IT Dept says Windows NT must go...

Turczinator

Had a discussion with our IT department at work today when I was informed that all PCs running WinNT in my test lab must be upgraded to Windows XP. They stated that after the first of the year Microsoft will no longer be supporting this OS (WinNT) with patches/hotfixes and leaving the PCs with WinNT will cause security issues on their network. These PCs have been running flawlessly with WinNT for the past three years and have the most current service pack installed. The IT department is informing me that leaving WinNT machines on their network will pose a security risk from possible viruses and attacks. Virus scan software is already installed on these machines and they are not used to surf the net or e-mail; these machines control my servo hydraulic test machines and are dedicated to that single task and no others. My standpoint is if it ain't broke don't fix it and the whole security issue is a load of BS. The IT department was illustrating the most recent viruses as one reason for the upgrade, but I seem to remember these viruses were tailored to Win XP(/2K) and that the virus software stops those attacks. IT has stated that if my PCs were to stay at WinNT then they would no longer allow them to be connected to their network because of a security risk they would pose. But, how could leaving these PCs with WinNT on the network cause a security risk? Have there been that many patches and hotfixes for WinNT since SP6a and what kind of vulnerabilities would be left open if these PCs were left with WinNT and on the network? I bring this up because the control software does not run under WinXP (even in emulation) and migrating to a new OS would cause too many problems. The makers of the software do support Win2K (not WinXP) which I have conceded to, but would leaving the PCs at WinNT really cause that much of a security risk?
I need to have some good arguments against this upgrade if it is not required, because I have other machines that have software that will not operate under Win2k or WinXP and there is not a likelihood of any software upgrade to provide support beyond WinNT.

My only arguments are: Virus software is already installed and WinNT is not a security risk, because Win2K/XP are built off of NT and if they are not risk, then NT should not be a risk. But I need a good argument why it is not a security risk to the network. I think IT is wrong, ...or am I?
 

Barnaby W. Füi

I agree with them 100%.

WinNT is not a security risk, because Win2K/XP are built off of NT and if they are not risk, then NT should not be a risk.

Except that NT is no longer going to be supported. 2k and XP are safe because MS still supports them and supplies patches when problems come up. When a problem comes up for that NT box after NT is EOLed, then you're screwed.
 

AmphibSailor

:disgust: Same thing I'm going thru...however all of ours will be upgraded to 2000. XP has not been evaluated and probably won't until eol for 2000. Such is life...when working for the federal government...


AmphibSailor
 

AnonymouseUser

Have you considered running an NT virtual machine on XP? It may be expensive but it would allow you to run that NT-only software.
 

drag

First off, virus software is mostly worthless when it comes to real security. It's only known threats that it works against and then only a certain type. (viruses, worms, some trojans etc)

NT with nobody bothering to fix it over time will expose the network to serious issues when it comes to security...

That being said:

JUST take the damn things off of the network!!! If you want NT so bad then just stick a hub and link them all together on a local lan and do not allow any outside physical connections onto your NT lan.

They can't pose a menace to the rest of the network when they are not physically connected to the network in any way. If you need big files transferred to and fro from them, use a MO disk and promise to scan the disk every time you transfer the files from the NT stations.

Of course while this is going on, you have to realize that these computers are not going to last forever. They are about to the end that you can depend on them. They may last another 3 years, maybe 1 year, maybe they start popping off after a month one by one. The software may last for ever, but hardware doesn't and NT is only going to work on a very limited range of computers.

So maybe start finding a programmer or program that can provide you with the functionality that you need. By the time you NEED to switch, you'll be ready. Like the Boy Scouts say: "Always be prepared"

(of course in my biased nature (I am a Linux fan) any program developed to be used on a Unix workstation that long ago can easily be ported to run on Linux or any other newer Unix machine, so this wouldn't have been an issue. But if you like Windows, by all means stick with MS.)
 

AndyHui

The software may last for ever, but hardware doesn't and NT is only going to work on a very limited range of computers
This is precisely why we are in the middle of transitioning from Windows NT to Windows 2000. WinNT just doesn't like the newest hardware that we have coming in.

USB support anyone?
 

Epsil0n00

I hate to tell you this Turczinator, but I agree with your IT department. I work in IT as well and we are currently in the process of "eradicating" NT (as I like to put it). Having old, unsupported and possibly unpatched OSes and hardware in your organization can be very problematic and a very serious security risk. I think the idea of running a disconnected LAN is the most plausible... but be prepared to promise that you will never ask your IT department to support those machines ever again. They will likely tell you that since you wanted to stick with NT, that you are on your own.

just my $.02...
good luck
epsil0n
 

mikeford

IT isn't supposed to be smart, and they live up to it.

No point in fighting it, if MS tells them to jump off a cliff, by Monday that's the new gospel.
 

Barnaby W. Füi

Originally posted by: mikeford
IT isn't supposed to be smart, and they live up to it.

No point in fighting it, if MS tells them to jump off a cliff, by Monday that's the new gospel.

Agreed that IT people aren't usually the greatest minds around, but I think it's pretty obvious that they are right about this one.
 

Sunner

Originally posted by: BingBongWongFooey
Originally posted by: mikeford
IT isn't supposed to be smart, and they live up to it.

No point in fighting it, if MS tells them to jump off a cliff, by Monday that's the new gospel.

Agreed that IT people aren't usually the greatest minds around, but I think it's pretty obvious that they are right about this one.

Yep.

I work in an IT dept as well, and I definitely agree.
Upgrading old servers that just stand around and "just work" is another matter, but for workstations it's a no-brainer.
 

Unforgiven

as much as i love nt and completely hear your argument, they have a valid point. i mean let's take that blaster worm that came out a few months ago as an example. say someone codes the same kind of thing or something more specific for ANY os running on an nt kernel and nt isn't supported? that my friend = you out of a job and all your data compromised. i mean you really don't have many choices. although i don't think upgrading to windows xp is the best thing to do, i think that an upgrade to at least 2k would suffice. i mean i am working for a company that is in the same boat in that we have 7 servers, 6 of which are running nt server and we are gonna be forced to upgrade even though they have had the same install for over 3-5 years now. not much you can do bro, sorry. it's just from a logistics standpoint you don't have a strong enough argument to win a battle with an IT individual based on pure opinion :(
 

Ramses

I'd just take them off the network and tell IT to take a flying leap.

I love NT..

 

InlineFive

Originally posted by: AmphibSailor
:disgust: Same thing I'm going thru...however all of ours will be upgraded to 2000. XP has not been evaluated and probably won't until eol for 2000. Such is life...when working for the federal government...


AmphibSailor

Ouch, I feel sorry for you. We use the government program for direct deposits at work and it's ancient. I think it's Win95-era based with an awful G.U.I. and we are supposed to get it to work properly with WinXP. :disgust:
 

dnuggett

There are your pure NT fans and your XP fans. Personally I prefer XP, and agree completely with your IT department. NT will no longer be supported, and why would you expend time, $ and compromise data when a problem pops up (and it will) just so you can have your NT? Go with the times, get XP and I think in time you will prefer the OS over NT.
 

NogginBoink

Nobody is "right" or "wrong" here.

The IT guys are correct that MS will stop support for NT4 in the near future, and that means no more security fixes.

However, a blind "all NT4 machines must go" policy is as blind as not caring about the supportability.

Reason needs to win out here; both sides are taking black-and-white approaches to a situation that's neither black nor white.
 

StraightPipe

your IT dept is completely valid for wanting you stricken from their network once your software antiquates.

i would recommend asking if they would allow you to do a dual boot. one HD will boot to NT and have no internet connection setup, and the other HD for XP (allowing use of the net : )

you can even do it with one HD, but you'll have to format it, and then partition the drive. Ideally you just add another HD, load NT, and connect to internet. then remove your internet connection from the NT boot.

since you will still be able to run NT while on the net they should be happy with that.

Hope this helps.
 

KF

The arguments the experts presented here are very thin, practically nonexistent. So here is something from a novice.

There is nothing about any OS that will prevent a virus that is simply a program that has a malicious intent, if it is run intentionally, or by a person being tricked into running it. If you can erase and alter files, so can a program you run, and so can a virus. If that program is malicious, it can do whatever harm you can do. Now suppose there are things which you are not allowed to do. A virus can possibly do more than you would be allowed to, by tricking the OS. Patches that prevent these tricks would then increase security. Once MS quits making patches, any new tricks found can no longer be prevented. OTOH, it could be that NT, being so obsolete and comparatively little used, is less likely to have screwballs designing viruses for it than XP is, and is therefore more secure than XP. And having been around longer, the holes have already been plugged.

Programs like Blaster come in over the network, and work by tricking the OS (Windows XP) into running them. In order to do harm, the little program needs to be able to do things it should not be allowed to do. MS makes patches to circumvent the trickery that gets in, and/or keeps it from being allowed to do much. Since you are not hooked to the Internet, Blaster would have to come over the network to you. That means the other side of the network is a danger to you, and you are no danger to them. You would have to get Blaster on your computer before they did somehow, but how would that happen?

In short, the danger is mostly to you from the network, and not from you to them, or so it appears to me. As long as they keep their computers safe, you are protected. No one has explained how these viruses and worms are going to get on your computer without getting on the others first. Maybe there could be a saboteur. IAC, if patches for XP are supposed to be a protection, and they use XP, then they are protected from you. It is you who are in danger from them.

But it hardly matters. If there is a security problem down the line, the IT people have their butts covered if you convert to XP, and not if you don't. That is all you need to know. Hopefully they are firewalled against hell, because XP is the most dangerous OS that ever existed to have on your computer.

Let the flames begin.
 

Venomous

If you even have to ask this question, I'm amazed you have a job.

Win2k - XP = No Brainer.

Win95, i mean NT 4.0 is DEAD... move along.
 

Turczinator

1) 80% of my current software will not run under XP and no planned porting of the software to operate under XP is planned by the developers. Zero, zip, nada... Tested and verified, even with my IT Department and virtual does not work.
2) My PCs perform a single purpose task, have no Office applications (no e-mail) and Internet Explorer is disabled (policies to run only approved applications)
3) Virus protection in place.
4) If NT has been running flawlessly for the past three years, why on 1 Jan 2004 do they become a security risk? Thin excuse for no longer being supported, they have never been a risk in the past. NT has not had major service packs since 2K hit the streets.
5) The machines must be tied to the network so information can be retrieved.

I see only three avenues for security issues on a PC regardless of the OS installed. (Yes there may be a couple more)
1 - User
2 - Internet
3 - External hacks

For 1 and 2 I have policies in place that lock the user down to approved applications to run and virus software that my IT department continues to update so security issues coming from my PC with WinNT is the same for any other OS connected to the network.
For item 3, if that happens then it's my IT Department's fault that they would allow an external hack past their firewalls and not the fault of an OS on a workstation.

How is an unsupported OS a security risk? It's not had a major update since 1999! Sorry but unsupported is not a reason. I'm not bashing an upgrade to XP, if my software worked I'd do it in a heartbeat. It's just that the excuse given seems thin. Sorry but IT wants change for change sake and that's not the way to go. NT is not dead and the latest and greatest OS is not always the best OS for the job.
 

VTEC01EX

Security is a two-part solution - hardware and software. Having the hardware out there is a necessary step - properly configured firewalls. However, if something gets into the network in the form of, say, your secretary opening an e-mail containing a trojan horse... that's obviously not going to get stopped at the wall. Now we've got her machine compromised, and looking anywhere it can to replicate. IT pushes down the patch to all affected workstations once they realize what's happened, solving the problem... well, except for all of the machines in your lab that are still spewing garbage traffic all over the network because they cannot be fixed. I agree with you COMPLETELY - I've got my dad using an NT4 box for certain tasks around his office, but the difference here is that the machine is only networked to one other machine, not to the rest of the network, and definitely not the internet. You need to find a way to acquire the data on your own network. One you build yourself. Something IT can't control. If need be, build a private lan with all of the NT machines on it, and get a standalone machine to acquire data from them. Then kick it to removable media and do whatever you like with it.

EDIT: I almost forgot... speaking from experience, IT staff never does work just to do work... we slack off as long as humanly possible. Blame the higher-ups.
 

mikeford

So what was the last big security problem with NT, same question for XP?

Yeah real smart move.

Reminds me of Y2K when IT decided to get rid of all macs and standardize on the PC. Get rid of the OS with absolutely no Y2K issues or action required. Doesn't make sense until you realize that without bugs and support issues we wouldn't need much of an IT dept.
 

drag

For those of you that operate under the misconception that since NT is old that it is a well proven and "fixed" OS with very little vulnerabilities.

Look thru this database. Select the vendor "Microsoft" and the title "Windows NT Server"

One example that has been found of late is the infamous DCOM vulnerability that MS has had to patch several times lately in order to try to fix. Since NT 4.0 Server still has official support they have supplied a patch to fix it. However since support was dropped for NT workstation they never released a patch for that. You can try to use the patch for server, but if that doesn't work (since it's not designed for that OS there seems little reason to assume that it does.) then your OS will still be easily hacked.

A worm has been created for this, of course, we all know that and that would be relatively easy to stop.

However a hacker could use this to gain direct control over your OS. This is very serious. Anybody with the skill needed on any operating system of this network could possibly take these machines over.

Doubtless several more serious security flaws will be found in the coming years and because MS stops supplying patches for it, doesn't mean that you will be safe using it.

As an IT person (I am not, but if I was) it would be part of my responsibility to try and protect the network thru sound security policies. Since security is like a chain in that it is only strong as its weakest link, it would be negligent to allow NT machines on the network after MS's support for them is dropped.

Of course I wouldn't care if they were completely isolated....
 

redbeard1

You cannot use logic on those who are so sure of their illogic. Everything you have used in your explanations would seem to be reasonable. In their blind rush, have they offered any help for your problem, such as a budget and the labor to convert them to 2000?

I had to do some work for a company that had a virus get past their security. The only systems that weren't affected were the NT4 and win98 computers. An odd end result? Probably. But it goes to show that the newest isn't the best, all of the time.