Home > Windows > No XP SP2 Security Fixes for Win2k No XP SP2 Security Fixes for Win2k Eugenia Loli 2004-12-07 Windows 36 Comments Despite recent calls from customers and analysts, none of the security fixes built into Windows XP SP2 will be back-ported to Windows 2000, still in use by a majority of enterprises. But what about those organizations that can’t afford to upgrade? About The Author Eugenia Loli Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker. Follow me on Twitter @EugeniaLoli 36 Comments 2004-12-07 6:13 am But what about those organizations that can’t afford to upgrade? They’re SOL. Lock down the workstations, suck it up, and improve your access security. I recommend organizations move over to the Vic 20 platform 2004-12-07 6:15 am This sucks… windows 2000 was best widows I’ve ever used… that’s not saying very much. If only I could get my ATI 9800 to work under linux and HL2 2004-12-07 6:18 am what does linux, halflife, and your ATI 9800 have to do with anything? 2004-12-07 6:27 am Expecting backports of these things years after delivery isn’t reasonable for a $200 OS. Nobody does it — not even the OSS guys. (Though, with an open source OS upgrading is much less of an issue; you don’t have to upgrade everything and the important updates are available at little or no cost.) That said, this is a prime example of why a complete security policy should use but not require OS updates, firewalls, or other tools that have been shown to be breakable in the past. If you disagree…well…what can I say to convince you otherwise? I’ve tried here in the past only to be told I was in error. : 2004-12-07 6:35 am Yes OSS software does get security backports, take a look at the 2.0 or 2.2 linux kernels sometime. The 2.0-2.4 kernels are still getting security updates when needed. 2004-12-07 6:38 am <<But what about those organizations that can’t afford to upgrade?>> They made the consensus decision to use MS products. They have the advantage of ease of use, familiarly, and enormous application support but sacrifice security, relaibilty and knowingling enter into vendor lockin. No pity here, its just business. 2004-12-07 7:04 am “But what about those organizations that can’t afford to upgrade?” Well those organizations are probably small enough that a switch over to OSS won’t cost them $$$,$$$,$$$ since they won’t have as much devoted software written in-company, unlike a multinational corporation that sees a Windows Upgrade as costing pennies compared to a coding overhaul of their database software. 2004-12-07 7:49 am what does linux, halflife, and your ATI 9800 have to do with anything? Well you see some think we must always mention Linux in the comments section of any news item. Pax Vitae found a way to put “Linux” in this one But what Pax said is true, and I have never felt most comfortable in an OS as I did with Win2k. Pax you need to Win2kify your XP install. 2004-12-07 8:01 am It seems like people in the corp world are going to have several new desktops in the next couple of years. Since individuals patches don’t go through extensive testing (per the article) and could likely break other applications. Companies will have no choice execpt to upgrade. So it looks like the desktop will go from: 2000 to XP to Longhorn This is not a way to do business. Think about companies that have 100,000 desktops. I used to work for a major telecommunications provider which had over 120,000 employees. Now imangine having to do 2 upgrades in the next 2-3 years. That just doesn’t sound like a pretty picture at all. Glad I don’t work there anymore. 2004-12-07 9:17 am I don’t really see the problem. I thought MS Windows XP SP2 mainly had antivirus and firewall integration and some fixes for MS Internet Explorer. Replacing MS Internet Explorer would make those fixes for it unneeded. Antivirus and firewall also shouldn’t be impossible to use with MS Windows 2000. I’m not using MS Windows myself, so I could be missing something here. 2004-12-07 9:38 am I was about to say the same thing. Apparently nobody else read the article (and the author of the article intentionally used a misleading topic). According to the TEXT of the article (not the headline), Microsoft just won’t be backporting the new firewall and those other “enhancements” into Windows 2000. They will, however, still be supporting the security “fixes” for the OS. To quote the article: “At this point in Windows 2000’s life cycle, [customers want] stability on this product, not new enhancements,” the spokeswoman said, arguing that back-porting major code rewrites would lead to “substantial changes to their existing deployments.” “Microsoft will continue to supply patches. However, you won’t have to install rollups to get Microsoft support or as a prerequisite for new patches,” he said. “This makes maintaining your Windows 2000 machines in a supported configuration much easier once you have applied SP4.” So for Windows 2000 users, nothing has changed – they will still get the security fixes. 2004-12-07 9:58 am If there is enough demand for XP SP2 style fixes, some other company will gladly step up to the plate and sell them. If Microsoft would normally do so by changing their own code, other vendors will find a way to wrap Microsoft code in their own. Or if companies really want to smarten up, they will go with options which allow them to implent their own fixes long after the developers abandoned interest in a particular version of a particular product. It is called open source. And while rewriting some code may sound overkill for Joe Blow and his home PC, it may be practical for a corporation with hundreds or thousands of similarly configured workstations. “Upgrading” (actually replacing) an OS is a non-trivial task after all. 2004-12-07 10:14 am “But what about those organizations that can’t afford to upgrade?” Well those organizations are probably small enough that a switch over to OSS won’t cost them $$$,$$$,$$$ since they won’t have as much devoted software written in-company, unlike a multinational corporation that sees a Windows Upgrade as costing pennies compared to a coding overhaul of their database software. And what make you think large organizations don’t have in house solutions that may not work with, or is not tested with, the next version of windows? It is not only switches to opensource that may force rewrites. If you are unlucky that could happen between windwos versions as well. Switching OS version in a large organization could be a major PITA and the most costly things may not be the licence fee. 2004-12-07 10:18 am Well, I am not sure about your Ati, but you can play HL2 via Transgaming/Cedega now. That is what I take from their latest newsletter I just received via mail (obviously). 2004-12-07 10:38 am If you cant afford vendor lock in, dont be vendor locked in. Its very simple really, either you can afford the software – with support contracts, or you cant. This is where OSS is a good alternative. It doesent leave you when you are no longer a money cow and wont be milked anymore . Most smaller organisations ive been at has a mixed network of Windows 98, XP, DOS (for their custom system, think doctors office). This is sometimes controlled by Novell Netware to make sure it all interacts – this can be easily replaced with Linux, the dos emus for Linux is of sufficient quality to make the DOS apps run. Then you can throw out the Novell Netware server thats collecting dust, and have a homogenous network again. Thats how i fix my upgrade headaches 2004-12-07 10:41 am I still can’t understand why Windows 2000 would need security fixes like those seen in Windows XP Service Pack 2. There is no security issue on Windows 2000 that cannot be worked around and/or locked down, as they were with Windows XP before SP2 was released. Most are IE-related anyway. There are third-party solutions for firewalls and browsers and mail clients. Mozilla Firefox and Mozilla Thunderbird, both reaching 1.0 recently, are some prime candidates. I guess if your company is dependent on IE and Outlook (and never migrating to anything else, even if retraining is minimal), you might want everything you can get, but still I don’t think any of these are requirements. Nice? Maybe. But far from necessary. What I find interesting is how Windows 2000 is priced higher than Windows XP Pro in my neck of the woods. Microsoft wants everyone on XP, and this is another way to push them over. 2004-12-07 11:29 am Exactly. SP2 was not necessary to lock down a computer beforehand, and it isn’t now either. Thankfully some people will always be able to look after themselves. I’m styaing with Win2k until the bitter end. I have it all safely secured and am quite happy with it. I’m one of those people who never felt comfortable in XP. 2004-12-07 12:04 pm Or if companies really want to smarten up, they will go with options which allow them to implent their own fixes long after the developers abandoned interest in a particular version of a particular product. It is called open source. And while rewriting some code may sound overkill for Joe Blow and his home PC, it may be practical for a corporation with hundreds or thousands of similarly configured workstations. “Upgrading” (actually replacing) an OS is a non-trivial task after all. What makes you so sure paying programmers to fix old code is cheaper than upgrading ? Software is _cheap_. *People* are expensive. 2004-12-07 12:05 pm Yes OSS software does get security backports, take a look at the 2.0 or 2.2 linux kernels sometime. The 2.0-2.4 kernels are still getting security updates when needed. And, as noted in the article, Microsoft are similarly going to continue releasing security updates. 2004-12-07 12:12 pm I still can’t understand why Windows 2000 would need security fixes like those seen in Windows XP Service Pack 2. There is no security issue on Windows 2000 that cannot be worked around and/or locked down, as they were with Windows XP before SP2 was released. Most are IE-related anyway. Which problems are you thinking of that can be locked down with Windows 2000 that can’t with XP ? What I find interesting is how Windows 2000 is priced higher than Windows XP Pro in my neck of the woods. Microsoft wants everyone on XP, and this is another way to push them over. Of course they do. It’s a more capable, more featureful, more up to date product with lower support costs for them. 2004-12-07 12:12 pm John: “What I find interesting is how Windows 2000 is priced higher than Windows XP Pro in my neck of the woods. Microsoft wants everyone on XP, and this is another way to push them over.” John, You can buy Windows XP licenses and orden de media for Windows 2000. So Windows XP cost the same as W2K… 2004-12-07 1:47 pm Ok boys and girls, listen very carefully because this gets complicated: 1. Install a Firewall – free ones available from Zonelabs, Sygate, and Kerio 2. Install anti-virus and turn on the auto-update feature 3. Don’t use Internet Explorer unless absolutely necessary Service Pack 2 = The ‘dumbass user’ patch. 2004-12-07 3:18 pm I’m personally never going to switch from 2k to xp. And probably not to longhorn.. Windows 2k has worked better for me than xp… Say what you will, but in my experiences XP isn’t as stable as windows 2k pro. 2004-12-07 4:00 pm What makes you so sure paying programmers to fix old code is cheaper than upgrading ? What do you think is a patch or bugfix? Adding additional (a part of upgrading)features is not the same as fixing old code. Of course they do. It’s a more capable, more featureful, more up to date product with lower support costs for them. What streams more money in the lawn, licences or sold packages? 2004-12-07 4:42 pm By drsmithy (IP: —.nsw.veridas.net) – Posted on 2004-12-07 12:12:28 Which problems are you thinking of that can be locked down with Windows 2000 that can’t with XP ? —- None, which was my point. Maybe my wording could have been better there. 2004-12-07 5:02 pm “I was about to say the same thing. Apparently nobody else read the article (and the author of the article intentionally used a misleading topic). According to the TEXT of the article (not the headline), Microsoft just won’t be backporting the new firewall and those other “enhancements” into Windows 2000. They will, however, still be supporting the security “fixes” for the OS. […]” That’s exactly as they said in their support plans they posted earlier regarding WinNT / 2000 / XP. IIRC they said Windows 2000 will be supported until 2005 (but i’m not sure, i’m sure its at least this) which includes security fixes (thats something different than features). Nothing new here. If anyone has an article about the timeframe regarding support and EOL then i’d like to read that so i get the facts straight. 2004-12-07 5:56 pm This might be interesting: http://arstechnica.com/news.ars/post/20040526-3814.html: In related news, this means Windows 2000 will make it to 2010, the year we make contact. The updated policy will provide customers with a minimum total of 10 years of mainstream and extended support for business and developer products Extended support includes all paid support options, as well as security-related hotfix support which is provided at no charge. Non-security related hotfix support requires a separate Extended Hotfix Support contract to be purchased within 90 days after Mainstream support ends. 2004-12-07 6:06 pm What about all the people out there that have old computers dont patch and most of all cant afford to upgrade. Im talking about your grandma’s and grandpa’s. I cant wait for game developers and drivers to be nativly ported to linux and unix environments. Time for microsoft to take note… Their customers want 1 Security 2 Stabiltity 3 Low profile The only reason I am currently running XP again is because of a flopy falure so I could not set up on the raid. copy didnt work well. Pagefile.sys error. 2004-12-07 6:26 pm There could be more often a better clear reason why one should upgrade.This is between the competing propietaries very well OS independant , to keep this software rat-race going. 2004-12-07 6:36 pm I think and believe the best ways to increase security on a system are: Learning the platform you are working with, in this case – Redmond W2K3, the best one can and with resources one has; and Hardening the host servers using proper configurations and setting reasonable policies; and Enforce proper system logging with user permissions according to need. These acts and those mentioned by others will generally reduce the need to constantly patch or update a server or client constantly. 2004-12-07 8:07 pm Very appreciated. Microsoft will not accept requests for warranty support, design changes, or new features during the Extended support phase. Is an appropriate quote in relation to this article; hence i don’t see anything got changed. So this is not news, they’re just sticking to what they said. 2004-12-07 10:51 pm I don’t see how upgrading is so terrible for Windows users, and why some of you bash XP SP2. It’s one of the best service packs ever for Windows, The updated firewall works as said, I’ve used it as my primary firewall since SP2 came out and it’s stopped pretty much 99% of spyware/malware getting in. Once in a while i’ll get some little tracker cookie, but that’s so rare now, i’ve cut back on my Ad-aware scans since i basically don’t find anything anymore. Upgrading is normal and a good thing. Win2k is a great OS one of the best moves MS has made and a step in the right direction. XP IMO is also the same, with Win2k3 even more so on the server side. SP2 did more then just fix security, it also made XP more stable and none of my apps broke. Even if you hate the way MS upgrades Windows and switch to another OS like Linux, you’ll still be upgrading and lets face it wint any linux distro, and i’ve used quite a few personally, depending on how many packages you decide to install, you’re going to be upgrading them all at some point. and linux upgrades/patches come out faster and more frequent then anything MS does. Just thing of that cool new feature in linux that needs you to upgrade to the newest kernel to work. then enjoy compiring and tell me that’s not like moving from win2k to xp? It’s all similure to an extent. If you think you can stick for Win2k for another 3 or 5 years then that’s great, but once things advance and something fancy catches your eye that you just want to have or use etc, you’ll be upgrading with the rest of us. 2004-12-07 11:40 pm ” Microsoft Screws thir users at every corner. I think this is just hillarious, for those of you crying today because of the news I have one thing to say to you, Congratulations you have just been screwed over. Microsoft doesnt care about its customers or its user base. Thats where Linux will win, we dont need corporate support we provide our own fixes we are a community. Microsoft has no community. This is the perfect example why I refuse to use or develop software for the Windows platform. I hope Windows 2000 Corporate users finally smarten up and drop the dead legacy platform created by a 2 bit company that will be bankrupt in a year ” OK, normally I don’t support MS, but how exactly are they screwing their customers over? They are still providing security patches for win2k, they are just not backporting the SP2 features (firewall and such) to win2k. Get a third party firewall, an antivirus scanner and use firefox, like you have had to for years (minus the firefox part, it hasn’t been around for years). If you took the time to either read the article or other people’s comments you would know this. I also very highly doubt Microsoft will be bankrupt in a year. Next time you go to elementary school (I’m assuming you are a little kid based on the maturity of your post) ask everyone if they have heard of Linux. A great number of them won’t have (unless the school uses it or something) and therefore will only know to buy MS Solutions. ” This is just sub-par. I mean, the LinSux losers think that by bashing Windows users every chance they get, they’re going to convert people to their religion. Well, you know what? Fuck you and the OS you rode in on. Even if Windows were to cease to exist today, I would never switch to Linux just because of little pissants like you, have no absolutely no fucking clue about what you are talking about. Trust me, if Linux met all of our needs, we would have switched a long time ago. But that isn’t the case, and it’s too bad that you can’t get your head of our your ass long enough to figure that out. ” Oh great, seth makes an idiotic comment and all the friggin tards have to come out…. 2004-12-08 1:15 am That Microsoft has decided not to backport some of the security fixes to Windows 2000. They have not updated Media Player for Windows 2000. I still have widespread deployments of Windows 2000 nothing that Kerio and Avast 4 wont cover fior me. Since I use Firefox and Thunderbird I havent had many problems with spyware or viruses. 2004-12-08 4:07 am ” Ok Seth I will put this in simple terms for you…… This is for a ‘Corporation’ not a public school in which you are inrolled in special ed classes there. Another thought, I am from India and I think (I know), you are greedy, fat and lazy. I am living in the United States, but I hope all of the Technology job leave your country and leave you serving slushies in a 7/11 watching Jerry Springer. There will be NO need for Technology sector jobs anymore in the USA. WE are taking them everyday in India leaving your fat, lazy Americans having to take paycuts and work at ‘service jobs’. Seth take a note, please get ready to wear your smock at your new 7/11 job, WE own the Technology Sector now, (India) and you are sub-par at anything. E-mail me if you think this is wrong. ” Why would you say something stupid like this? I very highly doubt everyone is going to work at 7-11 in the States. Not all Americans are fat and lazy (yes, some are, but not all). That’s all I have to say to you you racist waste of life. 2004-12-08 2:58 pm And in related news neither Debian Potato or FreeBSD 4.7 are officially supported now. Of course, though, it’s different when Open Source projects drop support, so you might still want to switch to them because their obviously better than MS. After all backporting fixes from 2004 operating systems to 2000 operating systems is such a trivial task everyone should be doing it.