Disposition of Windows Server 2008 Software: IT Policy Implementation Notice (ITPIN)

From: Treasury Board of Canada Secretariat

Note to readers

The Disposition of Windows Server 2008 Software ITPIN is no longer in effect. It was migrated to Appendix H: Standard on At-Risk Information Technology as of May 04, 2022.

ITPIN No:

Date:


1. Purpose

The purpose of this ITPIN is to direct departments to migrate to Windows Server 2012 by .  Consistent with ITPIN 2015-03, departments are also directed to ensure that they have discontinued use of Microsoft server operating software prior to Windows Server 2008.

2. Effective Date

This ITPIN is effective immediately.

3. Application

This ITPIN applies to all departments that are subject to the Policy on Management of Information Technology.

Departments, agencies and organizations in the Government of Canada not subject to the Policy on Management of Information Technology are encouraged to abide by this ITPIN.

The heads of the following organizations are solely responsible for monitoring and ensuring compliance with this ITPIN within their organizations:

  • Office of the Auditor General
  • Office of the Chief Electoral Officer
  • Office of the Commissioner of Lobbying of Canada
  • Office of the Commissioner of Official Languages
  • Office of the Public Sector Integrity Commissioner of Canada
  • Offices of the Information and Privacy Commissioners of Canada

4. Context

Microsoft announced as the end of extended support for Windows Server 2008 Service Pack 2 (WinS2008 SP2) and Windows Server 2008 R2 Service Pack 1 (WinS2008R2 SP1) operating system software. All other variants of Windows Server 2008 are unsupported.  Windows Server 2008 SP1 is based on the Vista codebase and supports x86 architectures, while Windows Server 2008 R2 SP2 supports only 64-bit platforms and is based on the Windows 7 codebase.

Mainstream support for Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 ended .  Servers operating Microsoft Windows Server 2008 software are used to support a wide variety of Government of Canada business applications, web services, databases, and file and print services. 

Use of software past the mainstream support date presents challenges for organizations as hardware support diminishes and the complexity required to continue functionality on newer hardware becomes more challenging.  Additionally, after mainstream support has ended, newer functionalities are not introduced. 

As stated in Treasury Board Secretariat's (TBS) Operational Security Standard (OSS): Management of Information Technology Security, Section 9.4, the department's Chief Information Officer (CIO) is responsible for ensuring the effective and efficient management of the department's information and IT assets. Server management is a shared responsibility between departments and Shared Services Canada (SSC), with departmental CIOs responsible for evergreening applications and services so that the operating systems of the technologies on which they reside can be maintained and evergreened. Lifecycle management of IT is a critical strategic goal, per the Government of Canada Information Technology Strategic Plan.

Given the large inventory of Windows 2008 servers managed by the GC, a custom support agreement (CSA) with Microsoft may be implemented by Shared Services Canada (SSC), to ensure that support exists for GC infrastructure past . The CSA will provide GC Departments with updates for critical and important security vulnerabilities, and will mitigate security and operational risks to some degree. However, Windows Server 2008 software is aging and not all vulnerabilities will or can be resolved under the CSA, which will lead to increased security and operational risks to the GC.

Costs for the CSA will be shared among GC Departments which have not completed their Windows Server 2008 retirement and will be prorated based on servers remaining.  The cost sharing model will be reassessed by SSC and TBS if it is determined that additional time is required to complete the retirement process.

5. Direction

Effective immediately:

  1. Departments must be running WinS2008 SP2 or WinS2008R2 SP1 for all servers operating Windows Server 2008 software. No support exists for any previous versions, including the release of security patches. 
  2. Per ITPIN 2015-03 Disposition of Windows Server 2003, departments should not be running Microsoft server operating software older than Windows Server 2008. Departments must identify and report immediately to the Treasury Board Secretariat (TBS) Office of the CIO at ZZCIOBDP@tbs-sct.gc.ca if the department is running servers with unsupported versions of Windows Server 2008 software.  Unsecured operating systems pose great risks to Government of Canada (GC) infrastructure.  
  3. Departments are required to participate in migration efforts organized by Shared Services Canada (SSC) and TBS and to report on their ongoing migration progress and status.

By :

  1. Departments must migrate servers to Windows Server 2012 software or other newer, supported operating systems.
  2. In the event that departments cannot migrate all their servers to Windows Server 2012 by the required date, departments must obtain approval in advance from the GC Enterprise Architectural Review Board (GC EARB) to continue operation of those servers, subject to the following conditions:
    • Servers operating Windows Server 2008 software that are required to meet operational needs after are to be isolated and contained within a tightly controlled network environment with no access to GC networks or to the Internet.
    • This is to be considered a temporary measure and the ongoing operating strategy is to be submitted to TBS Office of the Chief Information Officer (OCIO) each year in the IT Risk section of the GC Department’s IT Plan, in addition to regular migration progress reporting.
    • GC Departmental Chief Information Officers or equivalents are directed to implement holistic measures with their infrastructure partners to protect and isolate access to these servers, including active IT security measures. The Communications Security Establishment Top 10 Security Actions provides guidance on these measures and other preventative security activities.
  3. GC Departments are not to put in place unilateral Windows Server 2008 Custom Support Agreements with Microsoft.

6. Enquiries

Please address any enquiries you may have by email to the CIOB-DPPI IT-Division-TI <ZZCIOBDP@tbs-sct.gc.ca>.

Marc Brouillard

Chief Technology Officer of the Government of Canada
Office of the Chief Information Officer
Treasury Board of Canada Secretariat

7. References

Additional information may be found in the following resources:

Microsoft Support Product Lifecycle

Policy on Management of Information Technology, July, 2007, Updated

Government of Canada Information Technology Strategic Plan 2017 – 2021, November 2017

Communications Security Establishment Top 10 IT Security Actions to Protect Government of Canada Internet-Connected Networks and Information
