It’s been a good run, but today marks exactly one year until Microsoft stops releasing security updates for Windows 7 & Windows Server 2008 R2. What are your options? Read on.

Windows 7 was first released in October 2009 – just shy of 10 years ago. The last service pack (SP1) was released in February 2011. Microsoft’s older support policy means the Extended Support end date lands on 14th January 2020. The timeline for Windows Server 2008 R2 looks very similar – it reaches EOL on the exact same date.

What happens on these EOL dates? Microsoft stops releasing security updates. The products keep working, but you are now exposed to a whole world of soon-to-be-unleashed zero-day security vulnerabilities.

As with the EOL of Windows Server 2003 R2 and Windows XP, there is a fair bit of panic and uncertainty surrounding this change. Industries such as broadcast seem to be particularly affected, as they prefer to cling onto stable platforms for much longer than the general public.

Each time Microsoft stops supporting an operating system, you generally have four options:

  1. Do nothing. Keep using the product and accept the risk of running without security updates
  2. Upgrade to a newer operating system
  3. Pay Microsoft for Extended Security Updates
  4. Move your servers to Azure to take advantage of Extended Security Updates for free

Option 1: Do Nothing

This is probably the worst thing you could do. Windows is a platform with a huge exposure to security issues. Even if your system is fairly well segregated from the rest of the world, there are still attack vectors – for example, SMB and RDP are commonly used to sneak attacks through an internal network using protocol vulnerabilities.

Attackers often look to businesses running out-of-date and unsupported software as easy targets. We can be pretty sure in 2020 there’ll be some good new exploits targeting those still on these older operating systems.

Option 2: Upgrade

We have exactly one year from today, which should be ample time for most smaller operations to thoroughly plan, test and roll out upgrades.

Virtualisation makes upgrading a bit safer by allowing you to create snapshots, so make sure you take advantage of that when upgrading live systems. You may also just wish to create new VMs and migrate the workloads across (this is my preferred method).

If you’re a Software Assurance customer, you may already have access to newer versions of Microsoft Volume License software (SA allows you to receive complimentary upgrade licenses for new products released in the three years since your license purchase date).

Option 3: Pay for extended security updates

If you really can’t upgrade in time, Microsoft allows you to purchase extended security updates. However, it’s not priced very attractively – you have to pay 75% of the original product’s license fee every year. This product is available for three years after the EOL, which takes us to February 2023.

Option 4: Move to Azure

Azure is Microsoft’s cloud services platform, and they are really trying to incentivise moving your workload into the cloud. Any 2008 R2 server in Azure will get security updates until February 2023 – at no additional cost. This can save you thousands of dollars over Option 3, but you now have to pay for the cost of the VMs.