: $0; custom hotfixes require Extended Hotfix Service Agreement |
| Web | 2+ years after the end of Extended | Web access to previously released updates, knowledge base articles | $0 |
| Custom | 2 years after the end of Extended | Same as Extended | Custom Support Agreement, with per device pricing |

Why Not Upgrade Windows Server 2003?
• The vast majority of our customers who will not upgrade from Windows Server 2003 by July have a significant barrier to doing so. No one takes the issue casually
  • A custom application still hasn't been/can't be rewritten
  • Application vendor's product specifies this version
  • Will require a costly upgrade to a newer version of a vendor's application
  • Will void warranty/support on associated application, equipment
• Upgrade drivers
  • Regulatory compliance requirements
    • HIPAA, PCI, etc.
  • Need to replace hardware but new hardware is not well supported by Server 2003
    • Drivers, storage subsystems, faster networks
  • Want to avoid purchasing a Custom Support Agreement (CSA)
• What's your situation? What are other people doing? Fill out our survey (Google logon required) at https://docs.google.com/forms/d/176GG1UILgff3Pd3J2pIAUe11gu9WIdi2PkNcGRMUPfE/viewform?usp=send_form

The Hitch
• A Custom Support Agreement is very expensive
  • First year: ~ the cost of the original license
    • For Windows Server 2003 Standard that is about $700 per license
    • We have seen quotes for $600
  • Second year: double year 1 -- $1,200 per device
  • Third year: double year 2 -- $2,400 per device
• Not clear what, if anything, you will get out of it
  • Patches may apply to only a few, or even none, of your systems
    • You don't run .NET applications
    • Administrators do not browse the Web or run user applications (e-mail, Word, Media Player) from the server console
    • Your device is not accessible over the network, or to the Internet
    • You are not running vulnerable services on your servers
  • No significant patches may appear in the next year or two
  • You just need a few more months to de-commission your remaining Server 2003 instances

What kind of risks without a CSA
• Microsoft has multiple definitions of update severity
  • Critical non-security updates
    • System may become unavailable
  • Critical security updates
    • Remote Code Execution
    • Escalation of Privilege
    • Denial of Service (DOS)
    • Without user prompts
  • Important security updates
    • Could compromise confidentiality of user data
    • Some may prompt the user for action, others not
• Many Windows XP critical updates are also applied to Server 2003
  • Share much of their code
  • But XP user activities (Web browsing, media playing) and common practice of users with admin rights create more opportunities for compromised systems than servers
    • No admin logged on much of the time
    • Consumer features less available

What our research found
• Critical updates are declining in frequency
• Many critical updates address narrow, specific configurations that may not be typical
  • .NET applications
  • Telnet Use
  • Windows Media
  • Office
  • Paint

[Chart: Windows Server 2003 Critical Security Updates, by year, 2010 to 2015]

Non-Security Updates by Type

| Type | Number | Most Recent | Comment |
|---|---|---|---|
| Application compatibility issue | 3 | 04/05/12 | SharePoint and Microsoft time stamps |
| Feature update | 3 | 10/11/10 | Primarily to implement Extended Protection for Authentication in the Server |
| Functionality issue that does not affect live data | 1 | 12/10/12 | Volume Shadow Copy issues |
| Functionality issue, with available workaround | 1 | 04/05/12 | Templates from Server 2003 VMs |
| Internet security issue with manual workaround | 6 | 10/08/12 | Untrusted security certificates from Comodo, Microsoft; too-short cryptographic keys |
| Primarily a desktop issue | 12 | 02/10/14 | Rendering Web pages, Office and Windows client compatibility |
| Server Web browser issue | 1 | 04/05/12 | Limited to Small Business Server 2003 R2 |
| Updates security capabilities | 1 | 04/05/12 | Limited to Small Business Server 2003 R2 |
| WSUS Updates | 1 | 08/29/12 | Moot, since no further updates will be delivered via WSUS |

Microsoft's Solution: the CSA
• Provides Critical and Important updates beyond extended support
• Plus problem resolution, some support assistance, account management
• Custom hotfixes only for “critical” problems
  • Significant business loss or degradation of service
  • Cause products to crash, lose data, function unpredictably
• No changes for additional functionality, e.g., time zones, daylight savings
• Payment is always retroactive to the start of support

An Alternative: Custom Support Essentials
• Covers critical hotfixes only (nothing for “important” severity)
• Can substantially reduce costs if few critical hotfixes are released
• One critical hotfix is included, at a fixed price
• Payment is a fixed fee plus a per device fee. As older systems are taken out of service, hotfix costs go down

CSA Strategies
• Don't purchase a CSA immediately
  • You can always buy it later
  • By then you may have taken many vulnerable servers out of service, reducing your cost
  • Cost will be the same if you buy it later
• Consider Custom Support Essentials
  • For a few critical hotfixes that apply to you it will be less
• Risk reduction
  • Servers with .NET applications should be upgraded first
  • Control administrative activities at the console
  • Turn off unnecessary services, like Telnet
• Take our poll to see what others are doing:
  • https://docs.google.com/forms/d/176GG1UILgff3Pd3J2pIAUe11gu9WIdi2PkNcGRMUPfE/viewform?usp=send_form