Slashdot Mirror
Maintaining Windows 2000 for the Long Term?
MarkWatson asks: "I keep two Windows machines: a Windows 2000 laptop (bought with XP, but installed an old Windows 2000 license and Linux) and a desktop with XP (dual boot to Linux). I would like to avoid ever buying a PC with Vista, a situation that looks good because I believe both my Windows systems are reliable, fast, and will service my Windows needs for the long term. My problem is this: I like Windows 2000 better for a few reasons, but mainly because the license is transferable. I would like to still be using Windows 2000 5 years from now in a secure and reliable way (again, just for when I need Windows). Since I am far from a Windows expert, I would like to know your strategy for archiving Microsoft's latest Windows 2000 updates, and generally dealing with security issues. My strategy is to set my firewall up to run in stealth mode and not use Windows for general web browsing. Any suggestions will be appreciated!" How would you keep an old Windows OS (like Win98, and WinXP in another year or two) running long after official support for it has ended?
Prayer?
What if the entire Universe were a chrooted environment with everything symlinked from the host?
MS does discontinue support but the updates and whatnot are still available after they discontinue support. They just stop putting up new updates. You can "update" a fresh 98 install up to the point where they discontinues support and this seems to be what you are worried about.
Eventually, new patches will stop coming out for it. Sure, some people will hack up XP patches, where they can, but eventually they'll stop coming.
So, what can you do? Make sure that you're running what patches do exist, make sure you never ever expose it live to the Internet, make sure that all of your apps are patched, make sure that you're running fully up-to-date antivirus. Don't install any software which is at all questionable, don't visit any questionable websites. Turn off what you can; if you don't use WSH, turn it off. Turn off autoassociations for it, at least. Turn off as much of ActiveX as you can, javascript and so on. There are lots of guides to hardening Win2000/IIS and so on, and most of the reccomendations here are ones that you should be following anyway.
If you wait long enough, of course, people will be targeting Vista rather than Win2000/XP, and you won't have to worry about it; kind of like how Win98 is actually a fairly safe operating system to be running these days.
Oh, and scan it with an up-to-date BartPE disc every once in a while, just to be sure. Make sure you grab the module for Spybot from the Spybot website.
Vintage computer games and RPG books available. Email me if you're interested.
So ok, its not a perfect solution and might not fit as you didn't specify what you windows needs are, but what about running Win2k virtualized inside a vmware world? Both my laptop and desktop run Ubuntu only these days, but I do have an XP virtual machine on the desktop to "boot up" should I need something which requires Windows. I don't really find much of a reason to do that these days though.
...
If you do need to keep Windows natively on the hardware, I would advise setting up a hardware firewall between the machine and the internet, and browse securely with an up to date browswer (Firefox or Opera). Disable MS Filesharing if you don't use it.
Over the long term, you might want to consider why you're keeping Windows and find an alternative (Linux/OS X, whatever). I can't imagine that anything after Vista is going to be any better and well, you will have to upgrade your machines someday
Win2k - Offline Updates: http://www.heise-security.co.uk/articles/80682 . From a post here on Slashdot a while ago, it's a pretty slick tool. Just keep running it until they stop making updates for Win2k, then burn it to multiple high-quality archival CD's for safety :D A firewall (or even consumer router) never hurts, unless it's the Norton firewall.
;D )
Win98 - I'll agree with another poster, virtualize it. VMWare Player is your friend. (and why is Win98 your friend too? I suppose it's not WinME
I recognize people by their sigs. Is that a bad thing?
My concern would be that some sort of hardware failure will necessitate a software upgrade at some point in the next 5 years, especially with a laptop. I know you mentioned liking that the Win2k license is transferable so you could transfer it to new hardware, but good luck finding drivers for your new touch pad, or even display device that still support an EOL'd operating system.
I guess to answer your question as to how to keep Windows 2000 running for the next 5 years? Very carefully.
Check out the cave on the east side of lake Hylia. Strange and wonderful things live in it.
Others have already made good suggestions for the short-term, such as minimizing exposure, installing all patches, using non-IE browsers when necessary, etc.
If it's at all possible, block all traffic, incoming and outgoing, except what you need. If it's possible, only allow certain processes, such as firefox, to access the Internet at all.
Also, make a full-image backup plus frequent additional backups so you can restore your system if it gets compromised.
The long-haul solution is to go virtual. Get a lightweight Linux with your favorite VM and install Win2K on it. Back up the image frequently. This way if your laptop dies you can replace it and not worry about driver issues. Heck, you can even do all "Internet" traffic on the Linux side and restrict the Windows network to a private-virtual-lan with the host system. Even then, block all traffic except what you really need, such as for file transfer and for printing.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Windows 2k retired from mainstream support on 6/30/2005. It is currently under extended support until 7/13/2010.
So for the next 3 1/2 years you will continue to receive security and critical patches, and you will be able to pay for support if you need it. So there's nothing to panic about yet.
After 2010 though, if MS doesn't extended support, you may want to look in a new direction. Possibly an emulator for Linux to run what ever 2k app you need, or a replacement for those apps you are using. Worst case scenario, (2k support ends and numerous viruses are released for it) you can still run it, you just have to take into consideration the extra security concerns.
Here is the page for MS's support life cycle info: http://support.microsoft.com/gp/lifeselectindex
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
I have lots of customers who had this same concern about Windows NT. Virtually everybody had that beige box in the dark corner of the datacenter with a sign on top saying "don't touch" running some critical app in Windows NT, where registry modifications and tweaks go back years and couldn't be replicated. Newer hardware wouldn't support NT so they kept it running.
The ideal solution is a VM. At least if you use VMware ESX, the virtual hardware exposed by the VMM (virtual machine monitor) is always constant regardless of the physical hardware, and the virtual I/O devices are rather old, so any old OS would support it. In fact, in most cases this solution runs faster than the old beige box regardless of the virtualization tax due to the speed of the new processors.
You can keep a system running for years and years with this method, even backup the full VM as a file.
Disclaimer: I work for VMware, but I see this all the time with actual customers.
When my daughter wanted a system for college, I convinced her to get an iBook. "But that won't run Office!" she protested.
"Yes, it will," I answered, and purchased Office 2004 for her.
"But how about these other things I use all the time?"
I threw her a bonus: I configured a nice Kubuntu Linux system with all the apps that a student would need, including OpenOffice.org, Gimp, Evolution, Firefox, etc.
Then I threw her a second bonus: On the Kubuntu system, I installed VMWare, and installed Windows 2000 to run on it. Win2000 doesn't use as many resources as XP, but apps written for XP run fine on it. In addition, as the OP mentions, the license can transfer.
What about viruses? Well, I did not configure the virtual network interface for W2000. Anything she needs to run on Win2000 has to be downloaded first onto Kubuntu, and then through a shared drive, installed onto the Win2000 process. Viruses just have no vector to get into Win2000, except from trojans.
Now, this isn't the perfect situation, and there are some apps that just won't work for her (Internet Exploiter, her previously-favorite IM client, etc.). However, for those things that she just HAS to run on Windows for her schoolwork, she can run the programs at nearly full speed with just a little hassle. Over the last few months, she figured out how to streamline the process of getting files to/from Win2000, but she also figured out how to make do with the OS X applications, and to a lesser extent, the Kubuntu native applications as well. Since Firefox and a lot of the applications she runs on Kubuntu also run on the iBook, she has an easier time with Kubuntu coming back from the iBook.
Windows 2000 is now a distant third for her, and she is considering "retiring" that system after the next semester if she can get through the next semester without needing Win2000. (Probably won't happen, but back in September, that wasn't even being considered!)
She's happy, and if she just HAS to run something on Windows, she has the ability to do so.
She managed a 3.9 GPA this semester, so this setup didn't hurt her.
"May I have ten thousand marbles, please?"
Windows 2000 does not support drives > 137 GB. I just reinstalled Win 2000 on an (older) box with a 200 GB drive. It reported the drive size as 137 GB. The C partition (20GB) was fine, but the D partition (180 GB) was inaccessible. It suggested I run diagnostics. Fortunately I did NOT do this. Instead I installed Service Pack 4 and then did further upgrades on-line. It first required me to manually upgrade to IE6, and then install the MS BITS update package followed by 50-60 patches. Several reboots were required. After that partition D was fine. I did a quick Google and learned that running a file system check before the SP4 install would have completely corrupted the partition. So, maintaining Win 2K systems is already somewhat painful. As MS removes support, it will become more so.
[Insert pithy quote here]
As someone pointed out, the old updates and patches for Win98 and Win2K will still be available for a long time on WindowsUpdate. They just won't be releasing new ones. I have had to do re-installs for myself and friends several times, and I know can get owned before it finishes downloading the updates. So here is a pretty basic sequence to safely install and update. Preferrably this would all be done behind at least a basic consumer router, though.
Preferred software to have first--1. Your Windows install CDs 2. I have a utilities CD-R for new installs that has a bunch of stuff on it (Zone Alarm, Firefox, Thunderbird, Flash, Quicktime), but the two you really need are Zone Alarm and Firefox. Zone Alarm will control incoming and outgoing connections. 3. If the system is XP, hopefully have the Service Pack 2 on CD-R since it's a huge beast to download through WindowsUpdate.
Steps with the computer unhooked from the net:
Wipe the hard drive and do the basic Windows install.
Install Zone Alarm, Firefox.
Configure IE--it actually has a cool feature that I haven't seen in other browsers, where you can set the overall security settings, but list particular domains as exceptions. I turn up the overall settings to high/paranoid, and then list *.microsoft.com as lower security so it can run the WindowsUpdate ActiveX control.
Then plug into the router/internet.
Start into the repetitive patch and reboot sequence of WindowsUpdate. Zone Alarm will ask for permission whenever IE tries to access it, so you can just click "Allow" each time it asks, without setting it to permanently have permission.
You're fairly safe from that point, using Firefox for your browsing and keeping good control with Zone Alarm of which programs you want to have net access and when you want them to. You can continue pretty safely this way for many years, or as long as your hardware holds up. About the only danger vector is if you use a separate email client. Email attachments get downloaded, and you have the responsibility to be careful of what you accept and/or virus scan them. I just use Yahoo Mail, so everything gets virus scanned before it gets to my computer. I think most other web mail sites do that too.
We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
There were a bunch of security patches released after the Rollup, so you need to install those as well. IE 5 isn't supported anymore, either, so you might want to upgrade to IE 6 for those few sites that don't work right with Firefox.
It supports larger drives just fine; I have a 750GB drive happily running on my Windows 2000 box. To fully use a hard drives that's >137GB, Windows 2000 requires service pack 3 or later and a registry hack. You didn't need the IE and other extra patches just to be able to use the other partition.
Windows XP requires service pack 1 and a registry hack. It's possible for OEMs to upgrade the copy of XP they ship to have this feature by default.
For people who just have to format the entire hard drive as one big partition, then this limitation in Windows 2000 can be annoying. Those of us who prefer to keep the OS drive on the small side, separating out data files onto a separate partition, are barely effected by it. I'm already going to install SP4 on any new Windows 2000 system anyway, so I just need to remember which registry key to tickle after that's done and this problem goes away.
It still has to be configured. Most of the security software you need for Linux comes with the distribution, but it still has to be configured if you want it to do any good. My point is that Linux needs work to make it secure, just like Windows does. The difference is that with Linux the software is there and needs to be configured, while with Windows the software needs to be downloaded and configured.
Heise Security released an script called Offline Updater.
.iso for each OS and/or it can also create an all-inclusive DVD .iso for all of the above versions. You then burn the .isos you created and the installation is entirely automated (some reboots required but automatically continues with the install).
/ ctupdate302.zip i st=1&forum_id=108277
This script will allow you to create all-inclusive, fully-automated update cds for the English and German versions of Windows 2000, Windows XP, and Windows 2003. The script will create a CD
Here is an short and sweet write-up on this - http://www.heise-security.co.uk/articles/80682/3
Here is where you download the file (.zip) - http://www.heise.de/ct/ftp/projekte/offlineupdate
Here is Heise Security's Forum on the script - http://www.heise-security.co.uk/forums/go.shtml?l
$diff terrorists hippies
$
$rm -rf *terrorists *hippies
What's your public IP?
"Flyin' in just a sweet place,
Never been known to fail..."
I suspect that after Win2k is EOL'd, there wouldn't be many people using it anyway. Heck, I'd be surprised if there was much support for the hardware of 2010 in Win2k; it's already a pain to get currently new hardware working properly.
As a result of not many people using it (most of the poeple using Win2k will have upgraded/bought another computer by then - 8 or so years seems a bit long for your average home internet user to stick with an OS), there'd not be many people writing malicious stuff for it, simply put. Look at all the legacy OSes out there which people still use and don't have a proliferation of viruses or worms.
On the other hand, it may be MS who writes a malicious virus for Win2k when it's EOL'd - if there are still a significant number of people using Win2k, to attempt and force their hand.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Why bother? Yeah, so the license is transferable. Yeah, so 2000 has lower system requirements.
Do you really think your laptop will still be working in 5 to 10 years? Do you remember what we had 5-10 years ago?
5 years ago, my system was top of the line. 500 MHz. 192 meg of ram, an insane amount for the time.
10 years ago, had a pentium 90 MHz, with a whole 16 meg of ram, running the newest Windows 95 operating system.
Really, do you think you are going to keep your laptop that long?
So your license is transferable. Chances are, unless you are buying laptops from eBay or third party refurbished stuff, your laptop will come with a license for xp or vista. Why bother with your unpatched 2000 that has a transferable license?
What is up with all these people who say that they will never consider using XP or Vista? I think too many people are thinking of XP back when it was first released. Yes, there were all kinds of issues with it. It was a major rewrite of Windows - in a good way. Software vendors had to write better code, new drivers had to be made, and microsoft released some service packs..... and the result is that 5 years later, xp is not a half bad operating system. Yes, the OS is unforgiving to the ignorant, but patch your OS, run Spybot and the TeaTimer (the beta fixes the graphical glitches), and you ALREADY HAVE AN XP LICENSE ON THIS MACHINE!
Vista, in my testing enviornments, is proving to be a pretty freakin awsome operating systems. I would still say wait before upgrading for at least a few months, to let some of the security patches come out, but if you are going to buy a laptop with vista preinstalled, leave it on there. I mean, why purposely cripple yourself with an unsupported OS?
I have seen a few people complain how there are no longer updates for 98. The operating system is freakin 9 years old, 2000 is eight years old. Shoot, you would not have been trying to run Dos 3.3 on an computer in 1995 or 1997 and be complaining that you do not get new features and stuff like that would you? You would be laughed at.
Its 2007, dude! Windows 2000 came out at the end of 1999. Five years from now this operating system will be 13 years old!
If you are going to run a Microsoft OS, just run the one that comes bundled with your new computer. Shoot, Apple feakin releases a new version of their Operating System practically every year. Thank God that Microsoft's life expectancy for an OS seems to be hovering around the 6 year mark.
Even Linux distros stop supporting their old distros after a while. I am too lazy to look for this, but there was an article on Slashdot a couple of days ago that Fedora was going to stop updates for its early versions.
Its not like I am telling you to upgrade - the new OSes are already installed on your system, you have a freakin license. Why are you creating all this trouble DOWNGRADING your operating system, limiting your functionality, limiting your access to software, and limiting yourself from getting updates? You like 2000? Fine. Right click on your start bar in XP / Vista, goto properties, choose the custom start bar. Right click on your desktop, go to wallpaper, and turn off the windows bliss wallpaper. Then go to the Appearance tab and change the button layout and style from XP or Vista to Windows Classic. Whalla, you now have an operating system that looks like the Windows you know and love, but will recieve security patches. Your recycle bin just may be a different icon.
I am going to end this with stating what I have said over and over again in this reply - stop crippling yourself. Microsoft, in this case, did not screw you over by making you buy an upgrade, and its not like you are running some legacy hardware that will not run the new OSes. You already have them, you have the licensces, they came preinstalled on your machine, you were in no way inconvienineced by XP being preloaded on your system as that you do use Windows. YOU are the one who uninstalled it, YOU are the one who created thes