Found a Windows 2003 Server - now to Remediate

I've always known that we have a handful of Windows 2003 servers.  And with the retiring of Windows 2003 on July 14th I started beating the drum towards migrating to newer (supported) servers.  When I last looked, I think that there was two or three servers left in existence.  Flash forward to today, and our weekly external vulnerability scan.  One of the scans picked up a Windows 2003 server in the publicly facing DMZ, and flagged the finding as critical.  I can support that, it's a pretty serious finding.  The scan also noted IIS 6.0, another finding.

After consulting with the Sysadmins, we found that there are only two applications being utilized on the server.  Off I went to query the application owners as to migrating the applications off the server to something supported.  Here's one of the responses:

I will speak with my management regarding making the migration of what's on there a priority to move. The wrinkle is that some of the code is old and needs to be rewritten/ported into the current project and that is an effort that I have yet to get permission to put the hours in on.

So for now, we need to leave it where it is and I'll try to get everything off of there as soon as possible.

Sigh.

Security education only goes so far.  The fact that there are exploits out there does nothing for the application owners...they're willing to take the risk.  I have their acceptance of risk in writing; but a lot of good that will do if/when something happens to the server.