Windows 2000 Extended Support ends: Your options as an administrator

In the course of administering a network, IT pros often end up with systems that they just can't seem to part with. Now that Windows 2000 extended support from Microsoft has come to an end, IT pro Rick Vanover discusses your options.

Today is an important day for the network administrator as Windows 2000 ends its extended support period. This means that security hotfixes will no longer be available for either the server or professional (workstation-class) editions of the operating system. While it is now a ten-year-old operating system, many people surely have some straggling installations that are still on this popular OS.

For Windows 2000, this is effectively the end of the line for a popular era of server computing that can be looked at in a number of ways. On one hand, it opened the door to a sprawl of application servers throughout IT environments that was tough for administrators to deal with. On the other hand, it was the first release of Active Directory and Group Policy, which in my opinion are the best products Microsoft has ever made. Windows 2000’s Lifecycle statement is listed below in Figure A.

Figure A

The Microsoft Product Lifecycle site is an important resource to use in conjunction with operating system and application inventories. This determines a lot for infrastructure administrators in terms of when things should be removed as well as what should be implemented. Frankly speaking, I wish hardware vendors were this open about the lifecycle of products.

For administrators who have Windows 2000 systems in place and an upgrade path isn’t clearly visible, here are four accommodations you can make to protect yourself:

  • Firewall: Set up a private network for the antiquated operating system and secure the perimeter with a network firewall.
  • Turn it off: If the system is a virtual machine, have it powered on only when needed. This can easily be accommodated with VMware vSphere or Hyper-V permissions models, and the application owners can deal with the extra step.
  • Convert it to a virtual machine: If the system can be made a virtual machine, it can be a lot easier to preserve and isolate in this fashion.
  • Utilize Windows 2000 Custom Support services from Microsoft. There is an offering to have hotfixes made available on a case-by-case basis. This is available for large Microsoft accounts and is very expensive.

While the end result will usually involve upgrading to a new operating system, sometimes factors beyond the control of the administrator are involved. What are your strategies for Windows 2000 systems? Share your comments below.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

29 comments
LeonBA

We held onto Windows 2000 until the date passed, but in the end (a few weeks ago) we upgraded all our 2000 servers to 2003. It was simple, relatively fast, and a very smooth transition. Coming in Monday morning, it was like nothing happened over the weekend. We do have an issue with one server, but we can keep it going for now and we'll rebuild it at our next convenience.

coolmark82

My ATXSTF MNT performance 1400 shipped with Windows 2000 Pro, and as soon as XP came out, I upgraded it. As soon as Vista came out, I upgraded it. As soon as 7 came out, I upgraded it, and the hardware. I would like to see how my vintage PC can handle Windows 8 when it comes out in April 13, 2015-April 13, 2016.

farson

All good things have to come to an end. I switched my small network from Win2K to WinXP SP3 2 years ago. No trauma, no wasted emotion. "In technology, there are but two degrees of freedom; forward and down. There is no backwards."

Ray Collazo

I'm an IT guy for a Very small factory with 45 employees which almost got swallowed whole by the GD2009 (Great Depression of 2009). I Have ZERO budget to upgrade Anything. I have 2 win2K servers, along with 15 win2k clients, which are still running our ERP software. While we do have 15 WinXPsp3 machines, it is Quite apparent that we are far, Far behind the current schedule in regards to Operating Systems and Hardware. And we're still chugging along quite happily. Just like the old Steam locomotives, Sure: You may no longer have support from the Manufacturer, which is where you need to Internalize your support: Have someone handy who Has the history and background in maintaining the older machines, while at the same time building a Wish List of the new equipment to get when things get better. We're running MS Server Update Services, and have the entire patch library of Win2K patches here on site, meaning that even if MS takes their online patches away, I still can bring the machines up to current patchworthiness on my own. I don't anticipate my budget situation getting any better until at LEAST 2012, thus my proactive approach in managing my network firewall, Filtering all my web traffic, and maintaining my Email server's draconian rules are of utmost importance. Also, Configuring each machine with Least User Privilege has Majorly helped save my fuzzy butt!! (Why Yes! It was doable in Win2K as well, but most couldn't get to it easily so most left it alone) With said rules in place, I've been running said network since 2002 with NO Virus breaches whatsoever, and can easily anticipate surviving a few more years this way until things get better... IF/WHEN things get better, that is!!

Gis Bun

Only people that SHOULD be using Win 2000 still are those with legacy apps that can't be updated. Anyone else who uses Win 2000 is incompitent.

dwdino

Add VMware infrastructure with Microsoft Windows 2008 Datacenter. Bake with physical server retirement. No more windows 2000 and 2003 is on the chopping block.

dharper

I didn't know about the extended support dropping until just now, but I guess it's a good thing we're migrating our last 2000 DC today :D

lserchia

We'll be upgrading to Server 2003 like our other servers...

reisen55

It is for a 501c3 museum and they are functionally broke. I treat them with great care and they are my loss leader per se, but no upgrade now and for the future.

AV .

Because of budget constraints, the upgrade didn't happen as quickly as planned, so one of our critical systems is still running on 2000. In the next couple of months it will be upgraded to Windows server 2008. It can't happen soon enough for me. AV

amahan

and will probably always keep it around in some shape or form. In my opinion it is a very solid OS with an NT kernel and no extra BS (eyecandy, etc). I do realize that there will be security concerns now that patches are not being rolled out, but I will likely use one of Rick's suggestions to keep it alive!

b4real

I saw a small business totally happy with Windows 98. Their application works well, and things are simple. No worries about updates and patches. Are they at risk, yes.

anyamount

What is your network firewall hardware and software?

1LUV1T

Ray, I'm sorry but your comparison of W2K to a Steam Locomotive example sounds outdated and highly inaccurate. In this day and age, running an OS that is no longer supported by its Manufacturer is equivalent to riding a Ford Taurus in Iraq. You need something that's more modern, secure, and built to handle its environment. The whole reason for having support to your (Microsoft) OS is so that you have not just the latest bug fixes but also security patches which are a helluva lot more important given the amount of hackers and exploits out there. So in my comparison, I'm equating your corporate network connected to the public Internet (a very dangerous place) to Iraq, and your old, outdated, insecure server to a beatup Ford Focus. Now how likely do you think you will be attacked? And how easy will it be?

frwagne

I purchased a personal IBM ThinkPad 1492 back in the spring of 2000, delivered with Win98SE, certified and upgraded to Win2K. Still running, within the last year replaced the Li-Ion battery, the CMOS battery and the NIC. I keep updated A-V on it, but with a 500Mhz pentium and 384M of RAM, it's not really a candidate for XP or Vista, but I may have to see if XP is doable, and affordable!

davidsaintamour

People who can't figure out how to use spell-check probably shouldn't be calling other people incompetent. The fact is not all of us administer a neat office environment and can upgrade OSs without complications, or have the money to upgrade legacy apps that require an older OS. There can be any number of other reasons to keep these systems. I still maintain a win2000 server, win2000 systems, and even win98 systems. Not because I want to. Because I have to. It's a money thing. Micro$oft surely knows it. So unless you've got something interesting to add to the conversation, perhaps you could just shut up.

pgit

I deal with a few such 'loss leaders,' it is a great feeling to help, and I'm never so appreciated as I am there. (and yes, plenty of good recommendations) Of course your win2k machine will run safely until the hardware winks out, if it is not connected to the internet. If such machines are, I get someone to donate an old box gathering dust somewhere and set up a smoothwall firewall. I set one up on a 486DX with 32 MB RAM and a 3 GB HD once, and there was no slowdown in net traffic. Everybody should be able to land smoothwall-capable hardware for free. Might have to spring for some network hardware, switch, cables etc. But if speed is not an issue an old hub can be had for free as well. (I got a stack of 'em) So long as the policy is no scripts eg the firefox extension and never install anything, an unsupported win box should be good to go pretty much indefinitely. I once kept an unpatched, no-antivirus/antimalware win98 machine running like new for several years behind a smoothwall. It was a laptop, the old P-II finally gave out in '05 and they upgraded to a donated P-III 900 running XP.

Mad Mole

Other project priorities have meant we've still got two critical servers left to virtualise followed by a gradual functional migration to 2k8. It'll be a shame to see 2k go but we'll still have one VM running it as the software is yet to be 2k8 certified. For me 2k has a level of simplicity that makes it a pleasure to use. Time will tell if 2k8 generates the same levels of affection.

b4real

Hope the upgrade goes well!

dlovep

As far as I can see, Microsoft is getting back more money when you count on Terminal Service, Windows 2000 is the last version to provide "Special Terminal Service".... now no more...

tom

I have a number of locations where W2000 Pro is acting as a server for up to 10 workstations, and it has been working perfectly for around 9 years. Because of the XP sessions limitations the "server" was never changed when the workstations were changed to XP. Other than spending to buy new hardware and Server 2008 what choices are there for what has to be a Windows box due to bespoke applications?

b4real

It will always be around. It will taper out of the ISV supported realm, but I'm somewhat sad about it as well. RIP Windows 2000

slm

Your points regarding W2K security are well taken, but why would anyone want to attack a beatup old Ford in Iraq? There's probably nothing in it but a flat broke Iraqi.

b4real

But there are considerations to a lack of patches/updates becoming available.

cquirke

Keeping old unpatchable systems off the Internet does reduce risk, but also means outdated antivirus and a reliance on USB for data transfers. Those two can come together with a vengeance, in the form of USB infectors. There are two effective methods of spread by USB. The first is via \Autorun.inf, and while I do recommend both NoDriveTypeAutoRun = DF or FF plus NoDriveAutoRun suppression of all drive letters (except optical?), in this case I'd go further and kill the Autorun.inf file interpretation by defining that file name as a "legacy .INI" and directing it to oblivion. The second effective method of USB spread is facilitated by unsafe UI defaults. It's not USB-specific, but works very well... malware creates itself with the name and icon of an existing (or expected) file or folder, and hides the real material it is replacing in this way. When the victim "opens" the malware file, it chains through to the hidden material, so things appear to "work" but the malware is active. The fix is a combination of UI changes (show hidden and system files, show file name extensions) and human skills/policy (no code files on USB devices or in data set, be aware of hidden files and file name extensions).
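
The three registry settings named in the comment above can be checked offline against a regedit export of a legacy machine. This is an added example, not part of the original comment; the key paths and the `@SYS:DoesNotExist` mapping are the commonly documented locations for these settings (the comment names only the values), and the sample export is constructed.

```python
import re

# NoDriveTypeAutoRun bits; a set bit disables AutoRun for that drive type.
DRIVE_TYPES = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
               0x10: "network", 0x20: "optical", 0x40: "ramdisk", 0x80: "unknown-0x80"}
EXPLORER = r"software\microsoft\windows\currentversion\policies\explorer"
INIMAP = r"software\microsoft\windows nt\currentversion\inifilemapping\autorun.inf"

def parse_reg(text):
    """Parse regedit export text into {lowercased key path minus hive: {name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].split("\\", 1)[-1].lower(), {})
        elif current is not None and (m := re.match(r'(@|"[^"]*")=(.*)$', line)):
            name, data = m.group(1).strip('"'), m.group(2)
            is_dword = data.lower().startswith("dword:")
            current[name] = int(data[6:], 16) if is_dword else data.strip('"')
    return keys

def audit(text):
    """Return findings for the three AutoRun settings; an empty list means all are set."""
    keys = parse_reg(text)
    policy = keys.get(EXPLORER, {})
    def dword(name):  # a missing or non-DWORD value counts as 0 (nothing disabled)
        return policy[name] if isinstance(policy.get(name), int) else 0
    findings = []
    # 0xDF disables every type except optical; 0xFF disables optical as well.
    enabled = [n for bit, n in DRIVE_TYPES.items()
               if not dword("NoDriveTypeAutoRun") & bit and n != "optical"]
    if enabled:
        findings.append("AutoRun enabled for drive types: " + ", ".join(enabled))
    # NoDriveAutoRun is a per-letter mask: bit 0 is A:, bit 25 is Z:.
    letters = [chr(65 + i) for i in range(26) if not (dword("NoDriveAutoRun") >> i) & 1]
    if letters:
        findings.append("AutoRun not suppressed for drives: " + "".join(letters))
    if not str(keys.get(INIMAP, {}).get("@", "")).lower().startswith("@sys:"):
        findings.append("Autorun.inf is not remapped through IniFileMapping")
    return findings

# Constructed sample export (real regedit exports are UTF-16; decode before parsing).
HARDENED = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000df
"NoDriveAutoRun"=dword:03ffffff
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
"""
print(audit(HARDENED) or "all three AutoRun settings are in place")
```

Because the hive name is dropped when parsing, feed it one hive's export at a time if both HKLM and HKCU policies are in use.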

Realvdude

Known as Server 2008 R2 Foundation, though I believe that it is only available preinstalled on new systems. I'm hoping to see an OEM software release.

mike

If you only have 10 workstations and are looking for a file server my favorite product is windows home server. It's basically windows 2003 server without active directory and a domain controller. Best of all it's cheap.

b4real

I'd favor a private network that isn't connected to anything over a USB track meet.