I am dissolving my business as a Web Developer, and handing over all continuous work to successors.
For one client for whom I have developed a number of web apps over the years, I set up a Windows 2003 virtual server a few years ago. That server contains the Subversion repositories with all the code for the web apps, and makes frequent nightly backups of all the client's web apps (which are hosted elsewhere).
Only two ports are open on that server: RDP for remote administration, and SVN for checking code in and out. Windows is set to automatically install updates daily. The IP of the server is not publicly known.
The machine has been running without incident for years. It is not critical to operations 24/7 (it serves as an additional backup layer; the web apps are backed up by their hosting companies as well), so in case of it failing, there is time to find emergency assistance without the business halting. But obviously, it contains sensitive data and must be protected.
For a number of reasons, I would like to keep the machine running. It has proven a straightforward solution for all tasks at hand, and is set up nicely. However, nobody has been identified yet who will take care of its maintenance and administration in the long term.
My questions:
Is leaving such a server behind a responsible thing to do at all? (Of course, the client would be informed of the risks.) From a professional sysadmin viewpoint, is the machine reasonably safe with the settings described? I am aware that a security hole in the SVN server could cause trouble, and there is no way to auto-patch that like Windows can. That is my one big worry that can't seem to be solved without manual intervention.
Apart from the potential of an unpatched hole in the SVN server, are there other things that make the idea of having this server run unattended for some time a total no-go?
Does anybody have some other genius idea how to solve this long-term without shutting the machine down or hiring an administrator? Are there any highly trustworthy server management services around that can perform maintenance and emergency tasks?
The ultra short answer (I'm sure someone else will come along and write a small book) is: Hand it off to the client (or primary stakeholder for its functionality) or the consultant that takes care of their network. Make sure all the important systems are well documented and make sure the client has access to that documentation.
Even if nobody is currently taking care of their administration needs, make sure they have the documentation. That documentation is key to keeping the server running and adapting to small changes in the longer run.
tldr: Document, document, document. Documentation to stakeholders