When a business gets breached, the cause is rarely exotic. It’s usually something that’s been sitting in the environment for a long time — a server running an operating system past its end-of-life, a device that fell off the patching schedule, or a remote access tool that was set up for a contractor two years ago and never removed.
This is legacy debt: the accumulated risk of systems that were once fit for purpose but have outlived their supported life. It’s invisible on a good day and catastrophic when exploited.
Here are the three most common categories we find when we audit an SMB environment — and what to do about them.
1. End-of-life operating systems
Microsoft Windows Server 2012 R2 reached end of extended support in October 2023. Windows 10 reaches end of life in October 2025. After these dates, Microsoft stops issuing security patches — meaning newly discovered vulnerabilities will never be fixed.
In practice, this means an attacker who finds a vulnerability in an EOL system has a permanent, unpatched entry point. There’s no fix coming. The only protection is compensating controls (network segmentation, monitoring) until the system is replaced.
End-of-life operating systems are consistently among the most exploited vectors in ransomware incidents. The attackers know which systems are unpatched; vulnerability data is publicly available and actively monitored by criminal groups.
What to find: Run a full inventory of your server and desktop environment. Check every OS version against Microsoft’s official lifecycle dates. Flag anything EOL or approaching EOL in the next 12 months.
What to do: For servers, start a migration project — typically to Windows Server 2022 or a cloud equivalent. For desktops, upgrade to Windows 11 or refresh the hardware where the existing machines can’t run it. Where replacement isn’t immediately possible, isolate EOL systems from the internet and from your production network, and add enhanced monitoring.
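As an added example (not part of the original post), a small Python script that applies the lifecycle check above to a constructed inventory export. The Server 2012 R2 and Windows 10 dates are the ones quoted above; the other table entries are Microsoft's published extended-support end dates and should be verified against Microsoft's lifecycle page before you rely on them. The hostnames and the "hostname,os_caption" export format are invented.

```python
from datetime import date, timedelta

# Extended-support end dates. 2012 R2 and Windows 10 are as quoted in the article;
# the rest are Microsoft's published dates at time of writing. Verify each entry
# against Microsoft's lifecycle page before relying on it.
LIFECYCLE_END = {
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows Server 2016": date(2027, 1, 12),
    "Windows Server 2019": date(2029, 1, 9),
    "Windows Server 2022": date(2031, 10, 14),
    "Windows 10": date(2025, 10, 14),
}

# Constructed sample inventory, one "hostname,os_caption" line per device.
SAMPLE_INVENTORY = """\
FS01,Microsoft Windows Server 2012 R2 Standard
DC01,Microsoft Windows Server 2019 Standard
APP02,Microsoft Windows Server 2022 Datacenter
WS-042,Microsoft Windows 10 Pro
WS-077,Microsoft Windows 11 Pro
NAS01,Synology DSM 7.1
"""

def match_product(caption):
    """Longest table key contained in the caption (so '2012 R2' is not shadowed
    by a shorter name); None if the OS is not in the table."""
    for product in sorted(LIFECYCLE_END, key=len, reverse=True):
        if product in caption:
            return product
    return None

def classify(caption, audit_date, horizon_days=365):
    """'eol', 'approaching' (ends within horizon_days), 'supported', or
    'unknown' (not in the table: look it up by hand, never assume it is fine)."""
    product = match_product(caption)
    if product is None:
        return "unknown"
    end = LIFECYCLE_END[product]
    if end <= audit_date:
        return "eol"
    if end <= audit_date + timedelta(days=horizon_days):
        return "approaching"
    return "supported"

def audit_inventory(text, audit_date_iso):
    """Parse 'hostname,caption' lines; return {hostname: status} for the given audit date."""
    audit_date = date.fromisoformat(audit_date_iso)
    results = {}
    for line in text.splitlines():
        if line.strip():
            hostname, caption = line.split(",", 1)
            results[hostname.strip()] = classify(caption.strip(), audit_date)
    return results
```

Anything reported as "unknown" (here the Windows 11 and NAS entries) still needs a manual lifecycle lookup; the script only flags what it can prove.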
2. Unpatched software and firmware
Patching operating systems is a known discipline. What gets missed are the layers above and below: application software (browsers, Office, Adobe products, line-of-business apps) and firmware (network devices, switches, firewalls, storage).
Firmware is particularly underappreciated. A switch running firmware from 2019 may contain known critical vulnerabilities that an attacker on your network can exploit to pivot laterally. Network device firmware updates rarely make it onto standard patch schedules.
Application software is the entry point. Browsers and PDF readers remain the most common vectors for client-side exploitation because they process untrusted content constantly. Out-of-date versions are known targets.
What to find: An automated vulnerability scan (or your RMM platform’s patch reporting) will identify software and firmware versions across your environment. Pay particular attention to network infrastructure — switches, firewalls, and wireless access points are often overlooked.
What to do: Establish a monthly patching cadence for endpoints and servers. For network firmware, add a quarterly review. For third-party applications, enable auto-update where it’s available and safe. For unsupported software (applications whose vendor has dropped support), treat them the same way as EOL operating systems.
3. Abandoned remote access
During the rush to remote work, many organisations stood up VPNs, remote desktop services, and third-party remote access tools quickly — and didn’t always clean them up properly when circumstances changed.
Exposed Remote Desktop Protocol (RDP) is still one of the most scanned-for and exploited attack surfaces on the internet. Misconfigured VPN services are a regular source of credential stuffing and brute-force attacks. And forgotten third-party remote access tools — installed for a contractor, an IT vendor, or a one-off project — can sit running indefinitely, often with credentials that were never rotated.
If it accepts connections from the internet and you’ve forgotten it’s there, an attacker will find it before you do.
What to find: Scan your public IP ranges for exposed services. Check firewall logs for inbound connections on common remote access ports (3389 for RDP, 1194 for OpenVPN, 443 for SSL-VPN). Review installed software for remote access tools that shouldn’t be running. Audit active VPN user accounts against your current staff list.
What to do: Close everything you don’t need. For what remains: put it behind Conditional Access (ideally, require a managed device and MFA), use non-standard ports where practical, and log all access. For legacy VPNs, evaluate whether Microsoft Entra ID’s built-in remote access capabilities can replace them.
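As an added example (not part of the original post), Python that performs two of the checks above over constructed data: it parses inbound firewall log lines for accepted connections on the three ports named, and reconciles a VPN account list against a current staff list. The log line format, IP addresses (documentation ranges) and account names are invented; a real firewall's export will need its own regex.

```python
import re
from collections import defaultdict

# Ports called out in the article, mapped to the service name for the report.
REMOTE_ACCESS_PORTS = {3389: "RDP", 1194: "OpenVPN", 443: "SSL-VPN/HTTPS"}

# Constructed sample of inbound firewall log lines (documentation IP ranges).
SAMPLE_LOG = """\
2024-11-01T02:13:44Z ACCEPT proto=tcp src=203.0.113.45 dst=198.51.100.10 dport=3389
2024-11-01T02:13:51Z ACCEPT proto=tcp src=203.0.113.45 dst=198.51.100.10 dport=3389
2024-11-01T02:14:02Z ACCEPT proto=tcp src=203.0.113.77 dst=198.51.100.10 dport=3389
2024-11-01T03:01:10Z ACCEPT proto=udp src=203.0.113.9 dst=198.51.100.20 dport=1194
2024-11-01T03:05:33Z ACCEPT proto=tcp src=203.0.113.12 dst=198.51.100.30 dport=443
2024-11-01T03:06:00Z DROP proto=tcp src=203.0.113.200 dst=198.51.100.10 dport=3389
2024-11-01T03:07:15Z ACCEPT proto=tcp src=203.0.113.12 dst=198.51.100.30 dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

def exposed_services(log_text):
    """Return {(dst_ip, port, service): set(source IPs)} for ACCEPTed inbound
    connections on the watched ports. DROPs are ignored: the firewall already
    blocked those; an ACCEPT means something inside answered. Note 443 also
    carries ordinary HTTPS, so a hit there is a lead to confirm, not proof of a VPN."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "ACCEPT":
            continue
        port = int(m["dport"])
        if port in REMOTE_ACCESS_PORTS:
            hits[(m["dst"], port, REMOTE_ACCESS_PORTS[port])].add(m["src"])
    return dict(hits)

def orphaned_vpn_accounts(vpn_users, current_staff):
    """VPN accounts with no matching person on the current staff list (case-insensitive)."""
    staff = {s.lower() for s in current_staff}
    return sorted({u.lower() for u in vpn_users} - staff)

if __name__ == "__main__":
    for (dst, port, svc), sources in sorted(exposed_services(SAMPLE_LOG).items()):
        print(f"{dst}:{port} ({svc}) accepted from {len(sources)} distinct source(s)")
    # Constructed lists: the contractor and vendor accounts have nobody behind them.
    print(orphaned_vpn_accounts(["alice", "bob", "contractor1", "vendor-svc"], ["Alice", "Bob"]))
```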
Running the audit
None of this requires specialist tooling to get started. A combination of your existing RMM platform (or a free vulnerability scanner), a firewall config review, and a systematic OS lifecycle check will surface the most critical gaps.
What matters is doing it — and doing it regularly, not once. Legacy debt accumulates between audits.
If you’d like help running this assessment, or want to understand how your environment stacks up against the ACSC Essential Eight, get in touch. We’re happy to do a no-obligation review.