
End of life dates and server headers

As I write this, it's 7 months until Windows 7, Windows 2008 and 2008 R2 go end of life. On 14th January 2020, Microsoft will cease all support for these operating systems along with SQL Server 2008.

When Microsoft declare the end of life of a product, it doesn't mean that it will stop working but it does mean that there are no longer any patches for it. Should a security hole be found, the server will be vulnerable with no OS level remediation possible.

For these reasons alone, companies really need to start planning migrations off Windows 7, Server 2008 and 2008 R2, especially if any of these servers are accessible from the internet for web services.

When you access a webserver it is possible to get an awful lot of information from that server about its operating system, version of web server and so on. This information is very easy to collect and a gold mine for hackers.

As an example, running the command

wget -O /dev/null --server-response www.bbc.co.uk

from either a Linux box or from Bash on Windows will print a whole slew of information on the web server we've connected to. One piece of information is the server OS:

Connecting to www.bbc.co.uk (www.bbc.co.uk)||:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
Server: nginx
X-BBC-No-Scheme-Rewrite: 1
X-Cache-Action: HIT
X-Cache-Hits: 13515
Vary: X-BBC-Edge-Scheme
Cache-Control: public, max-age=3600

It's quite clear to see that the BBC website is run on nginx - there is no version number so it is hard to know just what sort of attacks could work if we were that sort of person - this is no bad thing of course.

But what about in the Windows world? Well, Windows will show the webserver as an IIS version:

Connecting to [Deleted] connected.
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
Content-Length: 163
Content-Type: text/html
Location: [Deleted]
Server: Microsoft-IIS/6.0

I've removed the site name for reasons that'll be clear in a minute.

It's easy to see that the web server is IIS/6.0, but what OS is that? A quick google and the MS tech note at https://support.microsoft.com/en-gb/help/224609/how-to-obtain-versions-of-internet-information-server-iis says it's for Windows 2003. That means that the server behind the website is Windows 2003. An OS that went end of life on July 14th 2015.
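The same lookup can be automated for an internal inventory: pull the Server header out of captured response text, map an IIS version back to the Windows release that ships it, and flag anything past its end-of-support date. The script below is an added example, not code from the original post. The IIS 5.0/Windows 2000 and IIS 6.0/Windows 2003 mappings and the 2015 and 2020 dates come from the post; the IIS 7.0/7.5 to Server 2008/2008 R2 mapping is taken from Microsoft's public lifecycle data and is an assumption outside the post. The hostnames other than www.bbc.co.uk are constructed placeholders.

```python
import re
from datetime import date
from typing import Dict, List, Optional

# IIS version -> (Windows release that ships it, Microsoft end-of-support date).
# IIS 5.0/Windows 2000, IIS 6.0/Windows 2003 and the 2015 and 2020 dates are
# from the post; IIS 7.0 -> Server 2008 and IIS 7.5 -> Server 2008 R2 are taken
# from Microsoft's public lifecycle data (assumption). Unlisted versions are
# reported as unknown rather than guessed.
IIS_TO_OS = {
    "5.0": ("Windows 2000", date(2010, 7, 13)),
    "6.0": ("Windows Server 2003", date(2015, 7, 14)),
    "7.0": ("Windows Server 2008", date(2020, 1, 14)),
    "7.5": ("Windows Server 2008 R2", date(2020, 1, 14)),
}

# Header names are case-insensitive; wget --server-response indents header lines.
SERVER_RE = re.compile(r"^\s*Server:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
IIS_RE = re.compile(r"^Microsoft-IIS/(\d+\.\d+)$", re.IGNORECASE)


def server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from raw response text such as
    wget --server-response prints, or None if the server sends none."""
    m = SERVER_RE.search(raw_response)
    return m.group(1) if m else None


def classify(server_value: Optional[str], today: date) -> dict:
    """Map a Server header value to an OS and a support status as of `today`."""
    m = IIS_RE.match(server_value or "")
    if not m:
        # nginx, an unversioned banner or no header at all: nothing to infer
        return {"iis": None, "os": None, "status": "not-iis", "days_left": None}
    version = m.group(1)
    if version not in IIS_TO_OS:
        return {"iis": version, "os": None, "status": "unknown-iis-version", "days_left": None}
    os_name, eol = IIS_TO_OS[version]
    days_left = (eol - today).days
    status = "end-of-life" if days_left <= 0 else "supported"
    return {"iis": version, "os": os_name, "status": status, "days_left": days_left}


def triage(responses: Dict[str, str], today: date) -> List[dict]:
    """Classify a host -> raw-header-text inventory; end-of-life hosts first."""
    rows = []
    for host, raw in responses.items():
        rec = classify(server_header(raw), today)
        rec["host"] = host
        rows.append(rec)
    order = {"end-of-life": 0, "supported": 1, "unknown-iis-version": 2, "not-iis": 3}
    return sorted(rows, key=lambda r: order[r["status"]])


# Constructed sample responses, not real scan data; the first two mirror the
# header lines shown in the post.
SAMPLE_RESPONSES = {
    "www.bbc.co.uk": "HTTP/1.1 301 Moved Permanently\n  Server: nginx\n  Cache-Control: public, max-age=3600\n",
    "legacy.example.invalid": "HTTP/1.1 301 Moved Permanently\n  Content-Length: 163\n  Server: Microsoft-IIS/6.0\n",
    "intranet.example.invalid": "HTTP/1.1 200 OK\n  Server: Microsoft-IIS/7.5\n",
    "newer.example.invalid": "HTTP/1.1 200 OK\n  Server: Microsoft-IIS/10.0\n",
}

if __name__ == "__main__":
    for rec in triage(SAMPLE_RESPONSES, date(2019, 6, 14)):
        remaining = f"{rec['days_left']} days left" if rec["status"] == "supported" else ""
        print(f"{rec['host']:<28} {rec['status']:<20} {rec['os'] or '-':<24} {remaining}")
```

Feed it the header text you already collect with wget and a run date, and the end-of-life hosts float to the top of the list; a Server header that has been stripped or rewritten by a CDN simply lands in the "not-iis" bucket, so the script never reports an OS it cannot justify from the banner.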

It gets worse: a quick look at my domain scanning database and:


Of course, it is quite possible for CDN networks, load balancers and so on to alter the header, but why they'd alter it to show an old OS is beyond me. I therefore suspect that the headers are real and that yes, there are legacy servers out there hosting websites, including Windows 2000 servers, which show up as IIS/5.0.

Often, the problem is that a system is deployed, it's not looked after or maintained, and then companies get scared about replacing it. The result is not only tech debt but a serious security risk just waiting to happen. To avoid this it is imperative to keep on top of end of life dates, to patch and reboot systems to ensure that they are reboot safe, and to always have documentation on how they were installed. Even today, the very basics seem to be ignored on projects and so we keep ending up repeating the same mistakes.

In summary, start your journey away from Windows 2008 now. It will save you headaches next year.

Gary Williams


IT Person | Veeam Vanguard | VMware vExpert | Windows admin | Docker fan | Spiceworks moderator | keeper of 3 cats | Avid Tea fan
