And now, from the no-duh department...

[zencoder]

Source
Windows NT4 Holdouts Open to Security Hole

Hundreds of thousands of web sites that continue to run the Windows NT4 face a security dilemma, with no public patch available for a vulnerability in a key Windows networking protocol. The critical flaw in the Server Message Block (SMB) protocol could allow remote attackers to seize control of servers.

Microsoft addressed the SMB issue in its February security update. But the monthly Windows patches no longer include fixes for Windows NT4, which is beyond its end-of-life and remains vulnerable to SMB exploits, according to an advisory from eEye Security.

Microsoft retired NT Server 4.0 on Dec. 31, and now only offers custom paid support for the eight-year old OS. But about 1.1 percent of web-facing hostnames continue to run on Windows NT4, according to this month's Web Server Survey. Thousands of those hostnames are on SSL-enabled web sites which may be conducting e-commerce.

The SMB protocol allows Windows computers to share files and printers on a network. A flaw in the way SMB handles incoming data provides an opening for hackers. "An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft says in its advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

"If your organization is unlucky enough to still have Windows NT 4.0 systems ... then you do not have a whole lot of options," wrote eEye's Marc Maiffret, who noted that enabling SMB signing could offer additional protection for some NT4 servers, but might also interfere with existing applications.

Microsoft has been urging Windows server customers to update to Windows Server 2003, citing security as a motivation to migrate fropm NT4. "Windows NT Server 4.0 was developed before the era of sophisticated Internet based attacks. It has reached the point of architectural obsolescence," said Peter Houston, Microsoft's senior director of Windows Serviceability. "It would be irresponsible to convey a false sense of security by extending public support for this server product."

I'm sorry...if you're still running NT4 BY CHOICE you deserve whatever you get. I know, some organizations have restrictions, regulations, or other impositions that force them to continue with NT4. I have sympathy for them, and offer my services readily my rates are decent :wink:

[morganlefay]

I have one site that runs NT 4...on workstations cause...it works fine.

They are not servers..exposed to the internet, or authenticating users or running critical apps.

they are behind 2 firewalls, have av on them and are very task specific.

Until they fail...we see no reason in replacing them. They are working just fine.

As for running publically exposed web sites...or critical apps\databases...I would always choose a supported OS and applications ...where you can get patches, updates regularly...and advanced tech support when needed.

MHO

MLF

[zencoder]

Roger that, and you are correct. Sorry, I should have clarified. "If you are running NT4 in a public or exposed role..."

[morganlefay]

no worries..

Some sites dont have the resources to update hardware\software every year..and depending on the task...do not require a P4, 512MB, ram 256mb nvidia card 120gig harddrive, XP pro...to run a legacy database, process email, print documents...and play solitaire

MLF

[ZT3000]

Not exactly on subject but....

I don't mind working on NT 4.0 as long as it's SP4, but those dinosaur Pentium II/s they are installed on are waaay over retirement age. I find myself straining just waiting for mouse clicks to be responded to and screens to draw. If it don't end soon, I'm gonna get a hernia.

I agree with the other posters. NT 4 is still usable in certain situations and if it's a web facing machine it should be replaced or you deserve what you get.

Lots of companies -need- to replace their hardware/software but won't until their workers scream loud enough for long enough. I see too many of these monthly.

[zencoder]

Well, that was my point "... other impositions ..." If you ain't got the IT budget, then NT4 it is.

That happens more than we care to admit, I know; been there, done that, pawned the t-shirt for a can of brew.

[dinowuff]

Originally posted here by ZT3000


I don't mind working on NT 4.0 as long as it's SP4,

Humm you mean SP 6 Right?

I have a NT 4 Domain whos owner refuses to upgrade. Oh well, users will be users

[ZT3000]

I think SP5 broke some TCP/IP things, and SP6 was problematic with something or other (can't remember back that far anymore)
At least SP4 was stable I remember.

[morganlefay]

SP 6 was problematic...they replaced it with 6a...


SP5 was to fix the issues with SP 4..although SP 4 allowed you to use newer hardware, eg AGP graphics cards.

I have a site that still runs 98

Although I did convince them to replace thier NT 4 WS (used as a server) with a Dell and 2000 OS ....they were having connectivity issues...15 users

Anway after 2 years of telling them that MS is going to discontinue support, 98 wasnt developed for a business environment, you are going to have to update eventually... new apps wont run on this platform, I cant install one license of office on all your machines...may as well start now blah blahblah....they asked for a quote to update 12 machines to XP...wait til I tell them thier one license of office 95 wont do

At least they have the last 5 newer machines properly licensed (through me...although the first couple they ordered were XP Home...and couldnt connect to the domain...I had them sent back. Now they ask me before ordering stuff)...finally

MLF

[RoadClosed]

I too run protected NT servers. But in the overall security model (perimeterless perhaps?) it's getting difficult to keep ignoring the security threats documented via internal audits. Especially when you can pickup the passwords quite easily and new exploits will shine "red" on internal scans audits and effect internal security posture.