Mike_Pisano File and print is one of the easiest server roles to replace. I would recommend spinning up modern replacements and getting them shipped out ASAP. I've never visited most of the sites where I've shipped pre-configured servers. Usually we can find an onsite person competent enough to physically get the hardware installed, but if not we contract with a local third-party resource to do so. That is not a hard problem to solve.
2003 has been end of life for so long that it's no longer reasonable to hold back security fixes for currently supported systems to placate users that refuse to properly maintain their infrastructure. It's a matter of priorities.
rocifier Priorities are what ensure a business does keep their systems patched and up to date. I've worked with clients that played the "can't afford to spend the money" card with me. This is usually a sit-down meeting to start asking questions and educating the client. How well would you be able to conduct business if you didn't have computers at all? Are they critical to the operation of your business? How would your business fare if your data was stolen and used maliciously?
I could go on for pages here, but the point is that you guide the client to making the decision themselves that keeping their systems up to date (along with security) is one of the highest priorities in their business, and is a basic fundamental cost of doing business like taxes, rent, utilities, etc. It cannot be considered an optional luxury. The modern security landscape does not allow it to be. Bottom line is that businesses can't afford NOT to keep their systems patched and supportable. When you break down the numbers, adding up initial costs along with ongoing maintenance, and present the cost as a Technology cost per employee per day, the numbers are tiny in the grand scheme of your business.
Rolling back to Windows 7 as a workaround seems like it would be a vastly more risky, complicated and expensive process than to replace a few dozen obsolete file and print servers that should have been replaced 10 years ago, which will still need to be replaced anyway. Depending on the number of workstations involved, the cost for the Win7 ESUs could exceed that of new servers. I would never recommend that path for a client.
Back to PrintNightmare - fundamentally the main issue is that the print spooler, like many other system services, runs as the System identity. This legacy design was not great, but common practice 20+ years ago. Modern design would take a critical look at the printing subsystem and come to the conclusion that printing should run in a secure container where in order to break out, you would have to break the container technology. Printing is one of those services that has no need for higher than normal user level privileges. Containerizing it would cut the threat landscape down from Total System Compromise with nearly every little bug to a minor annoyance, as any malware would be unable to easily escalate privileges or spread laterally due to that containerization. The legacy Print Spooler is akin to a boat being repeatedly dashed upon the rocks in a storm; engineers keep patching and bailing but that boat is going down. They can't fix it right without breaking compatibility because it's not just a few software defects that are getting addressed, it's the basic design that is flawed.