Microsoft gives Windows admins a legacy migration headache with WINS sunset
Friday 28 November 2025, 18:00, by ComputerWorld
Microsoft has given system administrators until 2034 to stop using WINS (Windows Internet Name Service) NetBIOS name resolution technology in their networks — but even nine years may not be enough notice for some: WINS is very much still in use, supporting a niche range of difficult-to-replace legacy systems.
WINS dates from Windows NT in 1994 and has long since been displaced by the more modern Domain Name System (DNS). It was deprecated in 2021 to coincide with the appearance of Windows Server 2022. This meant it would be supported but no longer developed, a clear signal that the clock was ticking. Now, Microsoft has said, the last operating system to support WINS will be Windows Server 2025. That’s what determines the nine-year final migration deadline — the lifespan of Windows Server 2025 on the Long-Term Servicing Channel (LTSC).

“Organizations using WINS are strongly encouraged to migrate to modern DNS-based name resolution solutions,” the company said, perhaps stating the obvious, in a Windows Message Center advisory in early November. According to Microsoft, the timescale is generous. “Our goal is to make planning and migrations as predictable and low-stress as possible. With advanced notice and a support runway, organizations can confidently modernize their environments at their own pace,” it said.

Cutting out WINS

Future versions of Windows without support for WINS will lose the WINS Server role and associated binaries, the WINS Microsoft Management Console (MMC) snap-in, and WINS automation APIs and related management interfaces, the company added.

WINS migration is yet another legacy issue inherited from the creative ferment of computer networking in the 1980s and 1990s. That era needed solutions to lots of networking problems in a hurry, especially how to turn a desktop PC operating system such as DOS or Windows into a practical server platform. WINS solved an important challenge: how to connect the names used to identify computers using the 1980s’ NetBIOS network naming system with modern IP addresses. DNS, a hierarchical system that worked for Internet as well as network addresses, had rendered NetBIOS obsolete. But both ended up co-existing, examples of how the industry delivered more than one answer to the same problem.

Today, the arguments for getting rid of WINS extend beyond its obsolescence. It is also a security risk. In 2017, Fortinet’s FortiGuard Labs discovered a WINS Server remote memory corruption vulnerability in Windows Server 2008, 2012, and 2016. Microsoft’s reply to Fortinet made interesting reading: “A fix would require a complete overhaul of the code to be considered comprehensive. The functionality provided by WINS was replaced by DNS and Microsoft has advised customers to migrate away from it.” In short, Microsoft had no plans to patch the issue. Its solution was that customers migrate away from WINS, a process it has since become clear could still be ongoing for some customers into the 2030s.

Why WINS is still in use

Organizations still using WINS are likely to fall into one of two categories: those using it to support old technologies with long lifecycles such as operational technology (OT) systems, and those that have simply half-forgotten that they are still using it.

“For OT stacks built around WINS/NetBIOS, replacing them isn’t trivial because changing name resolution touches safety‑critical systems and bespoke integrations,” said Kieran Bhardwaj, head of security engineering at UK cyber security consultancy Bridewell, which specializes in advising on critical infrastructure. “Legacy technologies persist because some niche systems like industrial/OT environments are engineered for multi‑decade lifecycles. Many control systems are architecturally fixed and can’t be re‑platformed,” he said. “It’s also hard for Microsoft: WINS sits deep in the networking stack which means removing a once‑core component demands exhaustive regression to avoid unintended breakage.”

Equally, according to William Wright of pen-testing company Closed Door Security, WINS was still running on some networks for the same reason that many legacy technologies overstay their usefulness: migration apathy.

“Most organizations running WINS today probably aren’t actively using it for anything critical. They’ve just never had a compelling reason to turn it off,” he said. “It’s been quietly replicating in the background, consuming minimal resources, causing no obvious problems. That’s the nature of legacy infrastructure: It persists not because it’s needed, but because removing it requires effort and carries risk, while leaving it alone is free,” said Wright.

WINS is a security risk

WINS had major design limitations that made it a security risk, said Wright. “WINS has no mechanism to verify the legitimacy of name registrations, which makes it vulnerable to spoofing attacks,” said Wright. “An attacker on the network can register malicious entries, including Web Proxy Auto-Discovery (WPAD) records to intercept web traffic, or redirect connections to systems they control. It’s a straightforward path for lateral movement,” he said.

Finding WINS still turned on inside a network was a godsend to hackers using open-source tools such as Responder to conduct name resolution poisoning attacks against legacy Windows protocols such as Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS), Wright added. Worse, the presence of WINS often indicated that a target was using other vulnerable legacy protocols. “Systems often fall back to NetBIOS broadcast queries when WINS isn’t available, which are spoofable on local networks. This is exactly what tools like Responder exploit, and it remains a common technique in penetration testing and real-world attacks alike.”

Network inventory

Organizations looking to rip WINS out should start with an inventory to find out where it is being used, Bhardwaj said: “Many organizations don’t realize a legacy asset still relies on WINS, so proactively inventory older segments and OT/ICS networks and verify resolution paths before the next upgrade window.”

“The trade-off is that customers still using WINS must put in the work to move to DNS by auditing dependencies, modernizing or isolating legacy workloads, and implementing DNS. But the payoff is a simpler, more secure platform.”

In the end, even the brightest and best-performing technologies will one day be legacy. Migrating from WINS is a test of how well organizations are dealing with this wider problem. “There’s way too much legacy that is unused and that presents an attack surface for no reason,” said Bhardwaj.
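The inventory and "verify resolution paths" steps Bhardwaj describes can be scripted on each Windows host. The following PowerShell is an added example for this page, not code from ComputerWorld, Microsoft or Bridewell. It assumes an elevated session on Windows Server (Get-WindowsFeature needs the ServerManager module; the DHCP option check only returns data on a DHCP server with the DhcpServer module), and the host names in $LegacyHosts are constructed placeholders to be replaced with the organization's own legacy assets.

```powershell
# Added example: audit a Windows host for WINS dependencies before migrating to
# DNS-only name resolution. Constructed sample names; replace with real inventory.
$LegacyHosts = @('PLCGATEWAY01', 'FILESRV-OLD', 'HISTORIAN')   # constructed sample

function Get-WinsServerRoleState {
    # The WINS Server role and its service are what Microsoft will drop after Server 2025.
    $feature = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name WINS -ErrorAction SilentlyContinue
    }
    $service = Get-Service -Name WINS -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RoleInstalled = [bool]($feature -and $feature.Installed)
        ServiceStatus = if ($service) { $service.Status.ToString() } else { 'NotPresent' }
    }
}

function Get-WinsClientConfig {
    # Per-adapter WINS addresses and the NetBIOS-over-TCP/IP setting from WMI.
    # TcpipNetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Adapter          = $_.Description
                WinsPrimary      = $_.WINSPrimaryServer
                WinsSecondary    = $_.WINSSecondaryServer
                NetbiosOverTcpip = $(switch ($_.TcpipNetbiosOptions) {
                    0 { 'DHCP-controlled' } 1 { 'Enabled' } 2 { 'Disabled' } default { 'Unknown' }
                })
            }
        }
}

function Get-DhcpWinsOptions {
    # DHCP option 44 (WINS/NBNS servers) and 46 (NetBIOS node type) are how clients
    # learn about WINS; only meaningful on a DHCP server with the DhcpServer module.
    if (-not (Get-Command Get-DhcpServerv4OptionValue -ErrorAction SilentlyContinue)) { return $null }
    Get-DhcpServerv4OptionValue -OptionId 44, 46 -ErrorAction SilentlyContinue
}

function Test-DnsOnlyResolution {
    param([string[]]$Names)
    # -DnsOnly skips the LLMNR/NetBIOS fallback, so a name that fails here still
    # depends on WINS or broadcast resolution and must be fixed in DNS first.
    foreach ($name in $Names) {
        $result = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name           = $name
            ResolvesViaDns = [bool]$result
            Addresses      = ($result | Where-Object { $_.Type -eq 'A' } |
                              ForEach-Object { $_.IPAddress }) -join ','
        }
    }
}

'== WINS Server role ==';     Get-WinsServerRoleState | Format-List
'== WINS client settings =='; Get-WinsClientConfig | Format-Table -AutoSize
'== DHCP WINS options ==';    Get-DhcpWinsOptions | Format-Table -AutoSize
'== DNS-only resolution ==';  Test-DnsOnlyResolution -Names $LegacyHosts | Format-Table -AutoSize
```

Run it per host (or wrap the functions in Invoke-Command for a fleet) and treat any adapter with a WINS address, any DHCP scope still handing out option 44, and any name that does not resolve with -DnsOnly as an open migration item. Once every required name resolves through DNS alone, the NetBIOS-over-TCP/IP setting (TcpipNetbiosOptions = 2) is the one to move to, since it removes the broadcast fallback that Wright describes as spoofable on local networks.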
https://www.computerworld.com/article/4098085/microsoft-gives-windows-admins-a-legacy-migration-head...