Microsoft's statement last week that it would not offer a version of a security patch for NT 4.0 has called into question an earlier promise to continue supporting the operating system through the end of 2004 and raised concern among its customers.
The new vulnerability could expose computers running the operating systems to a denial of service attack, Microsoft warned in its security bulletin, MS03-010, last Wednesday. (http://www.microsoft.com/technet/security/bulletin/MS03-010.asp)
The flaw lies in Microsoft's implementation of a protocol called RPC (Remote Procedure Call), which allows applications on a computer to call applications on another computer in a network. An attack on the RPC service could cause the networking services on the system to fail, Microsoft said in its bulletin.
Microsoft's security bulletin contained links to software patches for both the Windows 2000 and Windows XP operating systems. Regarding Windows NT 4.0, however, Microsoft said that "the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future."
Major changes to the architecture of RPC in Windows 2000 were behind the Redmond, Washington company's stance on patching NT 4.0, according to the bulletin.
"Due to (the) fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability," Microsoft said.
Windows NT 4.0 customers were advised to put affected systems behind a firewall that blocks traffic on TCP/IP (Transmission Control Protocol/Internet Protocol) Port 135, the port used by the flawed RPC Endpoint Mapper process.
That change would protect organizations from outside attackers, Microsoft said.
Despite efforts to encourage its users to migrate from the NT platform to Windows 2000, more than a third of the company's installed base still consists of machines running the NT 4.0, according to Al Gillen, research director of systems software at IDC.
In January, Microsoft responded to calls from its customers to extend support of NT 4.0, announcing that pay-per-incident and premier support for Windows NT Server 4.0 will run through Dec. 31, 2004, but that non security-related hot fixes would end as of Jan. 1, 2004. In its security bulletin Wednesday, Microsoft did not address the promise made in January to support NT 4.0.
The decision not to issue an RPC patch was probably not part of a move to withdraw NT 4.0 support, Gillen said.
"If Microsoft was interested in twisting its customers' arms, they wouldn't have extended support of NT 4.0 earlier this year. It's inconsistent to extend support then say 'We're not going to patch this', or 'We're not going to patch that' to try to twist their arm," Gillen said.
While the install base for NT 4.0 has declined steadily from one year ago, when it was more than half of Microsoft's install base, Microsoft will likely have to contend with the needs of its NT 4.0 customer for years to come, regardless of the availability of alternatives, Gillen said.
"I'm not of the opinion that Windows Server 2003 is going to create a surge in NT 4.0 upgrades. If these customers were so anxious to upgrade, they would have done it by now," he said.
Despite the Redmond, Washington's product road map, most companies follow their own schedules for upgrading computer hardware and operating systems. Often those schedules plan on using an operating system for four or five years, then upgrading to whatever the most advanced platform is at the time.
That's the case at The Beth Israel Deaconess Medical Center (BIDMC) in Boston, where half of the hospital's 200 servers and 4500 desktops run Windows NT 4.0, according to John Halamka, chief information officer of CareGroup Health System and the Harvard University Medical School.
Because of tight capital allocation budgets at the hospital, BIDMC plans hardware and software upgrades on a five or six year cycle, Halamka said.
That makes moving from NT 4.0 a practical impossibility for now on many of the hospital's systems.
"A lot of our desktops are still running on (Intel Corp.'s) Pentium 2's or Pentium 3's with 128 M-bits of RAM. Windows 2000 is not optimal from a memory and CPU standpoint for five year-old hardware," he said.
While BIDMC is planning to buy new hardware and migrate from NT 4.0, the process will take a couple years, according to Halamka.
BIDMC's network configuration is such that the hospital is unlikely to be affected by the RPC vulnerability. However, the decision by Microsoft to not issue a security patch for NT 4.0 is a concern, he said.
"I've had discussions with Microsoft personnel and told them that they need to understand the nature of lifecycle management in the health care and nonprofit sectors. (Microsoft) needs to think about a five or six year lifecycle instead of a two year lifecycle," Halamka said.
Despite the unpatched vulnerability, Halamka said BIDMC will continue using NT 4.0.
"NT 4.0 still has a couple years left in it," Halamka said.