“Arguably one of today’s biggest risks for network security and compliance are lingering systems that are no longer supported by their vendors. The security flaws in these systems may have been widely known for years, as is the case with Windows NT 4.0. In this article, we’ll examine the risks associated with continuing to run these systems as well as provide some countermeasures that can be used to mitigate these risks.”
Risk Mitigation for Legacy Windows NT 4.0 Systems
About The Author
Follow me on Twitter @thomholwerda
2007-01-03 7:05 pm tspears
I’m almost ashamed to admit it, but I work for a bank and we still have 2 NT servers running major applications…
Coming from a NetWare background I can appreciate legacy support, but jesus christ!
2007-01-03 8:53 pm tomcat
“Coming from a NetWare background I can appreciate legacy support, but jesus christ!”
What does Jesus have to do with it? ;-p
2007-01-04 4:55 pm elektrik
Usually ’cause they’re praying to Him when something goes wrong with their systems =]
2007-01-04 5:15 am dnstest
Not uncommon to find NT4 and/or even OS/2 running in the banking/financial world to this day. At least with OS/2, IBM let a 3rd party keep it up to date for customers who still need it (eComStation). NT4 users are out of luck. Time to move on anyway, 2000 was a much better product and personally my favorite release.
2007-01-04 5:12 pm rcsteiner
And don’t forget that IBM’s formal support for OS/2 Warp 4 was literally just dropped on 31 December 2006. Those who were able and willing to pay for support were able to get it directly from Big Blue until a few days ago.
2007-01-03 7:29 pm rcsteiner
Heh. I’ve seen unsupported applications, OSes, and even compilers in use at major companies. Not always in key areas, but sometimes you’ll find such things in surprising places.
Of course, a compiler which is unsupported by the vendor (but for which you have the source code as well as the in-house expertise to fix) might not really qualify as “unsupported”…
2007-01-04 10:03 am biteydog
Like the man says in the article, sometimes you just need that app that won’t run on something new. OK, we’re a small business, but we still run a W98 box (in an otherwise 100% Linux shop) because there are no drivers for our large-format scanner that work on anything later, and it’s not worth renewing the equipment – a financial, not technical, decision. Scale this up to an expensive piece of software in a large company and you have the same situation.
Of course we don’t let it be connected to the internet, though it can talk to the company server (in a restricted way – no root access) for file transfer. The company server doesn’t talk to the internet either, BTW.
Before I even got to page 2, I knew they were going to sell VMware as the solution. The problem with hardware/software is that some managers do not understand that it is not a piece of furniture that you buy once. What you’re buying is a long-term commitment to spend money over and over and never get what was advertised in the first place. Virtualization is not the solution. Understanding the hardware/software lifecycle is.
2007-01-03 8:57 pm tomcat
Right, and another thing: Running obsolete operating systems under virtualization doesn’t eliminate the underlying problem of security vulnerabilities. It’s still possible for VM’d OSes to experience the same kinds of unauthorized information disclosure, denial of service, etc. So, really, what have you gained? Stability, sure. But not security.
2007-01-04 5:13 pm rcsteiner
…unless the OS running in a VM can be used without enabling its own native networking. That might result in a more secure situation.
With due respect, NT is a dinosaur. Leave it be. We got rid of our final NT systems this past year in favor of 2003/Linux solutions. We had to, after the cost became too much for us.
2007-01-03 9:22 pm frik85
You were speaking of WinNT 3.x or 4. But speaking of WinNT in general, please remember the following:
Win2000 = WinNT 5.0
WinXP (32 bit) = WinNT 5.1
Win2003 and WinXP (64-bit) = WinNT 5.2
WinVista = WinNT 6.0
NT 3 and 4 are unsupported and outdated, but later versions are still around us and more or less up-to-date.
2007-01-03 9:48 pm AmigaRobbo
NT 4 worked well then, and if the truth be told, works now. If it does what you need it to do, and has been doing it stably for so many years, how is it outdated?
2007-01-03 9:58 pm frik85
It becomes outdated because Microsoft don’t support it anymore. That means no security patches, Service Packs nor any other updates.
WinNT 4 has no USB support, no FAT32 support (without adding it yourself), old NTFS FS-driver, limited DirectX 5 & 6 support.
Several newer WinAPI functions are not in place or are insecure.
On the other side, WinNT 4 is not really outdated, most code is still in use in WinNT 6 aka Vista.
Microsoft just tries to convince almost all people to switch to Vista.
Most modern applications still work fine in WinNT 3+.
So using WinNT 3 & 4 on back-end computers is still a good idea, but connected directly to the internet might be a bad solution.
2007-01-03 10:31 pm Zoidberg
That’s true but is any of that stuff needed on a server? DirectX certainly isn’t and I doubt any machines still running NT4 even have USB ports. The only real problem is security. As you said if the machine is isolated from the internet NT is perfectly fine. If they are online though I agree upgrading would be a good idea (although I have to wonder how many NT 3.x exploits are still out in the wild. Security through obscurity?)
2007-01-05 7:25 pm AmigaRobbo
As a matter of interest, why didn’t someone write something to make USB work on NT4 or even Windows 95? After all, if they can get it to work on Amiga OS 3.1, and a big old heap of other pre-USB OSes, Unix for example, why not that?
But I can understand why Microsoft wouldn’t have wanted it to work.
2007-01-05 8:36 pm rcsteiner
Microsoft produced USB drivers for Windows 95 OSR2 and OSR2.1, and Windows 95 OSR2.5 had USB support in the box.
Don’t know about vanilla Windows 95, though. I’ve never seen or used it (my “Win95” boxes were all OSR2).
2007-01-05 11:16 pm AmigaRobbo
Back in the day when we used Windows 95 as a client OS (oh, the nightmares!) we always used a version of 95 with USB support. Never got any of them to work successfully with USB though, ever!
“The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability.”
I’d love to be able to think in that kind of language, and get my mind all warm and fuzzy.
Is it me, or does the layout of that site just completely suck? Wasn’t a bad article, though.
Well, imagine our problem. I work for a big company in our country; as our economy is always a problem, and even though we are a telco, sometimes management doesn’t believe that computers are a kind of process that, every so often, you must invest in again.
We have more than 17 servers, some domain controllers and the others a terminal services platform running an old Citrix version. In Nov-Dec a kind of virus attacked us, and just like Blaster it hit down RPC and also loaded a lot of CMD.exe processes until they (the processes) ate the resources.
Just now, in the middle of Dec and after some AV policies and a host prevention system, the problem disappeared.
Now in January we’re going to buy the servers and the software to migrate the platform.
That’s the way in a country like ours.
Of course for me it’s just experience, and there are times (like this time) when sadly I couldn’t do anything.
Or, at least, made more secure.
Malware writers are not nearly as interested in legacy systems. Not a lot of new stuff being written.
There are well known vulnerabilities. But, because the vulnerabilities are well known, they may be easier to protect against.
As far as being “supported” who cares? XP is supported, how secure is that? I can’t tell you how many XP boxes I’ve seen that are *loaded* with adware and spyware.
Take NT 4.0, put a good firewall on it, good antivirus, and anti-spyware software on it: how much more vulnerable would that be than XP?
Wow, I know businesses often like to stay pretty far behind, but I’ve yet to run into one that goes so far as to run unsupported software. (At least, major businesses.)
Sounds like the “biggest risk for network security and compliance” are stupid people. No big surprise there.
That said, good summary analysis of the actual risks involved in running a legacy/unsupported system. It’d make a good document to show (stupid) management why running unsupported systems is a “Bad Idea” ™.