The Future of SBS 2008

Microsoft Windows Small Business Server (SBS) 2008 is a bundle of server software products intended for small business networks that can be serviced by a single server (or possibly with a second server performing some specific task). It was released in 2008.

Different components of SBS 2008 have different support periods from Microsoft. The support provided is mostly software updates to correct security vulnerabilities.

As of 2015, it appears that SBS 2008 will become effectively unsupported in 2017:

• For Windows Server 2008, this support ends in 2020.

• For Exchange Server 2007, the email platform, support ends in 2017.

Additionally, some technology deficiencies in Windows Server 2008 may hasten its inability to operate safely. For example, Windows Vista/2008 only support up to TLS 1.0, which is rapidly becoming regarded as obsolete, despite its relative safety (as of 2015) as an encryption protocol. Modern systems support up to TLS 1.2 which is far superior.

SBS 2008 features such as Outlook Web Access and Outlook Anywhere are encrypted with SSL/TLS (depending on server configuration), so if TLS 1.0 support is removed from modern client devices in the next few years, these features will become unusable for some devices and unsafe for others. If “the Internet” makes a serious attempt to deprecate the use of TLS 1.0 in the same way that it acted against SSL 3.0 in 2014, it will mean that TLS 1.0 is seriously compromised and SBS 2008 will be very unsafe to expose to the Internet. (SSL 3.0 had been regarded as insecure for many years but it wasn't until a major flaw was discovered in 2014 that the big Internet companies finally took decisive action to deprecate its usage. In the case of TLS 1.0, any weaknesses will not be tolerated for as long. At the first sign of trouble, TLS 1.0 will be deprecated very quickly.)

Even though Windows 2008 support ends in 2020, it seems unlikely that should TLS 1.0 become seriously discredited, Microsoft will retro-fit TLS 1.2 support into it. If they had any ability or will to do so, they would have done it many years ago. So Windows 2008 may find itself obsolete prior to its official end of life.

But of more practical concern is Exchange Server's end of life in 2017. Typically, Exchange is exposed to the Internet to receive email via SMTP, and to provide mailbox services to remote devices via Outlook Anywhere (what used to be called RPC over HTTP). It is not easy to apply firewall restrictions to these services, because the whole point is to provide wide connectivity. So both of these will become unsafe due to lack of further security updates. But it will not necessarily happen immediately; security updates for these services are rare, so there's no reason to expect that there will be many unresolved security vulnerabilities waiting to be exploited. But nevertheless the risk is unacceptable.

There is also the possibility that so-called malicious actors have knowledge of vulnerabilities in Exchange 2007, but are not exploiting them yet. When Exchange 2007 drops out of support, there may be new zero-day attacks against it.

Additionally, Outlook 2016 no longer supports mailboxes on Exchange 2007, so this makes it difficult to deploy new systems if deploying Office 2013 is not possible.