On Friday 16 February 2007 16:14:59 Hoort, Brian wrote:
> Greetings:
>
>
>
> I contacted Microsoft with the intention of paying them for the DST
> patch for Windows 2000 (for those of you sleeping under a rock W2K is
> out of M$'s support cycle and they are not distributing non-security
> patches to organizations without Extended Support Contracts).  We still
> have a small percentage of servers that haven't been replaced yet.  The
> response was that it would cost $4000.
>
>
>
> We're not paying $4000 for a patch.  I don't suspect many departments
> across the University are.  So what are you guys doing?  I know we
> aren't the only ones with W2K servers and workstations lingering...
> Here, we've discussed the following alternatives:
>
> a)     One of my co-workers found a 3rd party company that was giving an
> unsupported patch away for free on their web site; sounds great, but,
> it's not from M$ and who knows how well it works come March.  I'd feel
> much safer if it was from M$.
>
> b)     M$ offers instructions on how to do it manually in KB914387.
> It's very complicated.  I wouldn't trust myself to even copy and paste
> without errors, and being a registry patch there would be no feedback as
> to whether it was wrong.
>
> c)     My limited understanding of Kerberos and AD/Domain behavior
> suggests that trying to fake it out by changing the time won't work for
> any machine in the domain (it seems as though it might for
> non-domain-members). (Kerberos refuses net connectivity to any
> connection more than 5 minutes offset from the DCs - try it yourself -
> change your workstation date ahead and try and connect to Exchange - no
> go).
>
> d)     Could the U. buy the patch and distribute it, much like U. site
> licenses?  Perhaps we would all pay a fraction of that cost?
>
>
>
> Are you aware of any other options?

My plan is for option a).  I have not yet tried it but friends have tested
it and it works.  As for feeling 'safer' with MS, they're the ones who've
created all the security problems in the first place.  Given MS's repeated
inability to fix code correctly (how many RPC patches are there, now?),
I think other places can do at least as good a job.  I'm quite serious.
Option d) might be reasonable but I don't think things could move
fast enough for that to happen.

--STeve Andre'
Political Science