How will Windows Server 2012 EOL affect Cyber Essentials?

Windows Server 2012 and 2012 R2 have been among Microsoft’s most successful and widely used server operating systems since their release 11 years ago, writes Lead Assessor Jason McNicholas.

Server 2012 and Server 2012 R2 will reach their end-of-life on 10th October 2023. This means that Microsoft will cease to provide security updates, bug fixes, and technical support for these operating systems beyond this date.

While the software will continue to function, any vulnerabilities or security flaws discovered after end of life will not be addressed by Microsoft, leaving systems susceptible to cyber-attack. Failing to address this fast-approaching date, or leaving it until the last moment, could have a serious impact on your organisation’s security and could jeopardise Cyber Essentials renewals and Cyber Insurance claims.

Mitigation Strategies

To navigate the challenges posed by the end-of-life for Windows Server 2012 and ensure compliance with Cyber Essentials, organisations should consider the following strategies:

  • Upgrade: The most effective approach is to upgrade to a supported operating system, such as Windows Server 2019 or newer.
  • Network Segmentation: Isolate Windows Server 2012 systems from critical parts of the network to minimize potential damage in case of a breach. For Cyber Essentials this would involve moving the unsupported servers to a separate “sub-set”, which is described by the National Cyber Security Centre as: “A part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN”.
  • Extended Security Updates (ESU): Microsoft are providing Extended Security Updates for Server 2012, much as they did for Server 2008. These must be “opted into” and may have charges associated; please see here for more information.
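Before choosing between upgrade, segmentation or ESU you need to know which servers are affected and which subnets they sit on. The following PowerShell is an added example, not part of the original article, that inventories domain-joined servers still reporting the Server 2012 (kernel 6.2) or 2012 R2 (kernel 6.3) version and groups them by subnet. It assumes the Active Directory RSAT module is installed, that the account running it can read computer objects, and that networks are /24 (the subnet derivation is a rough indicator only; check against your firewall/VLAN design).

```powershell
# Added example (not from the original article): find Windows Server 2012 / 2012 R2 hosts
# in the domain and show which subnet each one is on, to support an upgrade or sub-set decision.
# Assumes: ActiveDirectory module (RSAT) available, read access to computer objects.
Import-Module ActiveDirectory

# OperatingSystemVersion is stored as e.g. "6.3 (9600)"; 6.2 = Server 2012, 6.3 = Server 2012 R2.
$unsupportedPrefixes = @('6.2', '6.3')

$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' `
    -Properties OperatingSystem, OperatingSystemVersion, IPv4Address, LastLogonDate, Enabled

$report = foreach ($s in $servers) {
    $ver   = $s.OperatingSystemVersion
    $isEol = $false
    foreach ($p in $unsupportedPrefixes) {
        if ($ver -and $ver.StartsWith("$p ")) { $isEol = $true }
    }

    # Rough subnet indicator: first three octets (assumption: /24 networks).
    $subnet = if ($s.IPv4Address) { ($s.IPv4Address -split '\.')[0..2] -join '.' } else { 'unknown' }

    [PSCustomObject]@{
        Name        = $s.Name
        OS          = $s.OperatingSystem
        Version     = $ver
        Subnet24    = $subnet
        Enabled     = $s.Enabled
        LastLogon   = $s.LastLogonDate
        Unsupported = $isEol
    }
}

# Unsupported servers grouped by subnet: any subnet here that also holds in-scope devices
# is the one to act on first (upgrade, ESU, or move the server to a segregated sub-set).
$report | Where-Object Unsupported | Sort-Object Subnet24, Name |
    Format-Table Name, OS, Version, Subnet24, Enabled, LastLogon -AutoSize

# Full inventory as evidence for the assessment.
$report | Export-Csv -Path .\server-os-inventory.csv -NoTypeInformation
```

Stale, disabled computer objects will still appear in the report; the LastLogon and Enabled columns are there so they can be cleaned up rather than counted as live hosts.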

If an unsupported Server 2012 device is found on the same network sub-set as in-scope devices during a Cyber Essentials assessment, this would result in an immediate failure.

Achieving and retaining Cyber Essentials certification requires a commitment to cyber security best practices, including the use of supported and secure operating systems.

By recognizing the impact of this transition and taking proactive steps to upgrade or secure your systems, your company can continue to protect its digital assets, and maintain a strong cyber security posture, in an ever-evolving threat landscape.