The term ‘end of life’ (EOL) when referring to software or the components your web application may be running is an important concept to understand. It affects the security and stability of your application and, once announced, may require some forward planning – especially if you’re running Windows Server 2012.
What is software end-of-life?
The end-of-life of a software product is the final stage of its lifecycle where it is no longer supported by the vendor. Specifically, it’s a date released by the vendor as part of support documentation for the project. No further development occurs on the project after this point so no updates are released and the vendor will no longer answer any queries or provide any technical support.
This can make it difficult to run applications which depend on products that have been end-of-lifed. Primarily, this is because the project will no longer receive security updates and any vulnerabilities discovered past the end-of-life date may not be patched, meaning there’s no way to run the software securely without the risk of the application and its data being compromised.
Know the risks
The risk to application security is significant. In fact, the Open Web Application Security Project (OWASP) lists vulnerable and outdated components sixth in its 2021 Top 10 security risks.
The exact risk of running end-of-lifed components is difficult to determine as it will depend on what vulnerabilities are discovered within the software, how easily they can be exploited by attackers and whether there are any mitigations which can be implemented to work around the vulnerability. However, without a vendor to provide full support and a security update to fix the original vulnerability, the risk of an attack is too great.
Getting informed
All software components used by your application should ideally have information on their software lifecycle and end-of-life data published by their developer – otherwise it can be difficult to determine whether it’s safe to still use that component. This is particularly important for large components such as operating systems or development frameworks, which can sometimes have very severe vulnerabilities.
Hopefully you know the operating system used to run your web application. If not, ask your application developers or, if this is not possible, we can assist you. It’s likely it’s either Linux, Windows or a serverless solution. If it’s Windows, you can usually determine the version yourself.
Windows 2012 EOL
Windows Server 2012 (R2), 2016, 2019 and 2022 are currently supported by Microsoft, but Windows Server 2012’s end-of-life date is 10 October 2023. After this point Microsoft will no longer release any updates for Windows 2012 as standard, including security updates.
To avoid the risk of compromise to any applications you run on Windows Server 2012, you’ll need to plan to migrate these to a later version of Windows Server (probably 2022). While it is possible to upgrade a Windows Server without losing settings and data via an in-place upgrade, this can only upgrade one Windows version at a time. It is also likely to result in some downtime on your application while the upgrade runs and there’s a possibility your application may not function correctly after the upgrade. As such, we would always recommend creating a new Windows Server and migrating your application to the new operating system.
Creating a new server allows you to migrate and test your application on the new Windows version without affecting your live application, and once testing is complete you can migrate to the new server without any significant risk or downtime.
Compatibility
In general, later Windows Server versions are extremely backward compatible with earlier versions. However, this is not always the case with other software so you may find your application or other dependent components do not run on Windows 2022, or require significant changes or updates to work.
Most vendors will provide a set of software requirements which should give you an idea of whether your application and its underlying components support Windows 2022. If you’re not sure, ask your current application support provider or speak to us to discuss a review of your application. It may be the case that your current software doesn’t, but your vendor provides an updated version, requiring both the operating system and your software to be updated!
Getting prepared
For these reasons, we’d suggest reviewing any applications you have running on Windows 2012 over the next few months. You can assess their complexity and possible compatibility with Windows 2022, giving you plenty of time to migrate your application prior to the deadline.
Should this be problematic, there are some other potential options. Microsoft provides an extended security updates programme, offering an additional three years of updates under certain conditions. Alternatively, you may be able to migrate your application to Linux instead.
OWA can provide further advice on all of the options mentioned above as well as other possibilities tailored specifically for your own applications running on Windows 2012, so please contact us to set up a review of your application if you’d like more information.