Editing Windows 2000 (section)

== Security ==
During the Windows 2000 period, the nature of attacks on Windows servers changed: more attacks came from remote sources via the Internet. This has led to an overwhelming number of malicious programs exploiting the IIS services – specifically a notorious buffer overflow tendency.<ref name="ecommerce-guide.com">{{Cite news |date=August 19, 2003 |title=Worms Wreak Havoc |url=http://www.ecommerce-guide.com/news/trends/article.php/3065801 |archive-url=https://web.archive.org/web/20050301072847/http://www.ecommerce-guide.com/news/trends/article.php/3065801 |archive-date=March 1, 2005 |access-date=May 17, 2019 |publisher=ECommerce-Guide}}</ref> This tendency is not operating-system-version specific, but rather configuration-specific: it depends on the services that are enabled.<ref name="ecommerce-guide.com" /> Following this, a common complaint is that "by default, Windows 2000 installations contain numerous potential security problems. Many unneeded services are installed and enabled, and there is no active local security policy."<ref>{{Cite web |title=Articles - Network Security Resources - GovernmentSecurity.org |url=http://www.governmentsecurity.org/articles/Windows2000Security.php%7ctitle=governmentsecurity.org |website=Network Security Resources}} {{Dead link|date=November 2018 |bot=InternetArchiveBot |fix-attempted=yes }}</ref> In addition to insecure defaults, according to the [[SANS Institute]], the most common flaws discovered are remotely exploitable [[buffer overflow]] vulnerabilities.<ref>{{Cite web |title=SANS Institute |url=http://www.sans.org/top20/ |url-status=live |archive-url=https://web.archive.org/web/20060919033409/http://www.sans.org/top20/ |archive-date=September 19, 2006 |access-date=September 17, 2006}}</ref> Other criticized flaws include the use of vulnerable encryption techniques.<ref>{{Cite magazine |last=McCullagh |first=Declan |date=May 16, 2000 |title=Critics Blast MS Security |url=https://www.wired.com/news/technology/0,1282,36336,00.html |url-status=live |archive-url=https://web.archive.org/web/20080724131754/http://www.wired.com/news/technology/0,1282,36336,00.html |archive-date=July 24, 2008 |access-date=February 25, 2010 |magazine=Wired News}}</ref>

Code Red and [[Code Red II (computer worm)|Code Red II]] were famous (and much discussed) [[Computer worm|worms]] that exploited vulnerabilities of the [[Windows Indexing Service]] of Windows 2000's [[Internet Information Services]] (IIS).<ref name="CERTCodeRed" /> In August 2003, security researchers estimated that two major worms called [[Sobig (computer worm)|Sobig]] and [[Blaster (computer worm)|Blaster]] infected more than half a million Microsoft Windows computers.<ref name="SoBig">{{Cite web |date=August 21, 2003 |title=SoBig worm not slowing down yet |url=https://money.cnn.com/2003/08/21/technology/sobig/ |url-status=live |archive-url=https://web.archive.org/web/20190517030254/https://money.cnn.com/2003/08/21/technology/sobig/ |archive-date=May 17, 2019 |access-date=May 17, 2019 |website=[[CNN Money]] |publisher=[[Time Warner]]}}</ref> The 2005 [[Zotob (computer worm)|Zotob]] worm was blamed for security compromises on Windows 2000 machines at [[American Broadcasting Company|ABC]], [[CNN]], the [[New York Times Company]], and the [[United States Department of Homeland Security]].<ref name="Wired">{{Cite magazine |last=Poulsen |first=Kevin |date=April 12, 2006 |title=Border Security System Left Open |url=https://www.wired.com/2006/04/border-security-system-left-open/ |url-status=live |archive-url=https://web.archive.org/web/20170217143454/https://www.wired.com/2006/04/border-security-system-left-open/ |archive-date=February 17, 2017 |access-date=February 17, 2017 |magazine=[[Wired (magazine)|Wired]] |publisher=[[Condé Nast]]}}</ref>

On September 8, 2009, Microsoft skipped patching two of the five security flaws that were addressed in the monthly security update, saying that patching one of the critical security flaws was "infeasible."<ref>[http://news.techworld.com/operating-systems/3201403/microsoft-windows-2000-too-old-to-update/ Techworld] {{Webarchive|url=https://web.archive.org/web/20140426211409/http://news.techworld.com/operating-systems/3201403/microsoft-windows-2000-too-old-to-update/ |date=April 26, 2014 }}, September 9, 2009, "Microsoft: Windows 2000 too old to update"</ref> According to Microsoft Security Bulletin MS09-048: "The architecture to properly support [[TCP/IP]] protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix for Microsoft Windows 2000 Service Pack 4 to eliminate the vulnerability. To do so would require re-architecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, there would be no assurance that applications designed to run on Microsoft Windows 2000 Service Pack 4 would continue to operate on the updated system." No patches for this flaw were released for the newer [[Windows XP]] (32-bit) and [[Windows XP Professional x64 Edition]] either, despite both also being affected;<ref>{{Cite web |title=microsoft.com |url=http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx |url-status=dead |archive-url=https://web.archive.org/web/20110804072524/http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx |archive-date=August 4, 2011 |access-date=November 13, 2011 |website=[[Microsoft]] |df=mdy-all}}</ref> Microsoft suggested turning on [[Windows Firewall]] in those versions.<ref>{{Cite web |last=Keizer |first=Gregg |date=September 14, 2009 |title=Microsoft: No TCP/IP patches for you, XP |url=https://www.computerworld.com/article/2527501/microsoft--no-tcp-ip-patches-for-you--xp.html |url-status=live |archive-url=https://web.archive.org/web/20190517030606/https://www.computerworld.com/article/2527501/microsoft--no-tcp-ip-patches-for-you--xp.html |archive-date=May 17, 2019 |access-date=May 17, 2019 |website=[[Computerworld]]}}</ref>