How Can Clients Use TLS 1.2 When the Server Only Supports TLS 1.0 (Windows Server 2003)?

[-]

Waffles943@reddit

Any audit that cares about TLS 1.0 being outdated is going to care about an operating system that has been EOL for a decade. All encrypted network traffic is going to use TLS 1.0, not just HTTPS. SMB is going to use TLS 1.0, RDP is going to use TLS 1.0, MSSQL is going to use TLS 1.0. You can lock this server way down and prevent all inbound traffic except for only necessary encrypted traffic from a reverse proxy, but that does not entirely address the fact your server can be popped by any number of exploits from the last decade and will forever be a liability. This also poses an important question, if this is the server in a software that uses client software to connect and communicate, would that client software support a higher version of TLS? If not, then frankly there isn’t much you can do, maybe some awkward VDI, but you’re just adding so many layers of complexity that could more easily addressed by changing to a software that is supported. You need to try to find a way to explain WHY this is bad in terms of monetary impact.

Reply

[-]

knightress_oxhide@reddit

"Unfortunately, upgrading the server OS is **not an option** at the moment." \-- 2033 \--2043 \--2053

Reply

[-]

skydiveguy@reddit

I guarantee it's a server that manages their sales pipeline. Sales never want to invest time or money into anything unless its better hotel rooms, expensive dinners, alcohol, etc.

Reply

[-]

IdiosyncraticBond@reddit

Give them a choice: A) Upgrade the server or B) Not have yhe server anymore Their choice.

Reply

[-]

Jawb0nz@reddit

It might be fun to P2V it, then inline it up to 2022. Not directly, but up to 2008r2, then 2012r2, 2016, and finally 2022. That's such a big jump that I couldn't imagine going straight up would work. Granted, I have serious doubts that the stepped upgrade would work either, but an offline virtual could be played with while the prod server stays online.

Reply

[-]

purplemonkeymad@reddit

I bet there is a non-zero chance that it's still 32bit. I vaguely remember there being some issue with doing an in place between architectures.

Reply

[-]

LimesFruit@reddit

no idea about on windows server, but on windows client, you can't officially do it. but can technically do it using a 64 bit windows 8 beta build with a modded installer, but that's something for r/ShittySysadmin lol

Reply

[-]

Jawb0nz@reddit

That actually makes a lot of sense and I should have thought about that piece.

Reply

[-]

tankerkiller125real@reddit

Or third option... Insurance company is your friend in these cases (if you want to pull the nuclear option)

Reply

[-]

Valdaraak@reddit

Every year I have to fill out our cyber insurance questionnaire, I always get a nice list of things that I get easy approval to do since they're asking about it.

Reply

[-]

davidgrayPhotography@reddit

That was my local OPSM (chain of optometrist stores) for the longest time. They had some crusty Unix-based software from the 1990s they were using, until they upgraded.. ..to a Unix distro that ran the same crusty Unix-based software, but this time in a terminal window! They finally upgraded to a modern system some time around 2019, nearly 20 years after I first started going there..

Reply

[-]

loupgarou21@reddit

heh, I have a client that an old as400 running their sales and fulfillment, and it hadn't been updated since 2008, because when they tried updating it, it broke something in their sales/fulfillment software, and the quote they got to fix it was $200k+. They rolled back and haven't tried updating since. We've told them many, many times they're on borrowed time, but they just keep burying their head.

Reply

[-]

fedesoundsystem@reddit

we promise next quarter we upgrade. This time is for real some toxic proyect manager

Reply

[-]

TheEnterprise@reddit

Then the only reply is: "Unfortunately, **passing the security audit is not an option** at the moment." Sucks to be in that position. I think we've all been there at some point.

Reply

[-]

Burgergold@reddit

It should have been 10y ago before the eol Or at least with extended aupport, maybe until 2018 We are in 2025, windows 2016 is going out of support soon

Reply

[-]

cats_are_the_devil@reddit

Money on the software they are using not having support for anything higher than 2016.

Reply

[-]

Burgergold@reddit

Then work on dropping this software Tls is the last of the priority

Reply

[-]

HotPieFactory@reddit

The moments are plentyful and never run out.

Reply

[-]

Sato1515@reddit

My brother in administration, this is a 22-year-old OS. I don’t understand how you’re going to pass an audit regardless of clients using TLS 1.2 while the underlying infrastructure is so vulnerable. However your best bet honestly is, depending what you’re running, a reverse proxy that clients connect to. What are you running that clients are connecting to?

Reply

[-]

rootsquasher@reddit

>a reverse proxy This was my first thought too.

Reply

[-]

DontMilkThePlatypus@reddit

*\*laughs in AS/400*\*

Reply

[-]

DigitalDemon75038@reddit

I actively support Telnet emulation configurations to AS400 lol good money

Reply

[-]

pdp10@reddit

Telnet over TLS is normal for tn5250 to AS/400.

Reply

[-]

DigitalDemon75038@reddit

5250 and vt220 split the action down the middle for us, most folks using Honeywell’s basicTE or velocity or staylinked, such a push to Android, you seeing the same?

Reply

[-]

pdp10@reddit

> Honeywell’s basicTE We don't have systems of that type, but stateful terminal sessions aren't a bad solution in general. Android is definitely the mobile OS of choice for industrial or specialized hardware. Being stateful, instead of REST, you do need a high quality WiFi network if you want to avoid frequent session drops.

Reply

[-]

DigitalDemon75038@reddit

They queue the changes until reconnect now so the session is retained

Reply

[-]

NightGod@reddit

\*eye twitch\* My first IT job in 94 was as a S/36 operator. They upgraded to AS/400 while I was there, it was like going from a 286 to Pentium (something else I experienced at that same company)

Reply

[-]

DontMilkThePlatypus@reddit

Wanna hear something funny? My first (sort of 2nd) IT job was also with AS/400. In 2017.

Reply

[-]

NightGod@reddit

Absolutely crazy how some of those old systems just get so embedded in a business that they just stick around forever

Reply

[-]

ihaxr@reddit

`PWRDWNSYS *IMMED`

Reply

[-]

Fluffy-Queequeg@reddit

It’s quite common for a project to be done by the business and handed over to support, but then the business refuses to spend any money on upgrades because the tool does what it’s supposed to and just works. I.T. Then gets hit with security audits, so wants to upgrade the OS to the latest version, but the app being used won’t run on the new OS, so it needs to upgraded as well. This requires functional consultants from the business, as I.T. Doesn’t support the application itself, just the infrastructure it runs on. Joe, who implemented the app 15 years ago actually left the business 14 years ago, and nobody else has a clue how the thing works as everything was outsourced to an Indian MSP, and thus application is not in scope for them 😂

Reply

[-]

stra1ghtarrow@reddit

my last place exactly

Reply

[-]

BadSausageFactory@reddit

This is us, distribution warehouse full of terminals running CentOS5 with an equally ancient app, worked fine until TLS requirements. Now Win11 with new software, integration, visibility, blah blah, the old stuff actually worked great so that was a tough sell but our cyber insurance made the decision for us.

Reply

[-]

Fluffy-Queequeg@reddit

Yep. We are getting hit with TLS cipher disable requests every week, but if you can believe it, we even still have apps using http 😂 That is actually a bigger nightmare as we also have some apps designed to work with IE7 and HTML4, and these apps use frames that aggregate across various systems, and you can’t mix http and https on the same page. It’s frustrating as the MSP we have looking after this stuff is hopeless at this kind of stuff…”Oh, we never got any KT about that, so it’s not in scope” Tearing my hair out be base this is really basic common knowledge kind of stuff, but it’s a legacy app on life support but the replacement is years away. What was hilarious was one part of this app used to have a Java Applet embedded in it to do some diagram display, but it only worked with Java 1.6. The fix for that was to upgrade the app from Java to Flash! Finally there was an another patch released to make it use HTML5, even though the core app still uses HTML4. I’m workout with MSP staff who have never used a command line or can recall IE7. I think IE7 is to them what COBOL is to me

Reply

[-]

Call_Me_Papa_Bill@reddit

TLS 1.0, SMBv1, NTLMv1, HTTP… but the worst of all is clear text LDAP being used to pass credentials for sensitive (aka Domain Admin equivalent) service accounts. My guess is when the APTs get their beachhead machine and start running discovery scripts, this is one of the first things they look for.

Reply

[-]

Fluffy-Queequeg@reddit

Oh, we definitely have that clear text LDAP stuff going on for some apps 😂

Reply

[-]

BadSausageFactory@reddit

We had an app like that, I remember having to do the GPO thing where a website calls the older IE instead of edge. The users thanked me. I told them to never speak of it again.

Reply

[-]

Sato1515@reddit

Oh don’t get me wrong, I’m painfully aware of how these situations occur. Admin gets a shit sandwich and has to make the best of it is a tale as old as time.

Reply

[-]

Fluffy-Queequeg@reddit

I have about 10 such apps on my plate right now. We’re also at the point where we get CVE patches and can’t apply them as the vendor only patches releases from the last 2 years, so now we’re just replying to the security team with “can’t implement due to being out of support - please refer to business owner”

Reply

[-]

when_adam_delved@reddit

This is painful. thoughts and prayers

Reply

[-]

PREMIUM_POKEBALL@reddit

It is. but the burden is on the secop team to light fires. Admin did all he can and should one of the few times they can push just as hard back onto the security team. To be clear secop team are doing their best as I would as well. Secop needs to look past the admins and focus their sights higher. Admins *cannot* apply a fix which does not exist.

Reply

[-]

Fluffy-Queequeg@reddit

I bet these apps are still there long after I am retired!

Reply

[-]

Username_15_taken@reddit

I've had to do this also >_<

Reply

[-]

ZealousidealTurn2211@reddit

We try to avoid these by insisting on documented support plans (and thankfully have support from leadership who back us up on them) but inevitably some group somewhere "knows better" and insists internally "IT's hoops are just them being difficult".

Reply

[-]

coltsfan2365@reddit

You are exactly right. I was hired to be solo IT at a factory 4 months ago that has a Windows 2012 server that they don't see any issues with. Wireless AP's were last upgraded in 2016 and firewalls hit EOL long ago. They have no clue about cybersecurity and wouldn't pass an audit. Heck, I'm not sure if they SPELL audit. Long story short, I have already put in my 2 weeks' notice. They are going to soon hire their 4th IT manager in the last 12 months and can't figure out why.

Reply

[-]

CaptainZippi@reddit

You know, I didn’t expect to have PTSD flashbacks to <checks notes> …last week.

Reply

[-]

ResponsibleJeniTalia@reddit

I came here because I thought the title was a typo. 😬

Reply

[-]

LotusTileMaster@reddit

Oh, come on. There is a critical application that absolutely needs to have support. On a serious note, get your companies to upgrade their tech. The fastest way to do it is through insurance. No insurance company worth their salt is providing cyber insurance for ancient systems.

Reply

[-]

irrision@reddit

They probably have cyber security and just lie on the questionnaires.

Reply

[-]

StockMarketCasino@reddit

Are you servers fully patched?... *Technically* yes

Reply

[-]

Karma_Vampire@reddit

We have indeed plugged the network cables in to patch them into our network, so that’s a “yes” on the questionnaire :)

Reply

[-]

Technical-Message615@reddit

The latest patches are installed.

Reply

[-]

doll-haus@reddit

Oh, I just smeared Bondo of all of them.

Reply

[-]

Baerentoeter@reddit

"Sometimes my genius is almost frightening" - Dude from Top Gear

Reply

[-]

MeateaW@reddit

Are your servers fully supported?... *I still support them! so yes!*

Reply

[-]

BBO1007@reddit

All the “latest” patches.

Reply

[-]

Internal_Horror_3155@reddit

Technically correct. The best type of correct.

Reply

[-]

Brua_G@reddit

You mean cybersecurity insurance, right?

Reply

[-]

Darkhexical@reddit

I was told our deductible for cyber security insurance is apparently 500k.

Reply

[-]

swattz101@reddit

We have a couple of systems so that there aren't many people alive that know how they work anymore. Our login warning banner is a laminated 3x5 card and the logon is a paper log sheet sitting next to it.

Reply

[-]

3Cogs@reddit

We have some expensive devices with embedded OS which can't be updated. They now live on their own mini domain with a 2008 server DC, isolated from the internet. It's still on our risk register though.

Reply

[-]

i-sleep-well@reddit

The divide between 'critical applications' that are critical enough to warrant all sorts of esoteric fixes and critical enough that it deserves spending money on, is huge.

Reply

[-]

Happy_Kale888@reddit

They check the boxes on the survey then when they make a claim and realize it was all a lie the insurance does not pay. Insurance still collects the premium everyone is happy but the customer...

Reply

[-]

TheGlennDavid@reddit

Oh they're "providing" it, they're just not paying out. "Never files a claim" of the best customer, but "will probably file a claim but will definitely be found to have made false statements to us" is a close second.

Reply

[-]

pdp10@reddit

I know Ultrix isn't new enough to have shared libraries or formal Y2K compliance, but c'mon now, be reasonable.

Reply

[-]

hardingd@reddit

I’m dying over here - 😂

Reply

[-]

GhoastTypist@reddit

Okay now thats a line that I didn't know I needed to hear. >Sir, if your OS is old enough to drink it needs to be put down. Crazy now I feel old.

Reply

[-]

30yearCurse@reddit

I heard a rumor that social security is running cobol... ;)

Reply

[-]

Call_Me_Papa_Bill@reddit

Came here to say this. I am a cybersecurity consultant specializing in compromise recovery. This server IS your weakest link and it WILL be the entry point for your breach. So many bad things here: for one, if it is domain joined you have to leave SMBv1 enabled on DCs so it can get group policy updates. SMBv1 is very bad and should have been disabled years ago.

Reply

[-]

Brwdr@reddit

CSIRT here, Vulnerability Management called me to talk to you! I have Policy & Audit with me and Legal was notified as well. You are instructed to put the Microsoft Windows Server 2003 license on the desk and put your hands behind your head. Do it now and there will be no new troubles for you. We have Purchasing prepared to call you as soon as you relinquish the license, to talk about license upgrades. Please follow all orders and no one will get RIF'd.

Reply

[-]

abubin@reddit

Yup setup a reverse proxy frontend with TLS 1.2. Try nginx if it's web application. Or use Cloudflare.

Reply

[-]

donkey360@reddit

I wanna throw Kemp Load Balancer into list of good reverse proxies [https://kemptechnologies.com/](https://kemptechnologies.com/)

Reply

[-]

1a2b3c4d_1a2b3c4d@reddit

15 years ago I loved my Kemp Load Balancers...

Reply

[-]

ISU_Sycamores@reddit

I was thinking all of these things, including getting off that legacy OS. Fronting the server with some load balancer then setup a local firewall and only allow connections from it. Call it compensating controls.

Reply

[-]

Maybe_Factor@reddit

Depending on the exact nature of the audit, you may be able to set up a proxy server to receive TLS 1.2 connections and simply forward requests to your outdated POS server and software. You'll need to talk to your auditor about whether that's an acceptable solution.

Reply

[-]

Nonaveragemonkey@reddit

I'd refuse to touch that nightmare. They're 15 years into borrowed time.

Reply

[-]

cwheeler33@reddit

You need to explain why this wasn’t migrated 10 years ago… and why is it not an option now. Some of those answers determine/eliminate possible solutions.

Reply

[-]

Maleficent_Bar5012@reddit

2003 hasn't been supported in a very long time, does not receive updates and won't support tls1.2 Upgrading the OS to a modern supported OS is the way to resolve it. Windows server 2016 at least.

Reply

[-]

Sajem@reddit

> Unfortunately, upgrading the server OS is not an option at the moment. Remind your Exec's that this system may cause the company to fail the audit which *may* impact any contracts, cyber insurance etc. etc. Additionally, in the audit, mark the section this applies to as non-compliant **and then** there should be a comment or similar where you should be able to state that the company has accepted the risk and add a brief comment on how you intend to remediate the risk in the future Your company *should* also have a RFFR register where you add all of the non-compliance risks that explain exactly what the risk is and why it isn't being remediated **then** your CISO and C levels sign off on the RFFR register agreeing to the risk to the company. Not your problem anymore, it is now the executive levels problem.

Reply

[-]

jaymemaurice@reddit

Reverse proxy but don't do that. Don't do it yourself because the OS isn't patched and who knows what vulnerabilities you will hit if you are effectively putting IIS to the open. I actually worked for a tech startup that I'm going to now shamelessly shill that solved this problem. They had agent software that would use "the cloud" as a rendezvous point where they would do the reverse proxying, allow tokenized authentication, custom waf rules, and custom authorization rules and even a pluggable oidc identity layer. It's used by many municipalities to allow remote access to old un-pachable critical infrastructure that needs to be accessible by many different user bases that aren't federated and can also enforce a second factor of you integrate identity providers who can't be guaranteed to have their users enroll. The company is Agilicus. So the idea becomes that this server gets only restricted outbound internet access in its own DMZ, the agent gets installed (windows/Linux x86 arm MIPS) on the machine or a machine that has access to the service ports on the machine. It creates a tunnel* to the cloud. In the cloud portal, the admin creates the mapping rules that can expose the service either directly to the public Internet through web application firewall (Lame) or with the identity layer that first makes sure you complete single sign in before linking their ingress to your service. You set the cname for the app to their cloud ingress and they handle cert generation and renewal automated through letsencrypt. You now have zero trust network access, TLS1.3, 2fa, CSRF and whatever else. Your legacy app is now both accessible from anywhere but protected requiring users to log in with their native credentials before it can be interacted with. You also have immutable logs from the middle layer to trace what user made which web calls.

Reply

[-]

jaymemaurice@reddit

Their primary focus is trying to deal with all the things on the Internet that should not even be on the Internet, or should be updated but can't be... Like think municipal parking enforcement software contact that was given to somebody's son and they built it on Tomcat and used log4j... and they since tried and the city has no budget... Agilicus comes in and solves the problem allowing users to authenticate before the /s/turtles/proxies/ all the way down connect you to the service on the HP-UX workstation with 1387 days uptime.

Reply

[-]

itishowitisanditbad@reddit

>Unfortunately, upgrading the server OS is not an option at the moment. It *is* and *has been* for *decades*. If its not *now* then it *never will be*. Fail the fucking audit if thats the necessary 'needful' to get it replaced. People can't just say 'no' and it be ok.

Reply

[-]

Obvious-Jacket-3770@reddit

Well upgrading to a new OS that's actually supported **IS** an option if you want to pass the audit. Truth is you're going to fail because your company is exposing a connection to clients on a system that GROSSLY out of all support on a connection protocol that is also grossly out of support and not aligned with any security standards. It's been 22 years, your company has no excuse here.

Reply

[-]

netsysllc@reddit

upgrade the server....

Reply

[-]

GiveDanADollar@reddit

Is this public facing? OMG

Reply

[-]

GiveDanADollar@reddit

this is public facing? OMG

Reply

[-]

ThaLegendaryCat@reddit

Reverse proxy. And well I won’t ask why in the name of the overlords someone is forcing you to keep a 2003 online. Since if you do TLS termination or MITM you can upgrade TLS without the server being any wiser to this assuming your proxy supports ancient insecure still. Is this compliant with security standards well I’m not sure in this situation as a 2003 in prod is involved.

Reply

[-]

Technical-Message615@reddit

Server can do http and have the proxy do https. No need to support old TLS ;)

Reply

[-]

ThaLegendaryCat@reddit

I made the resonable assumption that the old thing is running a config we aren’t allowed to touch for the purposes of this post. So options like plain HTTP are sometimes not on the table.

Reply

[-]

Technical-Message615@reddit

If I can't touch it it's out of my scope and out of my care. Not my circus not my monkeys. They want me to take care of it? I will, but my way, not theirs.

Reply

[-]

BeyondAeon@reddit

Linux + nginx with a proxy\_pass option is good for this ....

Reply

[-]

LeaveMickeyOutOfThis@reddit

This is the approach I would take along with a bunch of network controls to ensure this traffic can only pass through the reverse proxy. Obviously, if you audit control is only looking at the server in isolation then this won’t fix it; however, if the audit control is looking at the ecosystem, this should be sufficient.

Reply

[-]

Sushi-And-The-Beast@reddit

Yeah, reverse proxy… End user connects via TLS 1.2/3 to the reverse proxy, the reverse proxy connects via TLS 1.0 to the 2003 server. Had to do this a while back because the Oracle server did not support certs past 1024 and the CA was not issuing certs below 2048. So I had to stand up a openssh CA and import the roots. And it worked. And the peasants rejoiced

Reply

[-]

PinkertonFld@reddit

I've seen this in government though. Mission-Critical Software that was written by people who are long gone, needs some old library to work, and nobody wants to fix the real issue, or the source is long gone (or the company that wrote it is belly-up). So you have to put it in a jail, with \*zero\* other connections to the real world, behind a reverse proxy (like you say). And place a few tripwires documented to death with a IOU that it'll be updated soon (newsflash, it won't). It's mitigation, and it's better than nothing, and shockingly common... (Hell I know of a few NT 3.51 boxes still running in a Data Center in Sacramento...)

Reply

[-]

WWWVWVWVVWVVVVVVWWVX@reddit

Manufacturing, too. The amount of shops I've gone into and seen the machines running on XP and older is insane. Nobody wants to pay to upgrade a machine that works.

Reply

[-]

mineral_minion@reddit

I work in a manufacturing company. Right now for our line equipment, we can get replacement XP boxes under the existing service contract OR pay a king's ransom for the upgrade kit + support contract...which is Windows 7 with no patches applied.

Reply

[-]

dagamore12@reddit

Not NT3.51 but I know of a few, thankfully hard off networked systems, running Solaris 6 and 7. Thankfully I dont support them anymore.

Reply

[-]

bfrd9k@reddit

This is the correct answer.

Reply

[-]

rose_gold_glitter@reddit

No, the correct answer is you have no chance of passing an audit with a server OS that is decades old and 2 months off a decade, since it got its last patch.

Reply

[-]

Dal90@reddit

"Accept the Risk" Audit passed.

Reply

[-]

rose_gold_glitter@reddit

True, you can put a risk mitigation plan in action and reclassify the risk as lower. It does depend on the audit type, though.

Reply

[-]

M365Certified@reddit

Depends on the audit, but thats it. Compensating Controls/Mitigating factors. A really thick wall with the tiniest window possible. And an executive will need to sign that AoR, you can't hide it.

Reply

[-]

aedinius@reddit

Wait, you can pass an audit?

Reply

[-]

SlntPrgrssn@reddit

nginx for example? so basically what you suggest is that newer version would actually run on the proxy and not on the server itself,is that correct?

Reply

[-]

TheRealLambardi@reddit

There are answers but it’s work. - put behind reverse proxy. - put waf in front of it. - mesh style vpn (would avoid that unless you already have one built and deployed) - install different web server on server 2003 Don’t sweat it..let the audit fail come up with the answer, hand costs to business and it’s a yes / no but don’t take it as a personal failure .

Reply

[-]

Sol3141@reddit

As someone who did this last year. You will spend more time digging up ancient out of date and inaccessible documentation just to reverse engineer a solution that will consist of a house of cards taped to another house of cards dangling over a fire. DO. NOT. ATTEMPT. Your time and efforts are better spent on a real solution like migrating the system. If they don't want to do that, and won't listen to you, then you can tell them to hire a specialist contractor to do it.

Reply

[-]

unavoidablefate@reddit

You've had 22 years to plan upgrades. Your company has dug it's own grave.

Reply

[-]

Enough_Pattern8875@reddit

LOL

Reply

[-]

doll-haus@reddit

Put this server behind some sort of proxy. Apache guacamole or the like. Clients connect to guacamole in a secure fashion, the security nightmare is kept between your ancient server and whatever serves as the interface.

Reply

[-]

hackinandcoffin@reddit

Get a load balancer that will accept the client connection at TLS 1.2 and then connects to server at 1.0. It will encrypt/decrypt/reencrypt the traffic.

Reply

[-]

SwiftSloth1892@reddit

And I thought I was bad for still rooting out 2012 servers

Reply

[-]

LucidZulu@reddit

Lock down firewall rules and reverse proxy with traffik or nginx. Both a free to use.

Reply

[-]

IsThatGerry@reddit

Jesus!! 2003!?!? 🤦🏻‍♂️

Reply

[-]

follow-the-lead@reddit

Alright so if it absolutely must stay at server 2003 (actually not a good solution) then you can wrap it in tech around it. I’m assuming that it’s an iis web app that’s the problem here. If so, you can kind of get away with offering the site up via http and put a reverse proxy in front of it that handles the tls termination. Something like nginx or ha proxy on a Linux box sitting next to it. Make sure you use something open source, much easier to get upgrade funding for a free server. Clearly support isn’t a priority for these clowns.

Reply

[-]

Igot1forya@reddit

This raises a question of how old your Windows DOMAIN is for you to have a TLS 1.0 server present. Your forest functional level can't possibly be high enough to support both Server 2003 and modern servers. Get that server off your domain, you're crippling your environment just having it exist (unless it's not domain joined). Long term (assuming you stay on-prem): I would like to suggest a possible way to move away from this server gracefully by setting up a DFS server (add the DFS namespace and replication roles). And create a replication target to point to new(er) file server(s). Let them replicate/sync data to each other, and then have your clients point to the new DFS share path. Then once everyone has had all share drives remapped and repointed to the DFS path, you can retire the old server. This way, when a newer version of Windows server comes out you simply add the newer file servers to DFS as a replication partner and you can gracefully retire the older version without involving users since their connections are pointed at the universal DFS path and not locked to one particular file server.

Reply

[-]

sandbox_legend@reddit

Big assumption that the 2k3 box isn't the primary DC and omni-server.

Reply

[-]

Igot1forya@reddit

One would certainly hope not. But the possibility is there, I suppose.

Reply

[-]

sandbox_legend@reddit

I am betting there is a 50% chance the next question would be how do I get TLS 1.2 working on windows xp

Reply

[-]

butter_lover@reddit

put it behind a load balancer. any load balancer. preferably f5. done.

Reply

[-]

MeateaW@reddit

Reverse proxy. End of thread.

Reply

[-]

TravellingBeard@reddit

LOL...I think you know the answer.

Reply

[-]

Huge_Ad_2133@reddit

The simple unavoidable result of the facts you represent is that you will fail your audit. The insecure TLS protocol is just one of the many many reasons you shouldn’t be on 2003. You also should not be on 2008 and should be getting off of 2012. Keep up or get run over. It is the way of things.

Reply

[-]

silesonez@reddit

post in r/ShittySysadmin

Reply

[-]

PAiN_Magnet@reddit

How does the Audit allow for such an outdated and unsupported server? You're asking the wrong questions and looking for the wrong answers.

Reply

[-]

someguy7710@reddit

I was literally laughing out loud and my wife asked me what was so funny. So then I had to explain it to a non technical person. Damn you op

Reply

[-]

ITRetired@reddit

Back in 2003 my three daughters lived with us. Now I have three grandsons and another arriving any day soon. And you are telling us that upgrading is not an option??

Reply

[-]

Alternative-Print646@reddit

Over 2 decades old , come on now ..,.

Reply

[-]

Jayhawker_Pilot@reddit

So an audit is driving this? A server that has been end of life for 15 years? Am I getting the jist of this? If you want it replaced (and if you don't, get out of the industry), fail the audit. Sometimes you have to fail audits to get management off their ass to do something. It is not your job to solve incompetence.

Reply

[-]

GaryDWilliams_@reddit

haproxy in the middle, clients hit that, it hits 2003. It's what I've had to do when dealing with this sort of thing.

Reply

[-]

Some_Troll_Shaman@reddit

Lol. Really, any auditor that finds a 2003 server in prod is going laugh till he or she pees. It does not matter what the TLS requirements.... it's old enough to remember Goatse. If your org still has a critical org wide app that is stuck on a 2003 server you are going to fail any cybersecurity audit. Do not worry about ticking the box for TLS1.2. You need to hide that shame behind network segmentation, a firewall and jump box or some kind of reverse proxy and or WAF for the application and no-one should ever know its on a machine old enough to drink in all 50 states.

Reply

[-]

ferrybig@reddit

Put a server in front of the outdated server, which accepts TLS 1.2 and TLS 1.3 connections and up and then makes a connection to the upstream server. This can be an application running on the server itself, so you can make an unencrypted connection to localhost, so no client needs to be set to a TLS lower than TLS 1.2

Reply

[-]

Much-Environment6478@reddit

It still has to be firewalled off and not joined to AD (which it probably is) on the same subnet as their DCs.

Reply

[-]

superwizdude@reddit

You will fail any on-premises security scan. This server OS is too old and is vulnerable as f*ck to a whole bunch of exploits. Put it in a DMZ with a proxy server. Make immediate plans to replace this with a modern server. I had customers replacing 2008R2 servers years ago for similar reasons. Running 2003 today is unforgivable.

Reply

[-]

Much-Environment6478@reddit

"It still needs to be accessed by admins in AD" - This thing is probably still on the same flat network as their PCI systems and not firewalled off. The amount of work and money that'll need to be spent making this 1 system compliant will dwarf doing actual research/updating to a server that supports TLS 1.2 (or 1.3).

Reply

[-]

Moru21@reddit

You replace the server, period.

Reply

[-]

No_Profile_6441@reddit

Bwahahahahaha

Reply

[-]

W3tTaint@reddit

Good luck with that audit.

Reply

[-]

Cutoffjeanshortz37@reddit

Audits are known for just looking at the sheets and never under the sheets to find out what shit is there. That's why everyone loves audits. They're so easy, quick and never find anything, just tell you you're doing a great job. 🙄 /s lots and lots of /s.......

Reply

[-]

catwiesel@reddit

stunnel

Reply

[-]

SilenceEstAureum@reddit

\>Some things I've considered: \*Blank\* Consider failing your audit because you're using a server should've been decommissioned 15 years ago

Reply

[-]

theSarx@reddit

Upgrading the OS is not an option, in fact it's mandatory. You have a massive security hole in your environment my dude. Get rid of it, asap.

Reply

[-]

BillyD70@reddit

First, make sure an officer of the company signs off on the rush register to accept the risk of running this non-compliant system. Preferably, the officer will be the head of whichever department REQUIRES the non-compliant system (eg CFO for any financial system). Often, system changes suddenly become possible when someone has to put their signature on the line. Once you have risk acceptance, technically isolate that system as much as possible and monitor it closely.

Reply

[-]

arominus@reddit

Sounds like you’re screwed man, you either upgrade that 2003 box or you fail the audit. Leaderships choice. You’re not getting out of this one.

Reply

[-]

FlickKnocker@reddit

Have you actually tried moving the app to something other than 2003? Just because the system requirements can’t read a crystal ball, doesn’t mean it won’t run on a newer OS.

Reply

[-]

LastTechStanding@reddit

They can’t…. It’s 2025….. n-2 is Server 2019… keep up

Reply

[-]

TabTwo0711@reddit

Upgrade the server

Reply

[-]

bojack1437@reddit

Upgrade the OS... Your second best option is to upgrade the OS... Your third best option. Yes, upgrade the OS. Your last stitch last resort option depending on if this is an HTTP application or what this is, you might be able to put some kind of reverse proxy in front of it, or something like stunnel.

Reply

[-]

WillVH52@reddit

Even doing an in place upgrade to 2008 R2 would give you TLS 1.2 support, worth considering at this point.

Reply

[-]

chriscrowder@reddit

This is the stupidest thing I've ever read.

Reply

[-]

konoo@reddit

Employee to Boss: "We can either upgrade the software or we can stop accepting government work because I am not signing a piece of paper that lies to the government".

Reply

[-]

FreedomTechHQ@reddit

You’ll need to place a reverse proxy or TLS termination gateway in front of the server. Tools like stunnel, HAProxy, or NGINX can accept TLS 1.2 from clients and then downgrade to TLS 1.0 when connecting to the backend server. It's not ideal, but it's your best option without upgrading the OS.

Reply

[-]

BarefootWoodworker@reddit

Go get drunk with it to dull the pain of not passing the audit. That’s my advice.

Reply

[-]

eoinedanto@reddit

Firstly you are way out of your depth and need some risk management help. You’re approaching this problem like a technical challenge but it’s much more than that, it’s a business problem. Audits can have exceptions as long as they are documented/approved exceptions to a policy that’s been approved by the appropriate level. Yes, you need to retire this OS but maybe there’s some multimillion upgrade that needs to happen to some industrial system. Figure out the dollar cost of an outage caused by this system, the risk of that, new controls you can put in place to reduce that risk (highly segregated network, allow listing like AppSense) and compare all that to the cost of an upgrade. And get management to sign off on the approach. Technically you are asking the impossible; if you disable an obsolete protocol then it’s no longer available for clients to connect to. So figure out a workaround.

Reply

[-]

pdp10@reddit

Your best option is a reverse HTTP proxy or a Layer-4 proxy. This can be installed locally on the Server 2003, or on a separate VM, container, or server. If it's not installed locally, you need to ensure that clients can't reach the backend 2003 server, or else you'll still have an audit finding. A Layer-4 proxy that will run on Windows is Stunnel. Be aware that the maintainers don't make official 32-bit builds any more, so you need to find a trusted third-party build, or compile it yourself. Or you can run Stunnel on a separate machine; we run most of ours on Linux. Sometimes legacy systems require legacy Windows. If it's easier or better to just upgrade the machine than to engineer a proxy solution, then just upgrade it. But the proxy solution is excellent and sustainable if upgrading is not really an option.

Reply

[-]

Izual_Rebirth@reddit

We did have a client we were doing an audit for a number of years ago that had a a Server 2000 box. Internet facing... doing payments... WTAF. We refused to take them on as a Managed Services Client unless they committed to a plan to migrate away from it but they declined stating budgetary reasons. Lucky we didn't take them on as they did get hit not long after that and I believe went out of business. So yeah. Glad we didn't take them on in the end! `Some things I’ve considered:` I know this was probably a mistake and you forgot to put in your considerations but I think this sums up the whole thing lol.

Reply

[-]

ITBurn-out@reddit

Dmz it to death.

Reply

[-]

Dave_A480@reddit

Hacky, but: 1) Switch IIS to only accept connections from localhost 2) Build as-modern-a-version-of NGINX as will complile on Windows 2003 & configure it to run on said ancient Windows dinosaur, as a reverse proxy. Clients would connect to NGINX, which would handle TLS (supporting all modern versions of such), and NGINX would connect (on localhost) to IIS to get the actual content.

Reply

[-]

allw@reddit

Did I accidentally r/shittysysadmin

Reply

[-]

joeykins82@reddit

If you've been trying to get this server upgraded but you've been experiencing resistance or pushback, the correct response is to tell the auditors that you cannot secure connectivity with TLS 1.2 because the underlying OS is Windows Server 2003. Then ensure you've got your paper trail showing that you've been trying to address this, and then enjoy suddenly getting the budget and resources you need to get up to a supported version. If you're the one who's been obstructing the upgrade, you should resign immediately.

Reply

[-]

techw1z@reddit

dude wtf. you could isolate it completely and put a reverse proxy in front of it but if you didn't know that already you really shouldn't deal with servers or security audits at all. are you really a sysadmin? if yes, step up your game bro and tell your company that a 2003 server is just a ticking time bomb that may very well void all your cyber insurance agreements if something happens with it.

Reply

[-]

moonenfiggle@reddit

That’s the neat part, you don’t!

Reply

[-]

JayTakesNoLs@reddit

Thought this was a shittysysadmin shitpost. Upgrade the server dawg there is no other solution.

Reply

[-]

ConsequenceWestern97@reddit

No. Don't even consider a reverse proxy. They won't protect the server from almost every possible attack anyways. Once the auditor realizes your running Server 2003, it's gonna be an instant fail anyways. I do not care what the excuse is, it's not valid. Replace the server.

Reply

[-]

Extension-Bitter@reddit

You should just fail your audit. Simple. The reason why an audit is to find issue like this, not going around it. I would use this failed audit for management to move their fucking ass.

Reply

[-]

Immediate-Serve-128@reddit

Downgrade all other servers and fawn it off as a museum piece?

Reply

[-]

No_Resolution_9252@reddit

You may be able to get away with offloading SSL onto a load balancer or proxy, then isolating the server, but that will require buying an appliance of some sort. Someone in top level management would have to write an acceptance statement and describe the mitigations. There are probably bigger compliance problems with the server if you can't even use a VPN to work around the tls 1.2 issue

Reply

[-]

Advanced_Vehicle_636@reddit

Don't necessarily need an appliance. Some firewalls (Fortinet, Palo Alto, and Cisco definitely. Possibly other brands like Checkpoint as well) will support SSL offloading. For small scale stuff this is probably fine. Larger scale projects should be using dedicated appliances like F5 or Kemp.

Reply

[-]

No_Resolution_9252@reddit

My assumption is any place sleazy enough still running server 2003 with these requirements, probably doesn't have anything like that

Reply

[-]

kuldan5853@reddit

> Edit: Just to be clear though, assuming this isn't a joke. You're screwed in this audit anyways. A server 2003 box in prod will never pass an audit. That's not a problem - I speak from experience. As long as the machine is not on the network / heavily isolated to only allow the application talk to it from approved IPs and on a very specific port or something, that is enough. Source: Working for a highly audited company, running stuff like Windows 2000 / NT 4 in "production".

Reply

[-]

Valdaraak@reddit

>an audit requires all client connections to use TLS 1.2 for security compliance. You're not going to pass that audit when you have a 2003 machine *on the network* and in active use.

Reply

[-]

Peter_Duncan@reddit

Out of curiosity... how old is the hardware? ie... motherboard/cpu

Reply

[-]

rose_gold_glitter@reddit

You know this is going straight to r/ShittySysadmin, right? As other said, reverse proxy is your only hope - but there is no chance you can pass any kind of audit with a server which last saw a patch in mid 2015. ISO27001. PCI. I don't know what the audit is but there is no way this server is passing it, proxy or no proxy. If you need to pass this audit, someone is going to need to update this server.

Reply

[-]

kuldan5853@reddit

I can tell you from experience that you can pass ISO27001 etc. with servers like this - even older. They just need to be properly isolated and proxied.

Reply

[-]

cats_are_the_devil@reddit

Yeah, the difference is someone asking this on this subreddit is so far out of depth... They are for sure not passing an audit.

Reply

[-]

chum-guzzling-shark@reddit

im sure its not the sysadmin's fault in these circumstances. Sometimes we gotta deal with shit. /r/ShitOnSysadmin

Reply

[-]

OurManInHavana@reddit

P2V the server and place it behind a reverse-proxy that handles TLS for it. Isolate it from your main network so the only thing it can talk to is that proxy. Document that it will now forever live in it's own little pocket-universe. And explain to the business that this is a more expensive way of complying with the audit, and has an increased ongoing support burden. And that they can save money if they allow IT the time to fix things properly (and upgrade the OS).

Reply

[-]

jackoneilll@reddit

I couldn’t help but laugh at “support burden”. Not once in 30 years has any of my leadership given a shit about how much burden any piece of tech is.

Reply

[-]

OurManInHavana@reddit

My team also tried to explain the concept of "technical debt" (as in: not-falling-behind in the first place). Same thing. Deaf ears.

Reply

[-]

cats_are_the_devil@reddit

Bro, there's no auditor that is going to look at your server 2003 machine and say yep looks fine. Regardless of if it is accepting TLS 1, 1.2, or 1.3 your best option is failing that portion of your audit and writing a report of why it failed and get some funding.

Reply

[-]

1a2b3c4d_1a2b3c4d@reddit

Let them fail their audit. Then, the bossman will magically find the money to upgrade\ swap\change\replace this outdated server.

Reply

[-]

oaomcg@reddit

have you considered just failing your audit? because that's what is going to happen, no matter what TLS voodoo you end up cobbling together...

Reply

[-]

BobWhite783@reddit

Server 2003???? Holy shit. I say you take off and nuke the entire site from orbit. It's the only way to be sure.

Reply

[-]

TheKelseyOfKells@reddit

> Unfortunately, upgrading the server OS is **not an option** at the moment Well you better start looking at making it an option pretty darn quickly if you want to pass that audit

Reply

[-]

rynoxmj@reddit

You can't. Simple as that. The technical debt you have with a Server 2003 O/S still in your environment should be your biggest concern. If this security compliance require TLS 1.2 I would be shocked if the same security compliance is going to be cool with this relic of a server.

Reply

[-]

HoochieKoochieMan@reddit

2003 was EOL in 2015. It hasn't seen a security patch in a decade. Ask the auditors specifically if they're ok with this. Then it becomes a matter of the paid, outside auditors telling management it needs to be updated instead of you.

Reply

[-]

tristand666@reddit

You wont pass any compliance with a 20 year old server that no longer gets security patches.

Reply

[-]

stupidic@reddit

You record this as an exception. An audit is done to ensure that you don't have any tech debts you're NOT aware of. This is one you are aware of. Note the exception, write up a justification, describe compensating controls and that's pretty much it.

Reply

[-]

compu85@reddit

This is where you get a risk acceptance statement signed off by your CIO. Use another mitigating control to offset the risk if possible.

Reply

[-]

linux_n00by@reddit

put nginx in front of it :D

Reply

[-]

Virtual_Low83@reddit

I hate that I woke up to this.

Reply

[-]

ninjababe23@reddit

Figure out a way yo upgrade

Reply

[-]

Traditional-Sector75@reddit

Windows 2003? We still have Windows 2000 in production...

Reply

[-]

LeTrolleur@reddit

I'm over 30 and have literally never seen or used server 2003 in my entire 12.5 year career, I swear this sub makes me audibly say "HOLY SHIT!" Every single day.

Reply

[-]

Rehendril@reddit

You cannot force it to use something it doesn't support. What you need to do is write up an explanation as to why this server cannot be upgraded, including the known risks involved and how they are being mitigated. Then, get the business leadership to sign off on this as an accepted risk. Once that is done, give it to the auditors and hope they say okay or when they say nope, not going to pass you can go back to leadership and say our only option is to figure out how to upgrade or replace what is running on that server.

Reply

[-]

New_Set7087@reddit

You need to allow the clients to negotiate 1.0 but force 1.2 as your default. This allows 1.0 when you need it but negotiate 1.2 forcibly with other connections.

Reply

[-]

Aegisnir@reddit

If upgrading is not an option at the moment, postpone the audit until you can complete your upgrade. Server 2003 is going to have so many other vulnerabilities that the TLS won’t even matter from a security perspective.

Reply

[-]

malikto44@reddit

At a previous job, I dealt with this. An internal appliance that had SSL (not even TLS 1.0), and the appliance maker refused to upgrade saying that if they want an upgrade, the client is free to pay for the dev team to put it in, and either deal with it, or find another product. Being the only game in town, tossing them onto the street wasn't really doable. The fix? HAProxy or nginx on a hardened machine, with the antediluvian appliance being on its own VLAN. If you can turn SSL/TLS off, maybe even throw it behind a load balancer that doesn't mind the machine being to its own space.

Reply

[-]

destroyman1337@reddit

You are going to fail the audit unless you upgrade that server.

Reply

[-]

LVorenus2020@reddit

Infosec department will force you to use a newer OS. They will ban the known MACs from the network and send/or demand someone to physically unplug/disable/remove the node. The latter was one of my tasks years ago.

Reply

[-]

wrosecrans@reddit

You can stick a proxy server in front of it so connections from clients to the proxy use modern TLS. But if that server only supports TLS 1.0, the actual connections _to that server_ will only be TLS 1.0. If your audit forbids that, this server will not pass that audit. Period. If you do set up a proxy, make it clear to everybody that this is a temporary bandaid, and only deploy that mitigation with a clear plan for how and when you will replace the server running software so unsupported that it is old enough to have voted in multiple presidential elections.

Reply

[-]

MalwareDork@reddit

> temporary bandaid Stakeholders are going to declare this to be just as permanent as the structural duct tape keeping one of the warehouse walls propped up.

Reply

[-]

wrosecrans@reddit

Hence you do not deploy the bandaid until you have absolute clarity about the subsequent steps. Passing the audit is your leverage. You give them a clean audit only when you are sure you are getting what you need.

Reply

[-]

MalwareDork@reddit

Agree 100%, albeit I'd personally strike out the band-aid option entirely since in my experience, the client will renege unless the system(s) are already purchased and ready to be deployed.

Reply

[-]

Dekyr78@reddit

Sounds like the server needs to have a "mechanical failure and the backup went missing "

Reply

[-]

CodeGrumpyGrey@reddit

Tell your boss that the audit requires that you replace the old .Net Framework 1.1 application that is driving the need for the server to remain. Then get rid of the server...

Reply

[-]

Sir_Fog@reddit

You've made me feel better about the 2012R2 instances I have hanging around.

Reply

[-]

astrofizix@reddit

Replace the server.

Reply

[-]

burkey_biker@reddit

Use common sense. Just intentionally break the server, its backups and anything the can be used to recreate it.

Reply

[-]

SomeCar@reddit

Why is this on you? The team that owns the server, and refuses to upgrade, should be the ones accepting the risk and need to answer to the audit team. If you are the one refusing to upgrade, then stop it, stop it right now and put that server out to pasture.

Reply

[-]

dnuohxof-2@reddit

/r/sysadmin and /r/shittySysadmin are getting harder and harder to tell apart….

Reply

[-]

jcpham@reddit

Daily it’s freaking hilarious

Reply

[-]

rswwalker@reddit

An OS that old needs to isolated in its own VLAN and access to it through a proxy server, which can do TLS 1.2/1.3 on frontend and TLS 1.0 on backend. By isolating it, it then it should pass audit.

Reply

[-]

protocol@reddit

I know you're looking for help here, but did the audit not identify that server 2003 should, in 99.999% of scenarios, not be used?

Reply

[-]

DontTakePeopleSrsly@reddit

There is simply no excuse for an unsupported operating system when EOS dates are roughly a standard 7-10 years across most vendors. When I see something like this, it’s usually an indicator of a much larger problem within the organization’s application development/procurement processes.

Reply

[-]

Inuyasha-rules@reddit

It doesn't sound like the audit has happened yet, and they got a punch list of things that will be checked. I wouldn't consider an os that's old enough to vote a punch list item, but definitely should be a failure.

Reply

[-]

KickAss2k1@reddit

First of all, how are you going to pass an audit with that OS?

Reply

[-]

_azulinho_@reddit

Place a reverse proxy in front of it and restrict access from only that proxy. This is the same as fronting a http website with a proxy doing ssl termination.

Reply

[-]

AuroraFireflash@reddit

Put a firewall / SSL termination device in front of it with the Win2003 server on its own network segment behind said device.

Reply

[-]

irrision@reddit

Fail the audit, then you'll get the money to upgrade the server finally. Don't kill yourself trying to prop up stupid.

Reply

[-]

the_doughboy@reddit

Then you're out of compliance and you need Business sign off to accept the risk.

Reply

[-]

MFKDGAF@reddit

Your only option is to quit and find a better job that takes security seriously. In all seriousness, I know companies don't have money to replace servers as soon as they become EoL or have some kind of legacy application that can only run on that OS but server 2003. Come on now. That is just either plain laziness or they don't take security seriously. Server 2003 EoL was in 2010 with EoL of extended support in 2015. So you are looking at running an unsupported OS for either 15 or 10 additional years.

Reply

[-]

ersentenza@reddit

I guess passing the audit is not an option then. Having a Windows 2003 Server will make you fail the audit by itself. Sorry.

Reply

[-]

BadSausageFactory@reddit

Turn that server off during the audits.

Reply

[-]

greyrat300@reddit

Secure communication- like TLS will require both server and clients to have common protocol (tls version) and ciphers. If server 2003 can’t run the tls 1.2 protocol and/or doesn’t have common tls 1.2 ciphers with the clients - you won’t be able to establish a secure tls connection.

Reply

[-]

molliekirk@reddit

Windows Server 2003 went EoL almost [10 years ago](https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2003-). That's 10 years with no security updates. [TLS 1.0 and 1.1 shouldn't really be in use at this point](https://www.rfc-editor.org/rfc/rfc8996.html). If you need to for now, offload the SSL via a service such as [CloudFlare](https://www.cloudflare.com/). Put your Server 2003 infrastructure on a roadmap for getting upgraded, and if your software does not work on a newer version, you should be chasing that vendor for updates. If updates aren't available for their software, maybe there should be a roadmap to replace that too.

Reply

[-]

CharcoalGreyWolf@reddit

You’re likely to fail the audit. On the other hand, this might mean that those with actual power to change the system that should have been changed ten plus years ago will. Do a reverse proxy that shows you’re doing your best, but failing is your best option. If you barely pass, the powers that be will decide this server is fine to keep around another ten years. I assure you and them, it is not. This should have been planned for, an upgrade process implemented, and done long ago and now this audit is like a homework assignment your teacher has given you two extensions on that you’re still three weeks late on hoping you’ll get a C- (you will fail).

Reply

[-]

pipesed@reddit

If it's a critical service, they should have the money to upgrade the software so it can run something modern. If there a solid reason to have to run 2003, then treat the server as a virulent contagion. Completely isolate it from the rest of the network. Deploy a separate front end server at the network edge running a proxy with modern authentication, such as nginx+ whatever idp you use. tls1 is deprecated for very good reasons.

Reply

[-]

thomasmitschke@reddit

Do not tell the auditor, you are still running 2003, or tls 1.2 will be your least problem

Reply

[-]

jdptechnc@reddit

You don't. You prepare your leadership for 2 audit findings: - Having an unprotected 22 year old operating system - Unable to enforce TLS 1.2 If it is within your area of responsibility, you can perhaps propose a project to deal with one of the above. I would also say simply upgrading Windows is unlikely to solve anything. Any app of that vintage is itself unlikely to accept TLS 1.2 clients regardless of what OS it is installed on.

Reply

[-]

jcpham@reddit

The answer is you can’t. Turn off the 2003 Server to pass the audit (funny not funny) or replace. I’m in ShittySysadmin right now or this is candid camera 🎥 right? Right?

Reply

[-]

shelfside1234@reddit

I’m seeing lots of suggestions for a reverse proxy, but at the end of the day you should still fail as only one part of the transaction will be TLS1.2; no point securing the client to front-end when front-end to back-end is still vulnerable

Reply

[-]

kuldan5853@reddit

Doesn't really matter if the proxy to backend communication happens in an isolated network / vlan that has no connection to the outside world.

Reply

[-]

Brufar_308@reddit

Leverage the failed audit to get that machine migrated to a supported platform.

Reply

[-]

rileyg98@reddit

You won't be passing your security compliance with 2k3... whether or not it's TLS 1.2

Reply

[-]

TMS-Mandragola@reddit

Hello This is not an implementation problem. This is a priorities problem, it should be your leadership’s responsibility to address the business/resourcing issue gating you from passing that audit. Unfortunately, you looking for technical solutions to this is letting them off the hook. You can’t do that, yet you’ve been doing it for 10y. Stop enabling your shitty management. This is a hill you die on. There’s lots of hills not worth dying on, but running a a 22 year old OS in prod is absolutely one. I understand that it’s probably expensive to deal with this thing; but a ransomware attack succeeding will absolutely cost the business more. In addition, the longer you wait to deal with it, the less straightforward dealing with it becomes. Consulting that understands the product you’re clinging to is disappearing. Upgrade paths are also becoming increasingly difficult. Putting this thing in jail is a mitigation measure to be used only while you upgrade it, not to further avoid migrating. If you don’t (or can’t) succeed in being persuasive on this point, brush up your resume and seek another, less senior role, as you are absolutely not cut out for the one you’re in. Alternatively, your org is in such poor financial shape they’re having a hard time just making payroll. If the choice is not maintaining critical business systems to make payroll, get out. Whatever is keeping you clinging to the place (equity?) is about to become worthless. Get off the ship before it sinks.

Reply

[-]

OffenseTaker@reddit

put a reverse proxy in front of it

Reply

[-]

-Copenhagen@reddit

Just take the audit finding and use it to leverage the server upgrade.

Reply

[-]

Papfox@reddit

You could install nginx on the box, get it to serve the site and let it do the encryption but, as others have said, this is like putting a stocking plaster on a sucking chest wound. It doesn't fix the other problems the unsupported OS has. It needs to go

Reply

[-]

whiteycnbr@reddit

Load balancer that accepts the client connection on TLS.1.2 and offloads TLS to the server on 1.0 then lock down communication to it outside of the load balancer.

Reply

[-]

Professional_Ice_3@reddit

Hey Mods, please forgive [tkr\_2020](https://www.reddit.com/user/tkr_2020/) they must have gotten lost somehow? Your applications need to become virtualized and hidden by at least two reverse proxies and you need to upgrade the OS to something receiving security updates in 2025 otherwise please head over to r/ShittySysadmin if your actually going to try passing this audit without a properly secured configuration.

Reply

[-]

mczplwp@reddit

Use Firefox and change the settings to allow tls 1.0. I had to do that recently to attach to an old ass printer. And yes that printer is being replaced lol.

Reply

[-]

Cozmo85@reddit

You would make a business exception and pay a higher insurance rate.

Reply

[-]

skydiveguy@reddit

Why is the audit requiring TLS 1.2 but not requiring getting rid of Windows Server 2003? That think has been EOL for 10 years even with extended support. Honestly, you either need to replace the server or tell the auditors it needs to stay and make sure it's well documented that management is the reason it cant be updated. I had to deal with this when I worked for a bank (management refused to spend $20K to update one of their services because it would require having someone convert all the data that was there which would've been a 6 month job) and they made us do stupid shit like blocking it with ACLs and VLANs which made managing access a nightmare.

Reply

[-]

Fire_Mission@reddit

Hiw did the audit not require you to stop using a server that is WAY past its end-of-life date?

Reply

[-]

Soggy-Camera1270@reddit

As a fellow victim of lack of proper investment, the real answer is to do nothing so that you fail the audit. This puts the system into the highest possible spotlight so that the right money is spent on replacing it.

Reply

[-]

Sgt_Trevor_McWaffle@reddit

I’m sure there are if’s and but’s here; but have you considered letting audit fail? Honest response. Yes it’s possible to solve your technical problem with a simple reverse proxy. But perhaps a warning/failed audit would help you get funding for a more sustainable solution.

Reply

[-]

Inuyasha-rules@reddit

https://preview.redd.it/u9ffwjg550re1.jpeg?width=367&format=pjpg&auto=webp&s=377d9a2995cc2ebb821ab1f88dd14f18564101b2 This is how I see that going down

Reply

[-]

twr-92@reddit

invite the CFO out for coffee present the findings of the audit and what it means to the business. you either get the funding to upgrade, or you have moved responsibility to the person who blocks the upgrade.

Reply

[-]

cubic_sq@reddit

Assume it is a web server? Put it behind a reverse proxy - cloudflare / entra app proxy / etc

Reply

[-]

iball1984@reddit

>Assume it is a web server? What a horrific thought.

Reply

[-]

cubic_sq@reddit

Likely isnt publicly accessible or the system would have bene compromised long ago and better security wrapped around it.

Reply

[-]

iball1984@reddit

A **former** employer ran a Server 2K3 as a web server. The bloody thing hadn't been restarted in over 5 years... Yes it was compromised, but they just covered their ears and went "lalala" when it was mentioned.

Reply

[-]

cubic_sq@reddit

🤐 and prob many others around the world too

Reply

[-]

Knotebrett@reddit

2003 without the option to upgrade is not a web server. This has to be specialized software. Like CNC or something even more specialized.

Reply

[-]

rose_gold_glitter@reddit

it's probably worse than you think - like it has software installed it which they no longer have the license for and can't reinstall, or the license is tied to hardware/machine profile (like a lot of CAD software used to be) and can't be regenerated for free, because it's 20 years old and they simply don't want to move to the newer, and therefore charged, version?

Reply

[-]

Enog@reddit

Upgrading the OS is always an option; your server/network, your rules. "Dear \[system owner/supplier\], server X running application Y is currently on an outdated OS that we are no longer supporting from the end of the month. We are happy to carry out an OS upgrade for you, otherwise from the 1st of next month we will be shutting the server down. Please let me know which option you would prefer. Have a nice day, Sysadmin"

Reply

[-]

ZAFJB@reddit

They can't. Upgrade you server.

Reply

[-]

Barrerayy@reddit

Just migrate it to a new server bruh what. It's a disaster waiting to happen

Reply

[-]

DheeradjS@reddit

Your best bet to to give your company owner the choice of either turning it off or get them to sign a RAF. (Risk Acceptance Form)

Reply

[-]

extremetempz@reddit

I understand you say it's not an option? I guess it's because the supporting app developers are gone? App Company doesn't exist ect. I had 2 app servers VMs and 2 SQL database VMs like this on 2003 32bit, I migrated to Server 2019 and 2022 both of them had licences bound to the Mac address (In VMware I just hard set it on new VM) I had the installation files for everything so it made it a little easier. 2003 - > 2008 R2 (New VM) -> Inplace to 2012 R2 -> Inplace to 2019 -> Inplace to 2022 (One stack broke so I went back to 2019) I had to use Windows Compatibility mode on one of the apps to Windows 7 to get it to launch. Both of the SQL boxes had 2005 installed in which I inplaced at the same time as Server versions and I ended up on MSSQL 2017 for both with SQL 2014 Compatibility. Once the new boxes were validated by me quickly (not full PVT) I then built 2022 and 2019 VMs from scratch and migrated hostnames ect and then users tested it (this was just because I don't like Inplace upgrades). This took me 1 month for each app stack to get working. these apps are read only as archive data and I'm sure the underlying app is a ticking timebomb but at least the OS is not a concern from me. I suggest you try and do a similar undertaking if you can if you no longer have support from the vendor

Reply

[-]

quiet0n3@reddit

Proxy with SSL termination. Something like nigix. Proxy accepts the connections then passed them back to the server on TLS 1.0.

Reply

[-]

bridgetroll2@reddit

Sir running a 22 year old server OS is not an option at this moment.

Reply

[-]

ArtisticLayer1972@reddit

Point is you shouldnt run system old as this

Reply

[-]

godspeedfx@reddit

You either die fully patched or live long enough to become the reason for a failed audit.

Reply

[-]

aXeSwY@reddit

You are trying to do CPR on a skeleton remains, even if TLS 1.2 issue is solved, the server being connected to the network is itself a risk. I doubt a auditor will let it slip. Whatever service being running I bet it can be replaced with something more modern.

Reply

[-]

povlhp@reddit

Proxy in front of it. Like NGINX.

Reply

[-]

fragerrard@reddit

Why not traefik?

Reply

[-]

KaptainSaki@reddit

Old habits die hard

Reply

[-]

fragerrard@reddit

Fair enough.

Reply

[-]

Xzenor@reddit

You can't. That server will not support TSL1.2. The only way to fix this is putting a proxy that can do TLS1.2 in front of it but I'm not sure if your auditor will approve of that.

Reply

[-]

theoreoman@reddit

Your 2 options are to either upgrade or fail the audit.

Reply

[-]

ORA2J@reddit

I think there's an update for xp and ws2003 to get tls1.2 on the NT 5.1/5.2 kernel. You might want to look that up.

Reply

[-]

Brazilator@reddit

You know TLS 1.0 and 1.1 is being deprecated from August this year right? The real answer is to just use HTTP and fucking send it

Reply

[-]

wrt-wtf-@reddit

Seen this kind of thing in both banking and healthcare providers, and windows is the least offensive product to work with, but also the most cringe for CVE’s. The data and the software have somehow gotten into a time bubble because the organisation chose not to migrate their data while the full workforce of integrators was focused on that particular migration. All the tools to do the job, the developers, the dba’s, and even the vendors no longer exist - but for some reason - patient or customer lifetime + 10 years ( can’t remember) means the data has to live on because of regulation. It starts as a risk issue and continues to be a risk issue, rinse and repeat every couple of months ad-nauseam… The cost gets higher and higher as the system sits there - oddly being used in-spite of any reason that would say put another system in front of it and only pull and migrate data as needed - as a minimum. The old system remains as the reference as the updated systems aren’t the official system of record for the old data, just the new data. Things get fun when you’re four generations on and the old system is still in the heart of the solution somewhere but no one knows absolutely anything about it. Including super user or system accounts. So, standing on a soapbox saying it’s wrong - lol - yep - everyone knows that. But the decision to not progress was probably made in 2005 by someone that is now dead and buried probably before most current IT generation got out of nappies. It’s not totally unusual to have to deal with systems that date back to the 1980’s or 1990’s. I had to do work with systems that went EOSales in 1979 - that got migrated and shutdown post 2015. We were repairing boards and subsystems like you would an expensive stereo system - pulling boards, testing, and replacing components old school using multimeter and soldering iron. There’s almost always someone riding their way out to retirement on the back of these systems - and you can never find them to get proper answers about the systems. One place we worked we figured out the guy ran maintenance scripts in cron, when he went on holidays he disabled them. That way he was always taking calls to rescue the business and reaffirm his importance - but these are different stories and the advent of Linux has bought in a whole truckload of additional talent in the *nix space. I’ll stop now before I really start ranting about this entire space… but to say yes, it’s a bugbear for a lot of people.

Reply

[-]

Lost-Droids@reddit

Stunnel will allow you to proxy the port and use latest TLS, but it's 2003.. the version of TLS is the least of the problems

Reply

[-]

firemarshalbill@reddit

You need to have an upstream proxy that can handle it

Reply

[-]

Squik67@reddit

Put a reverse proxy between server and client, Apache, nginx, or corporate tool

Reply

[-]

techvet83@reddit

Prepare to explain to the Auditors that you're running an operating system that went completely end of life 10 years ago and which also doesn't support TLS 1.2.

Reply

[-]

TheMcSebi@reddit

Lock down everything using the windows firewall, setup Nginx reverse proxy somewhere on a vm and only allow connections from this vm to the IIS. Then just use the Nginx vm for connecting to the server.

Reply

[-]

mikeyflyguy@reddit

Get ready to fail that audit. Your only possible hope is to stick that box behind a hardened firewall and some type of reserve proxy solution and that *might* be enough of a compensating control but your auditor (depending of type of audit) is going to want to see a upgrade plan/path documented and you’re gonna have a fixed window to get rid of this.

Reply

[-]

wrt-wtf-@reddit

They live behind a firewall and you use an sslvpn to tunnel traffic into them.

Reply

[-]

ptinsley@reddit

I would bet the audit also requires you be using supported operating systems that can receive security fixes. You either figure out the upgrade or fail.

Reply

[-]

knightress_oxhide@reddit

Just use plaintext passwords.

Reply

[-]

devlincaster@reddit

I love this

Reply

[-]

BattlePope@reddit

> Some things I've considered `null`

Reply

[-]

Dadarian@reddit

Who could have ever of seen this coming?

Reply

[-]

strongest_nerd@reddit

Use a reverse proxy where the frontend accepts TLS 1.2 and sends it out with TLS 1.0 to the backend. stunnel, nginx, haproxy, etc.

Reply

[-]

team_jj@reddit

The clients won't be able to connect if you disable TLS 1.0 on them. If you can't upgrade the OS, my suggestion would be to put a reverse proxy in front of the server to handle TLS 1.2 and proxy the connection to the 2003 server.

Reply

[-]

zombiesunlimited@reddit

We’ve tried nothing and we’re all out of ideas!

Reply

[-]

mwdmeyer@reddit

lol

Reply

Reply to Post

290 Comments