Be Proactive in 2015: Three Significant Opportunities for Success or Failure

The three biggest IT challenges for 2015 are all things you can start today, so there’s no excuse when you get asked about them a year from now.

We know the pace of change is accelerating, and looking ahead at 2015 there is no reason to expect that to stop. As we start a new year we get an excellent opportunity to leave behind the business practices that have not served us well. It is time to seriously work to cut the boat anchors slowing us down and try to build a fast and capable ship that our customers are proud to be associated with. Sooner or later, the organizations whose IT shops look like junkers from last century will decide to bypass them entirely if they can’t provide useful services or respond to their changing business needs. IT will no longer be able to get away with being a boat anchor on the business.

One of the key differentiators between highly-valuable IT organizations and impending-shipwrecks is their ability to proactively tackle major changes. 2015 is full of big challenges that, if approached now, can be successfully handled relatively easily.  Choosing to not handle these proactively means putting your business at significant operational, security, and financial risk. Even if that’s been the modus operandi of your group before, let’s try to do it better with a couple of these big challenges. Your effort (or lack thereof if you so choose) will be noticed by the organization you serve.

These are the biggest IT challenges for 2015, so get started on them right away:

Windows Server 2003 End of Support

Microsoft has been very clear for several years that Windows Server 2003 reaches end-of-life on July 14, 2015. With end of support, known security vulnerabilities in the operating system will no longer receive publicly available fixes—there will be no way to secure them against threats from even an unsophisticated attacker. If you do discover something that isn’t working right on those servers, you won’t be able to go through the normal support channels at Microsoft to get help fixing it. And Windows Server 2003 won’t be something that Microsoft tests changes in other products like Active Directory against. If something stops working with Server 2003, it won’t be something Microsoft will be likely to fix or help you with through Microsoft Support.

Quick Bullet Points of What to Do Today

  • Get a weekly tally going of Windows Server 2003 computer objects still in Active Directory.
  • Ensure someone owns each and every one of them and is actively working on migrating/decommissioning.
  • If you’re going to have stragglers, be ready to lock them away in jail until they can be executed.
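One way to produce that weekly tally, as an added example that is not from the original article. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that owners are recorded in each computer object's ManagedBy attribute; the report folder and the 90-day staleness threshold are hypothetical choices.

```powershell
# Added example: weekly tally of Windows Server 2003 computer objects in AD.
# Assumptions: ActiveDirectory module available; owners tracked in ManagedBy.
Import-Module ActiveDirectory

$reportDir = 'C:\Reports\Server2003'   # hypothetical output folder
$staleDays = 90                        # hypothetical threshold for "probably already dead"
$cutoff    = (Get-Date).AddDays(-$staleDays)
$filter    = 'OperatingSystem -like "Windows Server 2003*"'

$servers = Get-ADComputer -Filter $filter -Properties OperatingSystem, LastLogonDate, ManagedBy

# One row per server; anything without an owner is called out explicitly.
$rows = @(foreach ($s in $servers) {
    [pscustomobject]@{
        Name        = $s.Name
        OS          = $s.OperatingSystem
        Enabled     = $s.Enabled
        LastLogon   = $s.LastLogonDate
        Owner       = if ($s.ManagedBy) { $s.ManagedBy } else { 'UNOWNED' }
        LikelyStale = (-not $s.LastLogonDate) -or ($s.LastLogonDate -lt $cutoff)
    }
})

$stamp = Get-Date -Format 'yyyy-MM-dd'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# Detailed list for this week, grouped by owner so each team sees its own backlog.
$rows | Sort-Object Owner, Name |
    Export-Csv (Join-Path $reportDir "server2003-$stamp.csv") -NoTypeInformation

# One summary line appended per run, so the week-over-week trend is visible.
[pscustomobject]@{
    Date    = $stamp
    Total   = $rows.Count
    Unowned = @($rows | Where-Object { $_.Owner -eq 'UNOWNED' }).Count
    Stale   = @($rows | Where-Object { $_.LikelyStale }).Count
} | Export-Csv (Join-Path $reportDir 'tally.csv') -Append -NoTypeInformation
```

Run it from a scheduled task once a week. Computer objects flagged LikelyStale may only need their AD object cleaned up, while UNOWNED rows are the ones that need an owner assigned first.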

For the exceptions that you just absolutely cannot make disappear by July 14th, you have two options which are defensible business decisions that can buy you time while you finish killing them off—and you need them in place before the deadline. You can 1) purchase a custom support agreement from Microsoft, or 2) isolate these machines like they have Ebola. For the second option, that means blocking all internet access (or all except specific sites that absolutely must be accessed), restricting inbound/outbound LAN traffic to only the specific hosts they have an express business need to contact (all traffic blocked except to LAN systems that absolutely must be accessed), and ensuring every other mitigating security tool is in place (all released updates installed, functioning and supported anti-virus, even the Enhanced Mitigation Experience Toolkit).

It will be a lot of work to keep these things alive, and it will usually be a much better business decision to invest that time/energy into getting rid of them today instead of struggling to keep them on life support in the future. Regardless, you’ll be happy you started working on this aggressively now instead of in a panic after July 14th.

Java 1.7 End of Life

If you have Java installed anywhere in your enterprise, you must keep it up to date. After April of 2015, there will be no such thing as an up-to-date version of Java 1.7 unless you are buying an expensive support contract from Oracle. If you have Java and are connected to the internet, then the update to Java 1.8 needs to be installed by the time Java 1.7 is retired.

This is the time to get out of the version trap! Oracle has committed to a clear release schedule for some time now—there will be an update to Java every three months. Organizations must be able to test and deploy those updates as part of their regular business operations, not as major projects. When the vendor says in big red letters that you need to get upgraded, there is just no way to explain to a board of directors, senate subcommittee, or press conference why you didn’t do it.

If any of your internal developers or external software vendors ever try to give you something that is locked to a specific update of Java, you must not accept it!

Quick Bullet Points of What to Do Today

  • Get ready to deploy Java 1.8 with a whitelist using Ryan Ephgrave’s article.
  • Shove any really bad Java straggler apps into the data center, and access only through remote presentation.
  • Remove anything other than the current version of Java 1.8 from all devices (or remove their internet access).
  • Remove Java from all devices that do not have a significant and compelling business need for it to be there.
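To find what actually needs removing on a given machine, the following added example (not from the original article) lists the installed JRE versions registered under the JavaSoft registry keys and flags everything that is not the approved 1.8 update. The `$approved` value is a placeholder you must set, and `Get-InstalledJre` is a hypothetical helper name.

```powershell
# Added example: inventory installed Java runtimes from the registry and flag
# anything other than the one approved Java 1.8 update.
$approved = '1.8.0_XX'   # placeholder: the current 1.8 update you have tested

# 64-bit and 32-bit (Wow6432Node) registration locations for the Oracle JRE.
$roots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
)

function Get-InstalledJre {
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }   # no JRE of this bitness installed
        $bitness = if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' }

        # Subkeys such as "1.7" are family pointers; full versions look like "1.7.0_75".
        Get-ChildItem $root |
            Where-Object { $_.PSChildName -match '^\d+\.\d+\.\d+' } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Version  = $_.PSChildName
                    Bitness  = $bitness
                    JavaHome = (Get-ItemProperty $_.PSPath).JavaHome
                    Action   = if ($_.PSChildName -eq $approved) { 'keep' } else { 'remove' }
                }
            }
    }
}

# Machines that return no rows have no registered JRE and need no Java patching.
Get-InstalledJre | Sort-Object Version | Format-Table -AutoSize
```

The registry only shows installer-registered runtimes; copies of Java bundled inside application folders will not appear here and have to be found by a file search.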

Oracle is still years away from being able to fix the Java security mess, so zero-day vulnerabilities are going to continue being a problem. You don’t have to patch Java if it isn’t installed!

Windows 10 and Internet Explorer 11

Windows 10 is coming in the late summer of 2015, about three years after Windows 8.1, which came about three years after Windows 7, which came about three years after Vista. But this is the last time we get three years between releases. Microsoft will be moving to a faster incremental release model much more akin to what we see in the mobile operating system world, so they can compete with new features.

If you didn’t start your Windows 7 deployment in earnest until the Windows XP End of Support date was creeping up on you (and Windows 8.1 was already released [and, yes, your end users noticed]), this is definitely the time to change your business processes. Waiting until the end of life of an operating system or “skipping” an upgrade does not actually save you any effort. The actions required to get from Windows 7 to Windows 8.1 are pretty much all still going to be required when you go to Windows 10. The only difference is that you could have invested in those incremental updates several years ago and gotten more time value out of them.

It’s looking like the hardest part of Windows 10 upgrades for enterprises is something you can start with today on Windows 7 by getting ready for Internet Explorer 11. Internet Explorer 11 will be required by January 11, 2016.

While Microsoft is obviously not letting people’s ancient boat anchor web apps hold things up for everyone else, they are providing an easy way for enterprises to make the transition: Enterprise Mode. Most legacy web apps render just fine in IE11 as long as they are run in the legacy Enterprise Mode, and you can easily pre-emptively tell browsers about these sites using group policy. Steve Jesok has a great write-up here about collecting info about when individual users hit the Enterprise Mode button to make a website work so you can add it to your group policy list for all users:

Quick Bullet Points of What to Do Today

  • Start testing early—waiting will only postpone the work for later. You’re likely to find most things work just fine even this early in the development process.
  • Internet Explorer 11 Enterprise Mode can enable most legacy web apps to keep working.
  • In-place upgrades from Windows 7 and 8.1 to Windows 10 can be a viable solution.
  • Windows 10 upgrades from Windows 7 and 8/8.1 for consumer or small businesses will be free of charge if upgraded within the first year of Windows 10’s availability. Watch for more information on enterprise solutions.

And for fun, consider creating a “Wall of Shame” for tracking any Windows Server 2003 boxes, insecure Java apps requiring old versions or whitelist entries, or legacy webapps that need Enterprise Mode. Best of luck as you move your organization forward in 2015.