WIN2000 Not Patched

[nihil]

It seems that the recent TCP/IP fixes for Windows did not extend to Windows 2000 Server.

http://news.techworld.com/operating-...old-to-update/

Earlier today, Microsoft delivered five critical updates that patched eight vulnerabilities in Windows, including one that the company won't bother fixing in Windows 2000 Server SP4. The operating system's support doesn't end until July 2010; until then, Microsoft was supposed to provide updates.

[PatrickDickey]

So you don't have the Windows 2000 Server on an Internet facing adapter (at least not as your first server in line) and you have your router or gateway block Ports 139 and 445 from the Internet.

Then, you only have to worry about intranet related threats. Although with the ports blocked on the gateway, you shouldn't have an issue with that (unless there's malware created which uses a click to install from a website).

Have a great day
Patrick.

[nihil]

Well, unless it is some old ex-corporate server that someone has "inherited" there shouldn't be much of a problem.

I would imagine that any Win2000 servers that are still around will be there to support legacy applications and probably won't connect to the internet anyway?

[HTRegz]

The number of "in production" W2K servers would probably astound most people. I actually think this is a big issue and one that I find slightly concerning. As for blocking 139/445, since this is in the TCP Stack, that alone won't do very much for you.

What worries me even more is that on initial release of the advisory Windows XP was listed as not being affected in it's "default configuration", it wasn't until a couple of days later that Microsoft finally admitted that XP was affected, and that they weren't releasing a patch for it either.

[gore]

HT has as they say, hit this on the head:

Maybe they don't use Windows 2000 in some places the other members here visit, but even a typical college is still using this stuff (The ones who actually run Windows on Servers to begin with anyway) and a lot of Hospitals here use it too because they didn't like 2003, or 2008.

XP being affected is huge because I know ONE person who actually used it and kept it the whole time on their machine. The rest either use XP (A lot) or, some switched over to something else.

XP has incredibly heavy use still today because XP, and 2000, are not only cheaper (XP Professional here, when brand new had a price tag of 300 dollars, Vista, depending on what you're going for, was in some places a LOT more than this) and a lot of people I know who use Windows hated Vista enough that they were willing to drop it and NOT get new stuff as opposed to using it and have not only drivers, but support.

It doesn't shock me that 2000 Server and XP aren't being patched. How better a way to be sure that users will find out and be forced to "upgrade" to either Vista or 7 when it becomes usable.

Microsoft has to know about the numbers of people still using 2000 Server, and probably just said "That's it, we'll say we'll fix big ones, but really this thing isn't getting fixed" and then they have the option to upgrade, or switch to something else. Either way, they're probably sick of Windows 2000 updates.

Also of interest is the fact that this bug was present almost a decade ago and they just figured it out. If it wasn't, 2000 wouldn't need a patch to begin with. Which was released in 1999 along with Windows ME which we all knew and loved much like we did Vista.