Legacy Operating Systems Hanging Around Isn’t Just Bad for Security

Adam Bertram
Jul 1, 2019

When the grim reaper comes for an operating system, we all know what that means: no more security updates, software vendors stop supporting it, and essentially it’s a forgotten soul in the Microsoft ecosystem.

It’s obviously important to keep your server infrastructure current not only to continue getting security updates but for all the reliability improvements and features that new operating systems can get you. This is the most obvious benefit but sometimes the biggest benefit for getting servers current is standardization.

Ahh, beautiful standardization. Standardization nirvana is that moment when all your servers are running exactly the same hardware with the same firmware and the same OS, have exactly the same configuration, and you’re using PowerShell DSC to ensure they all stay that way. When you make a change to one, you know with 100% certainty that the change will behave in exactly the same way on all the others. Just take it all in for a moment…

OK, back to reality. No one lives in standardization nirvana, but we all strive to get there. What some people don’t understand is that failing to prioritize server upgrades and standardization not only affects security but also makes you pull your hair out when you try to roll out a change to all your servers. I love examples and I’ve got just the one for you.

Today I am planning to deploy an application to a few hundred servers. This application requires some registry tweaks, files copied and a Windows feature installed; perfect for a PowerShell script, right? Yes, a 20-line script maybe, but this script, when fully tested across the 7 different Windows OSes and different architectures, turned into a 100-line beast! Why? Read on…

First, it needed a Windows feature installed. If I had Server 2012 across the board it’d just be a simple matter of:

Add-WindowsFeature FEATUREHERE

However, I have Server 2008 RTM which requires:

Import-Module ServerManager
Add-WindowsFeature FEATUREHERE

A small change yes, but nonetheless a difference. I then have Server 2003 which is completely different:

Start-Process 'sysocmgr.exe'
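Before writing a script like this, it helps to count how many distinct code paths the fleet forces you to test. The following is an added example, not code from the original article: it groups a constructed inventory by the install method named above for each OS generation and by architecture. The function name, the host names and the choice to treat 6.1 (Server 2008 R2) like 6.0 are assumptions.

```powershell
# Constructed sample inventory. Live values could be read per host with
#   Get-WmiObject Win32_OperatingSystem -ComputerName $name   (Version)
#   Get-WmiObject Win32_ComputerSystem  -ComputerName $name   (SystemType)
$inventory = @(
    [pscustomobject]@{ Name = 'app01'; Version = '6.2.9200'; SystemType = 'x64-based PC' }
    [pscustomobject]@{ Name = 'app02'; Version = '6.2.9200'; SystemType = 'x64-based PC' }
    [pscustomobject]@{ Name = 'app03'; Version = '6.1.7601'; SystemType = 'x64-based PC' }
    [pscustomobject]@{ Name = 'app04'; Version = '6.0.6001'; SystemType = 'X86-based PC' }
    [pscustomobject]@{ Name = 'app05'; Version = '5.2.3790'; SystemType = 'X86-based PC' }
    [pscustomobject]@{ Name = 'app06'; Version = '5.2.3790'; SystemType = 'x64-based PC' }
)

# Hypothetical helper: maps an OS version to the install method the article
# names for that generation (5.2 = Server 2003, 6.0 = 2008, 6.2 = 2012).
function Get-FeatureInstallPath {
    param([Parameter(Mandatory = $true)][string]$Version)

    $v = [version]$Version
    if     ($v -ge [version]'6.2') { 'Add-WindowsFeature' }
    elseif ($v.Major -eq 6)        { 'Import-Module ServerManager + Add-WindowsFeature' }
    elseif ($v -ge [version]'5.2') { 'sysocmgr.exe' }
    else                           { 'unsupported' }
}

# One row per server: which branch of the deployment script it would take.
$report = $inventory | ForEach-Object {
    [pscustomobject]@{
        Name        = $_.Name
        Arch        = if ($_.SystemType -like 'x64*') { 'x64' } else { 'x86' }
        InstallPath = Get-FeatureInstallPath -Version $_.Version
    }
}

# Each group is a variant the script must handle and be tested against.
$variants = $report | Group-Object InstallPath, Arch | Sort-Object Count -Descending
$variants | Select-Object Count, Name | Format-Table -AutoSize

"{0} servers, {1} distinct install variants to test" -f $report.Count, @($variants).Count
```

With the sample data, six servers produce five variants, which is the kind of ratio that turns a 20-line script into a 100-line one.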