Microsoft: Killing NT Softly?

New vulnerabilities in popular operating systems seem routine. As they're discovered, companies have to scamper to install hot fixes to help secure their systems. If they don't, they may as well send maps and leave the porch light on for all the hackers and script kiddies wanting to enter their systems.

Microsoft isn't making it any easier for companies that are installing Windows NT 4.0 to keep up with the security patches published in the past 18 months. The company whispered that it wouldn't be publishing the long-anticipated Service Pack 7 for Windows NT 4.0. The software company posted a bulletin [http://www.microsoft.com/ntserver/sp7.asp] stating that NT users are getting along just fine with SP 6a, released in November 1999, and that SP 7 is not necessary.

SP 7 was expected to be published in November 2000. But then the company said it would postpone its release until third quarter 2001, before recently nixing it altogether.

"Based on discussions with our customers, we have come to the conclusion that Service Pack 7 is not needed, but that an easy way to deploy our publicly released security fixes would be appreciated by many of our customers," the bulletin reads.

Some Microsoft customers at NetWorld+Interop in Las Vegas this week think differently. "I'm getting the impression they're slowly killing NT," says one network administrator from a major trucking company who did not wish to be named. "We are planning on deploying NT in one of our divisions, and this is going to make it a huge hassle tracking all of the hot fixes that need to be installed." The network administrator will have to wait a little while, yet again, for an easy way to update all of the security vulnerabilities since the publication of SP 6a. Microsoft says they're planning to release a "comprehensive roll-up of all Windows NT 4.0 security vulnerabilities as a single package in Q3 2001."

In the meantime, Microsoft has made available, as separate downloads, the NT 4 Active Directory client as well as international editions of the Internet Explorer High Encryption Pack.

While it may be a greater burden for new NT installations, analysts say it should be a minor encumbrance for those with existing NT networks. "Multiple hot fixes are a greater administrative burden than one service pack. But if a hot fix is critical, companies will bear that burden anyway when they deploy the hot fix ahead of the service pack schedule," says Forrester analyst Frank Prince.

Gartner had expected Service Pack 7 to be the last pack issued, says analyst John Pescatore. He adds that if Microsoft does release the promised comprehensive hot fix roll-up, its approach is "good enough" as long as it doesn't mean everyone will end up "having to run around and find all the post 6a security hot fixes that are out or will come out."

As for Windows 2000 users, the Windows 2000 Service Pack 2 was in beta in December 2000. Microsoft expects to make that available soon, but isn't pegging a firm date.