Licensing Expert Warns of Pricey Windows Server 2003 Custom Support
Microsoft doesn't explain its CSAs publicly in great detail, so it's left to consultants to lend a helping hand.
This month, licensing expert Paul DeGroot offered his analysis of Microsoft's CSAs and how it relates to the end of official support of Windows Server 2003. DeGroot, a senior consultant with Software Licensing Advisors Inc. and owner of Pica Communications, offered some sobering numbers for those considering CSAs. Organizations could face CSA enrollments fees of $3.1 million in the first year just to get Custom Support for 100 servers, according to one of the charts he presented.
CSA costs are tallied up based on the number of devices under support. In the first year, the per-device cost will be approximately the same as the price of the original Windows Server 2003 license, or around $600 to $700 per license for the Standard edition. In the next year, that price will double. In the third year, Microsoft doubles the second-year price.
If an organization started the first year of a CSA paying $600 per device, then it will be paying $2,400 per device by the third year, according to DeGroot's calculations, which used 2014 pricing information.
In response to a question, DeGroot explained that the $600 per license price was based on a customer's experience. Exactly what Microsoft actually charges for CSAs isn't generally known.
CSAs are agreements that organizations establish with Microsoft via its Premier Support services at the end of a product's lifecycle. Microsoft's enterprise software has two product-lifecycle support phases of five years each, which are known as "mainstream support" and "extended support." When extended support ends, the software is considered to be "unsupported." It means that no security patches for the software will be arriving from Microsoft. The exception to this rule is the CSA, which DeGroot described as an "expensive" option for organizations.
Windows Server 2003 will exit its extended product-support phase next month on July 14, 2015. It's not a deadline that organizations are casual about, DeGroot indicated, but they could be stuck from upgrading their servers for various reasons.
In some cases, organizations may have custom applications that can't be rewritten that depend on Windows Server 2003. Possibly an application upgrade may be too costly for an organization to implement. And, in some cases, upgrading a server operating system could void a warranty for those using a custom app or device.
On the other hand, organizations may be compelled by regulatory requirements to upgrade Windows Server 2003. Examples include meeting HIPAA or PCI requirements.
What a CSA Covers
CSAs provide access to Critical and Important software updates from Microsoft beyond the end of the extended support date. Microsoft provides some problem resolution support, too. While hotfixes are provided, Microsoft only provides them for Critical issues. A Critical issue is something that could cause a loss to the business or cause products to crash.
Critical patches are defined as addressing remote code execution threats, or security issues that can cause escalation-of-privilege or denial-of-service types of attacks. Important patches are issues where confidential information could get comprised.
A CSA typically has an enrollment fee. One Critical hotfix is included at a fixed price. However, additional hotfixes will cost extra. The overall costs go down as systems are taken out of service, DeGroot said.
What To Do
DeGroot commented during the Q&A that some customers have said that the only reason they are getting off Windows Server 2003 is the loss of product support from Microsoft. It's a bit of an "artificial crisis" for them. He recommended that organization consider reducing their risks when considering a CSA.
Servers with .NET apps should be upgraded first. IT pros should not use Windows Server 2003 consoles as general purpose PCs. DeGroot noted that 85 percent of all Critical security updates issued in 2010 were released in response to attacks facilitated by the console users doing something, such as opening a file. He also recommended turning off unnecessary services such as Telnet that can expose the server to potential attacks.
Organizations looking at a CSA can try negotiating with Microsoft. They can go through a list of past Critical updates and talk to Microsoft about whether the CSA will be cost effective for them.
Organizations can defer purchasing a CSA immediately as a CSA can always be purchased later. It's based on the number of devices, so when it's purchased later an organization's costs may have gone down. However, a CSA is "not retroactive," so an organization can't buy it and expect to get a hotfix that was previously released.
A potentially lower cost alternative to a CSA is something called "Custom Support Essentials." It's about one third the cost of a CSA. DeGroot said that organizations can ask Microsoft about a Custom Support Essentials Agreement but the company doesn't advertise it.
If people take chances without signing up for a CSA, it could affect CSA pricing. DeGroot noted that seemed to have been the case with Windows XP's end of support, which had high CSA costs initially.
DeGroot's June 17 talk on CSAs is available on demand. It's accessible at this page at the Software Licensing Advisors site (but sign-up is required).
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.