Depending on which study you look at, the percentage of attacks on IT infrastructure perpetrated by insiders is somewhere between 20% and 30%.
As with any sort of research into this area, it’s difficult to get accurate figures when it comes to security breaches because not all breaches are successful, not all are detected, and not all are reported.
The take-away from these figures is more that you shouldn’t assume that all of the baddies are on the outside of the perimeter network. A not-insubstantial number of them are on the internal network, perhaps even in cubicles near yours. Though it’s always been a theory of mine that having to work from a cubicle leads to taking the first steps on the path to the dark side.
Just putting Windows Server 2003 behind a firewall won’t be enough to keep it safe. If you’ve got an OS that’s no longer receiving updates and 1 out of 5 attacks against your infrastructure is coming from inside the network, then those servers are going to get compromised. Servers need to be hardened against attack whether they are on the perimeter network or on the internal network. The best way to harden Windows Server 2003 is to upgrade it to Windows Server 2012 R2.