XP servers still powering 6,000 websites

Summary: Operators behind hundreds of thousands of websites apparently couldn't care less that they're running an unsupported operating system.

TOPICS: Windows, Security

Windows XP is a more exotic choice for hosting a website than the dominant platforms such as Linux Apache and nginx, but XP servers running an early version of Microsoft's Internet Information Server (IIS) web server suite exist in large enough numbers — more than 6,000 to be precise, according to UK web security firm Netcraft.

Netcraft's April figures show that a third of websites hosted on XP servers (1,869) are located in the US, while it's only three percent in China — the reverse of the trend seen on the desktop, where China is home to the largest number of XP machines, the company noted.

Netcraft noted that 14 US government websites are among those that run on XP, including a .gov webmail system that services government organisations in Utah.


In its April report, Netcraft noted that IIS stands alone this year as the only web server platform that has yet to be affected by a publicly-known security issue. The same can't be said for XP, which has featured in the four Patch Tuesdays that have happened so far this year.

As Microsoft noted in one of its many XP end-of-support warnings: "Between July 2012 and July 2013 Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8."

And just as Microsoft predicted that XP will become especially targeted once it no longer receives patches, servers running the OS are likely to draw similar attention, according to Netcraft.

"Unsupported web-facing Windows XP servers are likely to become prime targets for hackers, particularly if any new Windows XP vulnerabilities are discovered, as no security updates will be available to fix them," it noted.

But it seems that it's actually common practice to run websites on old, unsupported versions of Windows, including extremely busy ones. For example, the website of Australia Post, the country's national postal system operator, is still running on Windows NT4 — a predecessor to Windows 2000 — as it was 13 years ago. It's also used for Australia Post's online bill payment service, Postbillpay.

Netcraft noted that 500,000 websites are hosted on Windows 2000 servers, which shipped with IIS 5.0, while there are 50,000 running on Windows NT4 with IIS 4.0. Windows Server 2012 and Windows 8.1 ship with IIS 8.5.

In April, Netcraft's survey covered just under one billion websites. It found half of all active websites running on an Apache server, and 11 percent of these running on various versions of Microsoft's IIS.


Liam Tung

  • Linux

    Don't let the FUD (fear, uncertainty, doubt) trolls lie to you. It is the perfect time to switch to Linux!
    • The most obvious upgrade would be to a later version of Windows.

      • Not particularly true for the scenario described

        since there's no actual "upgrade" process available for anyone who's decided to use XP as a web server (IIS on XP is not licensed for or intended for production use.)
    • Is it

      Is it the year of Linux again? ;-)
      • That was 2013.

        And 2014. And 2015. And 2016. And 2017. And 2018. And 2019.

        Every year is the year of desktop Linux.
        • Year of Linux?

          You don't give them enough credit. I seem to remember hearing about the "Year of Linux" back around '98.
          Max Peck
    • Linux?

      There's a place for Linux, no doubt.
      Perfect time?
      It's never a perfect time.
      Linux servers need love and care, as much or more than Windows-based servers.
      Not everyone has the expertise, and there are server-based WINDOWS applications, in case you did not know.
      • Not everyone can be a system administrator either.

        Nor a doctor, lawyer, or even a brick layer...

        Linux handles over 50% of the internet servers, 90%+ of the supercomputers, 75%+ of cell phones... and the list goes on.

        There is always a perfect time... as every time is perfect.
        • You ignored him on purpose because...?

          "Linux handles over 50% of the internet servers, 90%+ of the supercomputers, 75%+ of cell phones"

          And according to Jesse, they're all managed by lawyers, and brick layers...
        • Yes the perfect time

          to ditch Linux and move to something that's user friendly and doesn't require a PhD to do basic stuff.
  • Whu....?

    Government websites running on a client operating system? I hope these things were just set up by desk jockeys hoping to share LOLCat pictures!
    • I've seen this myself

      and sadly, it was actual websites. Using Access as the database and Windows XP Pro as "server". Sure, it works, sort-of, but both have a ten user limit and I wouldn't expect a client OS to be as robust as a server OS--and it isn't.
    • dsf3g, bear in mind these servers have a lot of proprietary protection

      The article is full of FUD, not taking into account what's written AROUND the Windows server to make it protected. They did it long ago, keep patching it themselves, and what they have is better than what they can migrate to. So why change? I'm really tired of all these shill articles claiming that if you stay on XP, you are suddenly at risk, as if the XP updates ever really protected you. They didn't. They caused more problems than they fixed. My crashes on XP have stopped, ever since the EOL warning began a year ago. Now I suffer Win7 crashes so often, my main internetting Win7 machine has had to be cloned back SIX TIMES. Thank God I won't network.

      No network in an enterprise or Government lacks proprietary programming 'surrounding' the OS. So all this hype about end-of-the-world due to MS no longer supporting the patches, is just nonsense.

      MS has always written mediocre software, to begin with. It's like the Catholic Church, claiming to be the one true faith, but cannot even count to three (Good Wednesday, per Bible, mistaken as Friday, because the 'fathers' couldn't tell the difference between a high sabbath in John 19, versus a regular one).
      • And we're tired of you shills with your phoney businesses and stories

        The more you say, the more evident it becomes.

        Like how would you know that "what they have is better than what they can migrate to"?
        You're not there, you have no idea what they're running, or what the scoop is.

        The EOL warning began a year ago? Your Win7 crashes so often, your main internet Win7 machine has had to be cloned back SIX TIMES.

        You have issues far beyond anyone else I know in small manufacturing facilities.

        Something doesn't feel right about your stance.....
        • Says it all in the signature...

          His brain is out. That is obvious from the exaggerated problems he claims to experience. And what in the world comprises a "main internet machine"? The guy has so many problems trying to run Windows I really don't know why he doesn't join the other trolls, shills and over-paid computer engineers and just stick to LINUX. That would terminate all his problems and is totally free.
          The Heretic
  • Sky is not falling

    "still running on Windows NT4"

    OMG, they must get thousands of hackers attempting to break in every day. No? Thought not.

    The real problem here is that some people still refuse to obey when told to shell out money to replace something that still works, and that makes Micro$oft wrathful. By the time 3rd party vendors stop supporting anti-virus/-malware, hackers will have moved their focus to Windows 9.1 SP3, at which point Micro$oft will be screaming about people who haven't moved to Win 10.

    There are perfectly sane reasons not to replace a working OS. I believe that one might assume that the system managers have it in hand.
    Liam SWz
    • Well, on a web server

      Running NT 4.0 actually is rather a dumb idea.

      Personal computers doing personal things is one thing. But you really don't want a web server out there accepting traffic unless it is totally hardened.
      • I'm almost wondering if age might start to become a good thing again

        I genuinely don't know the answer to this...but I'm wondering if the relative obscurity of NT 4.0 as a web server might give it a certain level of obscurity such that it becomes a less lucrative target for hacking.

        Now if you want a REALLY obscure way to do things, try Lotus Domino on OS/2 running PostgreSQL. A bizarre stack that will likely be a pain to write for, but it will provide no shortage of 'wtf' to anyone trying to pry...

      • It depends.

        We run a few older POS systems with XP as the backend running SQL Server 2000.

        It has one internet connection to a payment portal, with firewall rules in place that only allow communications between the two IP addresses of the payment server and the XP machine, with all other non-essential ports closed.

        No credit cards or things like that are done on the system, so in that instance XP is doing fine.

        All the newer systems are running Server 2008 or 2012, and SQL 2008 for the back end.
  • hold on - XP Servers?

    XP is a client OS, not server.

    Are you talking about Windows 2000 Server?