My company is (amongst many other things) responsible for a small network with a few servers and about 50 workstations. They want me to help out the current administrator of that network.
The network consists of Windows NT 4.0 and Windows 2000 Servers, the clients are Windows 2000 and Windows XP. The only reason for all the legacy systems is license costs. The network is NATed and the workstations access internet through a (linux) proxy.
The admin seems not to be worried about the security of the network. His argument goes like this:
Windows NT and Windows 2000 have no known vulnerabilities and it's highly unlikely new ones are discovered because no one will put energy into those old systems anyway. Even if there would be a vulnerability it wouldn't be a problem because the workstations don't have a direct connection to the internet.
Can you give me some solid arguments why upgrades to Windows versions that are still supported by Microsoft are inevitable from a security standpoint?
If you think the admin is right and I am wrong I also would like to hear about that.
Windows NT, Server 2000 and Windows 2000 are now regarded as end of life by Microsoft. This means that if any new security vulnerabilities are discovered for these operating systems, Microsoft will make no effort to create a security patch.
While I agree that yes, it is unlikely that a virus will be specifically developed to target anything less than Windows XP/Server 2003, since they all evolve from the same code, it's certainly possible that a "modern day" virus designed for Windows XP/Vista/7 can also successfully attack Windows NT/2000. Indeed there was a security vulnerability in September 2009 which affected a whole array of operating systems (including Windows 2000) and they all got a patch except Windows 2000.
Aside from vulnerabilities in the core Operating System, you are also lumbered with Internet Explorer 6 at best. Internet Explorer 6 is known to not implement various protection features that later versions of the browser do, and you're more likely to get attacked by a "surf and get owned" type virus. Then you've got browser plugins (Flash Player, Adobe Reader etc) - these might still release updates for Windows 2000 at the moment, but you're walking on thin ice. Sooner or later, they will do what the rest of the world is doing and stop supporting a 10 year old Operating System. Then you'll have vulnerable browser plugins, and believe me - they are the most documented and exploited, because it's such an easy and effective attack vector.
Third party applications will also become a security problem (if they're not already, they will) as vendors stop patching older versions of the software that work only on legacy Operating Systems.
As an example, Office XP was the last version to run on Windows NT and Office 2003 the last version to run on Windows 2000. These products will become end of life soon (if they're not already) - and Office frequently features in the monthly security updates.
Then you've got all your other software. This won't necessarily cause you security problems, but rather maintainability problems. The majority of software stopped being tested against Windows 2000 long ago. This means that if one of your applications breaks, the vendor is quite likely to say to you "Well you're running Windows 2000.... what do you expect?".
As an aside, make sure all your Windows XP workstations are on Service Pack 3, as anything lower than that is not supported by Microsoft, and won't receive security updates.
I can see both sides of the argument tbh.
Go out today and install Windows 2008 and get all the clients onto Windows 7 and you're still faced with a multitude of monthly patches from Microsoft.
Then go install Adobe Flash Player and Adobe Acrobat reader and repeat the entire patch process every month.
Then do the same with Java - you get the point, having the latest versions is always helpful but I'm not convinced that you're automatically worse off solely through the fact you're running NT, it's all to do with layers (Firewall, User Lockdown, Antivirus etc.).
Also there's the rather telling statement "The only reason for all the legacy systems is license costs" - if they can't afford to upgrade regardless of how much sense it would make, what would you have them do?
The only machines that are safe from attacks are those that are shut off. All systems that are powered on, in use and connected to a network in any way will encounter malicious code. If anyone thinks otherwise then they have not been paying any attention to exploit vectors over the past 20 years. Administrators have to acknowledge that there are vulnerabilities and balance the risks they represent with the cost of mitigating them. You may choose to live with a particular set of risks that includes things like Operating Systems that are no longer supported but you should only do so if you understand the risks properly. I don't believe your SysAdmin friend does.
The statement that XP and NT have no known vulnerabilities is complete rubbish. Here are three examples of recently published vulnerabilities that affect all Windows versions, are being actively exploited, and where there will not be any patches released for NT or Windows 2000 to remove the vulnerabilities.
http://isc.sans.edu/diary.html?storyid=8023 (NTVDM vulnerability)
http://isc.sans.edu/diary.html?storyid=8995 (Windows Help\VBScript vulnerability)
http://isc.sans.edu/diary.html?storyid=9445 (.LNK Shortcut Icon handler vulnerability)
As you go back further there are many vulnerabilities where there are patches for W2K and XP but not for Windows NT e.g.
http://www.microsoft.com/technet/security/bulletin/ms08-063.mspx
There are hundreds of these for Windows platforms that are now out of support at this point in time and the list will continue to grow.
That last one is a particularly severe one as it allows an attacker to remotely take control of an affected system (ie any Windows NT machine) if they are on the same network and not separated by a good firewall. Your external firewall will prevent an external attacker using that exploit directly but that does not mean you are safe, just that they need another way to get in first.
Most attacks now involve exploits aimed at first compromising client systems via their web browsers and similar complex applications that are fed data from external sources (E-Mail\Flash\PDF ..). Once a user's machine has been compromised a series of further exploits can then be launched to try to distribute attacks aggressively within a LAN.
An early example of this combined vector approach was the NIMDA worm - that had attack vectors that included direct assaults on web servers (exploiting a file filter in IIS if I recall correctly), it would then inject code into web pages hosted by that server to spread itself to clients connecting to that web server, it also used an older version of the DLL hijack method listed above to spread infections via file shares and it could spread via E-Mail. NIMDA was particularly nasty as it could (and did) spread by infecting files stored on Linux servers - those servers were not directly vulnerable but Windows systems mapped to them were and NIMDA would infect files and directories on those shares too. And that was 9 years ago - the combination of attacks is now much more sophisticated. Firewalls and other network security kit can protect against some of these but only if you are updating your rule sets very diligently and they are not enough on their own.
If you have users on old systems like those you are concerned about that are actively browsing the web\receiving e-mail and so on then they will encounter malware that will be able to take control of their machines. No responsible admin should be happy to ignore the fact that by running these systems they are significantly increasing the risk that malware will get a foothold inside their networks. You may have no choice - but at least understand and honestly acknowledge the risks associated with the decision to keep such things in production.
Hosts are protected from the Internet, but are they protected from the LAN? LAN viruses spread as fast as gunpowder.
If those servers have shared folders or require NetBIOS (ports 135-139 etc) or other services provided by the OS then they're doomed.
Moreover, whatever server software they run, it's very likely that vendor will drop NT support, and they'll get stuck in an old unsupported version (if they care about that).
Nowadays a lot of viruses are spread by email or by users visiting hacked websites. Your proxy would have to be very well configured to prevent these attacks, and you don't specify what mail system you are using. If it is of similar age to the rest of the kit, then you might have a huge hole there.
The 2 major issues with this are:
Windows NT has an extensive list of known and unpatched vulnerabilities, to the extent that when testing corporate networks, if we came across NT servers we knew we could get anything we wanted off them and use them as a platform to gain access to other areas, especially in a mixed NT and 2k environment. It will undermine your patching elsewhere.
The vulnerabilities in NT are actively scanned for - the bad guys know that old kit is often unpatchable so it is worth it. The extra effort to identify NT4 in an initial scan is negligible, so you should expect it to happen.
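Added example, not taken from any answer on this page: a defender-side inventory triage that does what the previous two answers describe from the attacker's side, namely listing hosts on an unsupported Windows version and flagging which of them still expose RPC/NetBIOS/SMB ports to the LAN. The inventory format (hostname;os;service pack;listening ports) and every host in it are constructed for the example; the support end dates are Microsoft's published lifecycle dates.

```python
"""Triage an asset inventory for end-of-life Windows hosts that still expose
LAN services (RPC, NetBIOS, SMB). Inventory lines below are constructed."""
from dataclasses import dataclass, field

# Microsoft extended-support end dates: NT 4.0 ended 2004-12-31,
# Windows 2000 ended 2010-07-13; XP must be on SP3 to stay supported.
EOL = {"NT 4.0": "2004-12-31", "2000": "2010-07-13"}
MIN_XP_SP = 3
LAN_SERVICE_PORTS = {135, 137, 138, 139, 445}  # RPC mapper, NetBIOS, SMB

# Constructed inventory export: hostname;os;service pack;listening ports
INVENTORY = """\
fileserv01;NT 4.0;6;135,139,445
dc01;2000;4;135,137,138,139,445,389
ws-042;XP;2;139,445
ws-043;XP;3;445
proxy01;Linux;-;3128
"""


@dataclass
class Finding:
    host: str
    reasons: list[str] = field(default_factory=list)


def triage(inventory: str) -> list[Finding]:
    """Return one Finding per host that is out of support, noting whether
    it also offers LAN services that worms and lateral movement rely on."""
    findings = []
    for line in inventory.splitlines():
        host, os_name, sp, ports = line.split(";")
        reasons = []
        if os_name in EOL:
            reasons.append(f"{os_name} unsupported since {EOL[os_name]}")
        elif os_name == "XP" and int(sp) < MIN_XP_SP:
            reasons.append(f"XP SP{sp} unsupported; needs SP{MIN_XP_SP}")
        exposed = {int(p) for p in ports.split(",")} & LAN_SERVICE_PORTS
        # An unsupported host with SMB/NetBIOS open is reachable by anything
        # that gets a foothold on the LAN, so record that separately.
        if reasons and exposed:
            reasons.append(f"exposes LAN services on {sorted(exposed)}")
        if reasons:
            findings.append(Finding(host, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f.host, "->", "; ".join(f.reasons))
```

Hosts that come back with the "exposes LAN services" reason are the ones where isolating the segment or closing the share is the short-term mitigation while the upgrade is argued for.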
You want to talk to your admin and point out the mistakes in his thinking :-)
Just unleash Blaster (http://www.mac-net.com/346484.page) into the environment and that should invalidate that statement very quickly.
My first concern is that win2k as a client means they are likely using IE6 as a web browser. That alone is reason to upgrade to a more modern OS.