Netcraft's latest headcount for websites and their servers reveals an interesting statistic: about 175 million websites, or roughly 20% of those surveyed, are still running on the unsupported Windows Server 2003. Microsoft ended extended support for the venerable operating system last month, meaning that it will receive no further security updates.
A portion of those websites aren't being run atop IIS 6.0 (Server 2003's default web server software), but that may be of little help—any new security vulnerabilities in the underlying operating system will probably go unfixed. Some companies may have extended support contracts with Microsoft, but those likely account for a small portion of the installed base.
Netcraft's analysis produced another interesting number: the actual number of machines running Windows Server 2003 is about 609,000, which accounts for over 10% of web-facing servers. The disparity in the figures is explained by the fact that a single web server usually hosts more than one site—sometimes even hundreds, in large hosting environments. Most of these are located in China and the USA, and their owners include high-profile companies such as Alibaba and LivePerson.
More worryingly, Netcraft says that hundreds of banking sites are still on Server 2003, which is bad news for customers and banks alike—according to Requirement 6.2 of the Payment Card Industry Data Security Standard (PCI DSS), using an operating system with no available security updates may be grounds for an automatic failure in a quarterly security scan.