Risk mitigation for legacy NT 4.0 systems

Arguably one of today's biggest risks for network security and compliance is lingering systems that are no longer supported by their vendors. The security flaws in these systems may have been widely known for years, as is the case with Windows NT 4.0.

Introduced in 1996, Microsoft's Windows NT 4.0 operating system was originally designated for obsolescence on December 31, 2003 but support was extended for an additional year. As of December 31, 2004, Microsoft stopped releasing security patches for Windows NT 4.0. That means that any vulnerability discovered in the platform after that date will NOT be fixed.

At least one denial-of-service vulnerability, MS03-010, is recognized by Microsoft as affecting NT 4.0 and received no hotfix. Microsoft cited the following in this instance: "The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability."
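The practical first step the article's title points at is knowing which hosts are past vendor support and how exposed each one is, so compensating controls (isolation, migration) can be prioritised. The script below is an added example, not part of the article or of any Microsoft tooling: it parses a small constructed inventory, uses the NT 4.0 end-of-support date stated above (December 31, 2004), and rates each unsupported host by the network zone it sits in. The zone labels and severity scale are assumptions made for the example.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates. The NT 4.0 date is the one stated in the article
# (security patches ceased December 31, 2004); add other products as needed.
END_OF_SUPPORT = {
    "windows nt 4.0": date(2004, 12, 31),
}

# Network zones ordered from least to most exposed. These labels are an
# assumption for this example, not something the article defines.
ZONE_EXPOSURE = {"isolated": 0, "corporate": 1, "internet": 2}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "unknown": 3}

# Constructed sample inventory (hostnames are made up, not real systems).
SAMPLE_INVENTORY = """\
hostname,os,network_zone
plc-ctrl-01,Windows NT 4.0,isolated
hr-file-01,Windows NT 4.0,corporate
kiosk-07,Windows NT 4.0,internet
web-01,Windows Server 2003,internet
"""


@dataclass(frozen=True)
class Host:
    hostname: str
    os: str
    zone: str


@dataclass(frozen=True)
class Finding:
    hostname: str
    os: str
    zone: str
    days_unsupported: int
    severity: str
    action: str


def parse_inventory(text: str) -> list[Host]:
    """Read a CSV inventory; reject zones we have no exposure rating for."""
    hosts = []
    for row in csv.DictReader(io.StringIO(text)):
        zone = row["network_zone"].strip().lower()
        if zone not in ZONE_EXPOSURE:
            raise ValueError(f"unknown network zone {zone!r} for {row['hostname']}")
        hosts.append(Host(row["hostname"].strip(), row["os"].strip(), zone))
    return hosts


def assess(hosts: list[Host], today: date) -> list[Finding]:
    """Rate each host: unsupported OS plus exposure decides severity.

    Products with no end-of-support date on file are reported as 'unknown'
    rather than silently skipped, so the gap in the table is visible.
    """
    findings = []
    for h in hosts:
        eos = END_OF_SUPPORT.get(h.os.lower())
        if eos is None:
            findings.append(Finding(h.hostname, h.os, h.zone, 0, "unknown",
                                    "no end-of-support date on file; confirm vendor status"))
            continue
        if today <= eos:
            continue  # still within vendor support
        days = (today - eos).days
        exposure = ZONE_EXPOSURE[h.zone]
        if exposure == 2:
            severity, action = "critical", "remove from internet-facing zone or decommission"
        elif exposure == 1:
            severity, action = "high", "segment into an isolated zone; plan migration"
        else:
            severity, action = "medium", "keep isolated; verify no uncontrolled network path"
        findings.append(Finding(h.hostname, h.os, h.zone, days, severity, action))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.hostname))
    return findings


if __name__ == "__main__":
    # Assessment date is constructed for the example.
    for f in assess(parse_inventory(SAMPLE_INVENTORY), date(2006, 11, 8)):
        print(f"{f.severity:8} {f.hostname:12} {f.os:20} zone={f.zone:9} "
              f"unsupported_for={f.days_unsupported}d  {f.action}")
```

The point of reporting untracked products as "unknown" instead of dropping them is that an inventory check which only knows one end-of-support date would otherwise give a clean bill of health to everything else; the table has to be maintained alongside the inventory.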


News source: Help Net Security


26 Comments


I seem to recall seeing a few articles mentioning that some Linux vendors were dropping support for some versions that weren't even 18 months old or so...

Part of the reason for that I suspect is the fact that Linux vulnerabilities seem to be constantly reported and patched much faster than Microsoft (although Microsoft is starting to realize the public relations value, be it extremely slowly). A Linux install from 18 months ago is so out of date with newer versions that when you do install it and perform an update, you're almost replacing the entire OS and support files. (Not that Microsoft is much better... take a new install of WinXP SP2 from CD, then run Windows Update, and you'll have well over 60+ critical patches and 10+ recommended patches to download. And that's even before you install Microsoft Office, where you can add an additional 10+ patches if you're lucky.)

It's just a fact of life today. Your OS (Linux, OS X or Windows) is so complex and complicated that patches are almost required the moment the OS is released. And you can bet that Microsoft WILL have patches ready for Windows Vista the day it's released, given the two month lead time they put in place with all their beta testers (read those who obtained the RTM copy of Vista).

I'm gonna have to disagree with that.

No matter how many patches exist for XP, the fact remains that MS is still patching it even if it's 5+ years old and will continue to do so for a couple more years still.

Yeah, anyone who installs an 18-month old OS needs to patch it immediately, but that doesn't mean the distributor should be free to [i]drop support entirely[/i].

here's a question for everyone... If the OS works great for you and you never had a problem with it including security wise... then why upgrade something that ain't really broke to you?

Which we have seen a lot... Like the xbox360 updates when their system just bricks out after installing that update..

People never thought that a virus could destroy hardware.
Then they got CIH.
Times are changing. New threats are coming. Systems that were once secure break.

Remember LanMan network passwords in Windows (LM hash)? They were secure. But now they can be cracked in minutes.

“The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability.”

Somehow I have a feeling they never put a lot of effort into trying to fix it, if any. That's really just a polite way of saying "We aren't going to fix this, so you can either upgrade or go jump in a lake".

C_Guy said,
It's called 'Product Support Lifecycle'.

Maybe so, but when there are very critical flaws (Microsoft's f'up) then they should be required to fix them. I can see not having support for newer tech to be added but critical security flaws should be addressed.

It's called 'Product Support Lifecycle'.

The flaw in question is from 2003, which is well before the "product support lifecycle" ended.

You don't expect Ford to replace broken parts on your 1996 Taurus, for free, d'ya?

Why should Microsoft provide free lifetime (your lifetime, not the product lifetime) support?

Unfair? Then just sue them, and walk away with the money, if you could get it.

BTW, MS DOES provide paid support for their legacy products, like NT4. Then again if you have that much money it would be cheaper to just upgrade to 2003, or buy a new system + apps.

True. And there are quite a few instances of systems running out there that are working with older operating systems than Windows NT.

Take the Shuttle, for example. Most of the core systems are running on a modified Windows 95 OS, which has been specially modified for the job. Both the OS and the programs that run are rigorously tested to ensure that nothing will go wrong while the Shuttle is in flight. Besides, the Shuttle's computers are NOT connected to any networks. There is no need for the Shuttle's computers to connect to any network. They are stand-alone, dedicated systems designed to do one thing and one thing only... run the Shuttle. Not to do Excel spreadsheets, nor to surf the web with IE. They have hardened laptops with wireless connections into the communications systems to do that with.

This is where most of the folks here are completely missing the point. Vulnerabilities exist, yes, but only if you can take advantage of them. If you have a production network that is completely isolated from the Internet, then you don't have to worry about the latest threats as they won't reach the machines in question. And that's why companies sometimes won't upgrade their production equipment, as the costs to develop and install new control systems are much more expensive than maintaining a contract with Microsoft to support what is already in place.

So from a business perspective, they could care less that NT4 support is no longer there. As long as it keeps working and does the job which it was modified and designed to do, they'll keep letting it do that job until they absolutely have to upgrade.

This is not worth frontpage material.
There are just a few users who already know what they are doing if they are using old software.

BTW, I still use old versions of software like Acdsee 3.1 (and DOS and Win 3.1 in Virtual PC).

OMG, some hardware gets infected with Windows NT 4.0

Imagine, you just bought a brand new server with nothing on it, hard drive is clean. You leave it for one day, come back, and discover that Windows NT 4.0 installed itself on it. How scary is that ...

We still have hundreds of NT4 workstations scattered around our factory floor. They do the job, they are well within and protected on our internal network, and many of the apps aren't supported (or untested at a minimum) on newer platforms.

You have to remember, not everyone is a home user who can upgrade to the latest and greatest software/hardware. Businesses who have 1000s of systems may still be making the upgrades from 2000, NT, or even the 9x series.

Hopefully no one is still using 3.1 for anything important...

There is nothing wrong with using old software, it still does the job it was designed to do. As long as you aren't on the internet there's no reason at all you can't continue using NT 4.0 or even 3.51. Many banks are still running OS/2 and a video store here in town is running MS-DOS on a 486 desktop. Their rental program was custom written years ago and still works as well as ever, no reason at all to spend money on a new computer and OS that they do not need.

You guys are all 100% correct. However, it is very foolish if someone (or an organization) that uses NT 4 (or older software) complains that new security fixes are not available. If you want to use software that Microsoft will actively release patches for then here's an idea: upgrade. It makes no business or logical sense for Microsoft to continue supporting old software.

Of course, if you are happy using old software then by all means continue to use it. Just don't complain that you don't have the "latest" security patches for a system that's over 10 years old.

Marshalus said,
You have to remember, not everyone is a home user who can upgrade to the latest and greatest software/hardware. Businesses who have 1000s of systems may still be making the upgrades from 2000, NT, or even the 9x series.

Hopefully no one is still using 3.1 for anything important...

Some hospital machines still run 3.1 and even DOS........

peachey said,

Some hospital machines still run 3.1 and even DOS........

And see I knew as soon as I posted that someone would say something like that :P

What I should have said was "Hopefully no one is using 3.1 for anything important that is connected to the Internet."