Maintaining Windows 2000 for the Long Term?

MarkWatson asks: "I keep two Windows machines: a Windows 2000 laptop (bought with XP, but installed an old Windows 2000 license and Linux) and a desktop with XP (dual boot to Linux). I would like to avoid ever buying a PC with Vista, a situation that looks good because I believe both my Windows systems are reliable, fast, and will service my Windows needs for the long term. My problem is this: I like Windows 2000 better for a few reasons, but mainly because the license is transferable. I would like to still be using Windows 2000 5 years from now in a secure and reliable way (again, just for when I need Windows). Since I am far from a Windows expert, I would like to know your strategy for archiving Microsoft's latest Windows 2000 updates, and generally dealing with security issues. My strategy is to set my firewall up to run in stealth mode and not use Windows for general web browsing. Any suggestions will be appreciated!" How would you keep an old Windows OS (like Win98, and WinXP in another year or two) running long after official support for it has ended?

Support ends but....

[walterwalter]

MS does discontinue support but the updates and whatnot are still available after they discontinue support. They just stop putting up new updates. You can "update" a fresh 98 install up to the point where they discontinues support and this seems to be what you are worried about.

Accept the realities

[SuiteSisterMary]

Eventually, new patches will stop coming out for it. Sure, some people will hack up XP patches, where they can, but eventually they'll stop coming.

So, what can you do? Make sure that you're running what patches do exist, make sure you never ever expose it live to the Internet, make sure that all of your apps are patched, make sure that you're running fully up-to-date antivirus. Don't install any software which is at all questionable, don't visit any questionable websites. Turn off what you can; if you don't use WSH, turn it off. Turn off autoassociations for it, at least. Turn off as much of ActiveX as you can, javascript and so on. There are lots of guides to hardening Win2000/IIS and so on, and most of the reccomendations here are ones that you should be following anyway.

If you wait long enough, of course, people will be targeting Vista rather than Win2000/XP, and you won't have to worry about it; kind of like how Win98 is actually a fairly safe operating system to be running these days.

Oh, and scan it with an up-to-date BartPE disc every once in a while, just to be sure. Make sure you grab the module for Spybot from the Spybot website.

Two different approaches

[megabyte405]

Win2k - Offline Updates: http://www.heise-security.co.uk/articles/80682 [heise-security.co.uk] . From a post here on Slashdot a while ago, it's a pretty slick tool. Just keep running it until they stop making updates for Win2k, then burn it to multiple high-quality archival CD's for safety :D A firewall (or even consumer router) never hurts, unless it's the Norton firewall.

Win98 - I'll agree with another poster, virtualize it. VMWare Player is your friend. (and why is Win98 your friend too? I suppose it's not WinME ;D )

Long-term: virtual; short-term: be careful

[davidwr]

Others have already made good suggestions for the short-term, such as minimizing exposure, installing all patches, using non-IE browsers when necessary, etc.

If it's at all possible, block all traffic, incoming and outgoing, except what you need. If it's possible, only allow certain processes, such as firefox, to access the Internet at all.

Also, make a full-image backup plus frequent additional backups so you can restore your system if it gets compromised.

The long-haul solution is to go virtual. Get a lightweight Linux with your favorite VM and install Win2K on it. Back up the image frequently. This way if your laptop dies you can replace it and not worry about driver issues. Heck, you can even do all "Internet" traffic on the Linux side and restrict the Windows network to a private-virtual-lan with the host system. Even then, block all traffic except what you really need, such as for file transfer and for printing.

2k is under extended support until 2010

[RingDev]

Windows 2k retired from mainstream support on 6/30/2005. It is currently under extended support until 7/13/2010.

So for the next 3 1/2 years you will continue to receive security and critical patches, and you will be able to pay for support if you need it. So there's nothing to panic about yet.

After 2010 though, if MS doesn't extended support, you may want to look in a new direction. Possibly an emulator for Linux to run what ever 2k app you need, or a replacement for those apps you are using. Worst case scenario, (2k support ends and numerous viruses are released for it) you can still run it, you just have to take into consideration the extra security concerns.

Here is the page for MS's support life cycle info: http://support.microsoft.com/gp/lifeselectindex [microsoft.com]

-Rick

Use a Virtual Machine

[Natales]

I have lots of customers who had this same concern about Windows NT. Virtually everybody had that beige box in the dark corner of the datacenter with a sign on top saying "don't touch" running some critical app in Windows NT, where registry modifications and tweaks go back years and couldn't be replicated. Newer hardware wouldn't support NT so they kept it running.

The ideal solution is a VM. At least if you use VMware ESX, the virtual hardware exposed by the VMM (virtual machine monitor) is always constant regardless of the physical hardware, and the virtual I/O devices are rather old, so any old OS would support it. In fact, in most cases this solution runs faster than the old beige box regardless of the virtualization tax due to the speed of the new processors.

You can keep a system running for years and years with this method, even backup the full VM as a file.

Disclaimer: I work for VMware, but I see this all the time with actual customers.

Re:Two different approaches

[cbirkett]

http://www.mam-a.com/products/gold/index.html [mam-a.com]

HD 137 GB

[rlp]

Windows 2000 does not support drives > 137 GB. I just reinstalled Win 2000 on an (older) box with a 200 GB drive. It reported the drive size as 137 GB. The C partition (20GB) was fine, but the D partition (180 GB) was inaccessible. It suggested I run diagnostics. Fortunately I did NOT do this. Instead I installed Service Pack 4 and then did further upgrades on-line. It first required me to manually upgrade to IE6, and then install the MS BITS update package followed by 50-60 patches. Several reboots were required. After that partition D was fine. I did a quick Google and learned that running a file system check before the SP4 install would have completely corrupted the partition. So, maintaining Win 2K systems is already somewhat painful. As MS removes support, it will become more so.

Safe Windowsupdate

[silicon not in the v]

As someone pointed out, the old updates and patches for Win98 and Win2K will still be available for a long time on WindowsUpdate. They just won't be releasing new ones. I have had to do re-installs for myself and friends several times, and I know can get owned before it finishes downloading the updates. So here is a pretty basic sequence to safely install and update. Preferrably this would all be done behind at least a basic consumer router, though.

Preferred software to have first--1. Your Windows install CDs 2. I have a utilities CD-R for new installs that has a bunch of stuff on it (Zone Alarm, Firefox, Thunderbird, Flash, Quicktime), but the two you really need are Zone Alarm and Firefox. Zone Alarm will control incoming and outgoing connections. 3. If the system is XP, hopefully have the Service Pack 2 on CD-R since it's a huge beast to download through WindowsUpdate.

Steps with the computer unhooked from the net:
Wipe the hard drive and do the basic Windows install.
Install Zone Alarm, Firefox.
Configure IE--it actually has a cool feature that I haven't seen in other browsers, where you can set the overall security settings, but list particular domains as exceptions. I turn up the overall settings to high/paranoid, and then list *.microsoft.com as lower security so it can run the WindowsUpdate ActiveX control.

Then plug into the router/internet.
Start into the repetitive patch and reboot sequence of WindowsUpdate. Zone Alarm will ask for permission whenever IE tries to access it, so you can just click "Allow" each time it asks, without setting it to permanently have permission.

You're fairly safe from that point, using Firefox for your browsing and keeping good control with Zone Alarm of which programs you want to have net access and when you want them to. You can continue pretty safely this way for many years, or as long as your hardware holds up. About the only danger vector is if you use a separate email client. Email attachments get downloaded, and you have the responsibility to be careful of what you accept and/or virus scan them. I just use Yahoo Mail, so everything gets virus scanned before it gets to my computer. I think most other web mail sites do that too.

Re:Virtualization?

[just_another_sean]

This is also what I do. I run an XP, 2K and 2k3 Server in a vmware session if/when I need them.

Other then the lack of 3d graphics support (which I was hoping would let me run a few Windows games without
messing with wine) it works really well. All my business/job needs are met by this setup. Games... I'm still
working on that. ;-)

Re:Slightly more useful

[supremebob]

There were a bunch of security patches released after the Rollup, so you need to install those as well. IE 5 isn't supported anymore, either, so you might want to upgrade to IE 6 for those few sites that don't work right with Firefox.

Re:HD 137 GB

[greg1104]

It supports larger drives just fine; I have a 750GB drive happily running on my Windows 2000 box. To fully use a hard drives that's >137GB, Windows 2000 requires service pack 3 or later and a registry hack [microsoft.com]. You didn't need the IE and other extra patches just to be able to use the other partition.

Windows XP requires service pack 1 and a registry hack [microsoft.com]. It's possible for OEMs to upgrade the copy of XP they ship to have this feature by default.

For people who just have to format the entire hard drive as one big partition, then this limitation in Windows 2000 can be annoying. Those of us who prefer to keep the OS drive on the small side, separating out data files onto a separate partition, are barely effected by it. I'm already going to install SP4 on any new Windows 2000 system anyway, so I just need to remember which registry key to tickle after that's done and this problem goes away.

Re:No - Windoze

[eln]

It still has to be configured. Most of the security software you need for Linux comes with the distribution, but it still has to be configured if you want it to do any good. My point is that Linux needs work to make it secure, just like Windows does. The difference is that with Linux the software is there and needs to be configured, while with Windows the software needs to be downloaded and configured.

Re:Consider virtualization

[Lproven]

Sounds like you don't know Mac OS very well. Pretty much all the stuff you cite - OpenOffice, Firefox, whatever - could have been run natively under OS X. You can even run many xNix apps from the Fink or OpenDarwin projects, tho' native OS X versions are usually much preferable.

Including running W2K under Virtual PC.

I see no need for what is effectively a triple-boot machine - OS X (with Classic, quadruple-boot), Linux /and/ Windows - when you could easily have made a simpler system by removing a whole OS from the equation.

There's not really much good reason for running Linux on a Mac - there are fewer drivers & proprietary apps in PPC form than x86 and OS X provides pretty much all the Unix goodness one could want.

The virtualisation idea isn't bad, but run W2K with up-to-date A/V and antispyware and so on, behind a hardware firewall, and it's pretty safe even today. Remove & replace all the MS internet apps and it's not bad at all.

Offline Updater

[Bastardchyld]

Heise Security released an script called Offline Updater.

This script will allow you to create all-inclusive, fully-automated update cds for the English and German versions of Windows 2000, Windows XP, and Windows 2003. The script will create a CD .iso for each OS and/or it can also create an all-inclusive DVD .iso for all of the above versions. You then burn the .isos you created and the installation is entirely automated (some reboots required but automatically continues with the install).

Here is an short and sweet write-up on this - http://www.heise-security.co.uk/articles/80682/3 [heise-security.co.uk]
Here is where you download the file (.zip) - http://www.heise.de/ct/ftp/projekte/offlineupdate/ ctupdate302.zip [heise.de]
Here is Heise Security's Forum on the script - http://www.heise-security.co.uk/forums/go.shtml?li st=1&forum_id=108277 [heise-security.co.uk]

Why

[gravis777]

Why bother? Yeah, so the license is transferable. Yeah, so 2000 has lower system requirements.

Do you really think your laptop will still be working in 5 to 10 years? Do you remember what we had 5-10 years ago?

5 years ago, my system was top of the line. 500 MHz. 192 meg of ram, an insane amount for the time.

10 years ago, had a pentium 90 MHz, with a whole 16 meg of ram, running the newest Windows 95 operating system.

Really, do you think you are going to keep your laptop that long?

So your license is transferable. Chances are, unless you are buying laptops from eBay or third party refurbished stuff, your laptop will come with a license for xp or vista. Why bother with your unpatched 2000 that has a transferable license?

What is up with all these people who say that they will never consider using XP or Vista? I think too many people are thinking of XP back when it was first released. Yes, there were all kinds of issues with it. It was a major rewrite of Windows - in a good way. Software vendors had to write better code, new drivers had to be made, and microsoft released some service packs..... and the result is that 5 years later, xp is not a half bad operating system. Yes, the OS is unforgiving to the ignorant, but patch your OS, run Spybot and the TeaTimer (the beta fixes the graphical glitches), and you ALREADY HAVE AN XP LICENSE ON THIS MACHINE!

Vista, in my testing enviornments, is proving to be a pretty freakin awsome operating systems. I would still say wait before upgrading for at least a few months, to let some of the security patches come out, but if you are going to buy a laptop with vista preinstalled, leave it on there. I mean, why purposely cripple yourself with an unsupported OS?

I have seen a few people complain how there are no longer updates for 98. The operating system is freakin 9 years old, 2000 is eight years old. Shoot, you would not have been trying to run Dos 3.3 on an computer in 1995 or 1997 and be complaining that you do not get new features and stuff like that would you? You would be laughed at.

Its 2007, dude! Windows 2000 came out at the end of 1999. Five years from now this operating system will be 13 years old!

If you are going to run a Microsoft OS, just run the one that comes bundled with your new computer. Shoot, Apple feakin releases a new version of their Operating System practically every year. Thank God that Microsoft's life expectancy for an OS seems to be hovering around the 6 year mark.

Even Linux distros stop supporting their old distros after a while. I am too lazy to look for this, but there was an article on Slashdot a couple of days ago that Fedora was going to stop updates for its early versions.

Its not like I am telling you to upgrade - the new OSes are already installed on your system, you have a freakin license. Why are you creating all this trouble DOWNGRADING your operating system, limiting your functionality, limiting your access to software, and limiting yourself from getting updates? You like 2000? Fine. Right click on your start bar in XP / Vista, goto properties, choose the custom start bar. Right click on your desktop, go to wallpaper, and turn off the windows bliss wallpaper. Then go to the Appearance tab and change the button layout and style from XP or Vista to Windows Classic. Whalla, you now have an operating system that looks like the Windows you know and love, but will recieve security patches. Your recycle bin just may be a different icon.

I am going to end this with stating what I have said over and over again in this reply - stop crippling yourself. Microsoft, in this case, did not screw you over by making you buy an upgrade, and its not like you are running some legacy hardware that will not run the new OSes. You already have them, you have the licensces, they came preinstalled on your machine, you were in no way inconvienineced by XP being preloaded on your system as that you do use Windows. YOU are the one who uninstalled it, YOU are the one who created thes