Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide

  • Article
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Chapter 5: Hardening Windows 98

Published: September 13, 2004 | Updated : March 30, 2006

Note: Welcome to the TechNet Archive. We've created this Archive area so that we can continue to make available older content that is still of interest to some of our users. This allows us to streamline the content offerings on the site and keep it focused on the newest, most relevant content.

On This Page

Introduction
Windows 98 Security Design
Implementation
Testing the Solution
Summary

Introduction

Most organizations with earlier versions of the Microsoft® Windows® operating system have substantial populations of desktop and mobile computer clients running Windows 98, Windows 98 Second Edition (SE), or Windows Millennium Edition (Me). (This chapter refers to these versions collectively as “Windows 98.”) This chapter focuses on what you can do to improve the security (or harden) these clients to improve the overall security of your network.

Windows 98 clients are deployed in many roles in which upgrading the operating system is not feasible. For example, Windows 98 serves as a platform for many kiosks and point-of-sale terminals, customized applications, and classroom student workstations. Proper configuration of security settings on these computers can ensure continued reliability of line-of-business applications without exposure of the workstation itself or other computers on the network.

This chapter discusses how to accomplish the following tasks:

  • Install Windows 98 and provide a patch baseline.

  • Install an Internet firewall.

  • Harden the boot sequence.

  • Deploy baseline configurations of Microsoft Internet Explorer.

  • Install Microsoft Active Directory® directory service Client Extensions.

  • Configure Server Message Block (SMB) signing.

  • Choose the Windows NT LAN Manager (NTLM) authentication level.

  • Define effective system policies.

Windows 98 Security Design

Much of the design of a secure Windows 98 installation involves the identification of configuration settings that can be easily modified. In a secure environment, these settings are configured to a corporate specification and locked so that the configuration remains unchanged.

Installing Windows 98 and Providing a Patch Baseline

A baseline deployment of Windows 98 with current security patches gives a known starting point from which to implement a secure platform policy. You can find a complete list of Windows 98 patches on the Microsoft Windows 98 download site at https://microsoft.com/windows98/downloads/corporate.asp. (Chapter 6, "Patch Management," in this guidance discusses patches in great detail.) Your initial deployment of Windows 98 workstation into a network should include remediation of known vulnerabilities. For example:

  • All Windows 98 workstations should be configured using only the options necessary for proper network performance. For example, if local file and printer shares are not required, File and Print Sharing options should not be specified in network configuration.

  • Make sure that you have applied all critical updates from the Microsoft Web site to workstations and that you have installed recommended updates if they apply to the local computing environment.

  • Microsoft Internet Explorer 6 Service Pack 1 (SP1) incorporates the latest secure browsing enhancements and fixes. You should install it on any computer connecting to the Internet. You can install it directly from the Microsoft Internet Explorer Web site at https://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.mspx, order it on a CD-ROM, or install it in a customized configuration using the Internet Explorer Administration Kit (IEAK).

Trey chose to build its computers from a common image that was applied to new workstations with the Ghost imaging tool. The common image was built by installing Windows 98, Internet Explorer 6.0, and all released patches and service packs, plus content from the Windows Security Update CD.

Installing an Internet Firewall

A firewall is a security solution that segregates one portion of a network from another portion, allowing only authorized network traffic to pass through according to traffic filtering rules. Firewalls can be either hardware or software-based. An Internet firewall is one that exists between your local computer network and the Internet to protect against malicious attacks by denying access to incoming network traffic that is not specifically approved. In a network environment, the network itself should have a hardware firewall or similar security product such as Microsoft Internet Security and Acceleration (ISA) Server to protect against external threats. You can protect individual workstations by installing software firewall products, which are available from several vendors; see the “More Information” section at the end of this chapter.

Boot Sequence Hardening

One potential security weakness in Windows 98 is the boot sequence, which can be interrupted to allow system access before policies are in place. To ensure that the system cannot be compromised in this manner, you must secure the boot process by editing the Msdos.sys system file with Notepad or another text editor (specific guidance is provided later in this chapter). System administrators should be aware that this setting will disable the ability to boot the computer into safe mode, which is desirable in order to keep malicious users from bypassing security measures. However, this setting will make system troubleshooting more difficult, and will have to be reset in order to use alternate boot sequences for system maintenance.

Because the boot process can be interrupted by booting from removable storage, computer basic input/output system (BIOS) configuration should be set to boot from the primary hard disk only. Most computers allow entry into BIOS settings with a control key during system startup. After setting the BIOS for secure booting, you can secure it further by setting an administrative password. This approach is not perfectly secure; many system BIOS settings can be reset by an “emergency” key sequence that is often published on Web sites, and nearly all can be reset by opening the system case and changing the position of a hardware jumper. In settings where physical security of the computer is uncertain, you should physically lock the system chassis.

Trey engineers modified the boot timeout value for each computer running Windows 98 in the domain. All desktop and mobile computer users were given cable locks to secure their computers. Also, on computers that support it, BIOS settings were changed to restrict alternate booting.

Deploying Baseline Configurations of Internet Explorer

The Internet Explorer Administration Kit (IEAK) contains many tools for customizing, deploying, and maintaining Internet Explorer 6. With the IEAK, network administrators can identify secure configurations to deploy to network clients. Deployments can include custom applications, pre-built favorites lists, privacy and security settings, specification of proxy server, and almost any other customization of Internet Explorer. Maintaining such configurations allows for easy update of any security components as new Internet vulnerabilities arise.

Internet Explorer allows configuration of security zones to allow or block downloads or active content. The four zones that can be configured are:

  • Internet. Contains all Web sites not included in other zones.

  • Local intranet. Contains all sites within local networks.

  • Trusted sites. Contains Web sites that are trusted not to contain malicious content.

  • Restricted sites. Contains Web sites that have the potential to contain malicious content.  

You can set customized security configurations within each of these four security zones, or you can select preset safety levels ranging from “low” to “high” from a drop-down list.

To deploy Internet Explorer 6.0, Trey built a custom configuration with the IEAK (a process described in detail in the documentation accompanying IEAK, available at https://www.microsoft.com/technet/prodtechnol/ie/ieak/default.mspx) that includes a complete list of Security Zone settings for trusted hosts.

Some malicious code can come from active content that invokes new Internet Explorer sessions or “pop-up” windows. Many pop-ups attempt to trick users into installing Trojan Horses (programs that appear to be useful but contain hidden code to exploit or damage computer systems), viruses (programs designed to replicate themselves on multiple computers), or spyware (programs that conduct certain activities on a computer without obtaining appropriate user consent). A simple way to stem the tide of pop-ups is to install a pop-up blocker. A good one is available for free from Microsoft as part of the MSN Toolbar, which is available at https://toolbar.msn.com. Trey deployed the MSN toolbar as part of its Windows 98 image update.

Installing Active Directory Client Extensions

Windows 98 clients do not have all of the features of newer operating systems that were designed to take advantage of Active Directory services. Microsoft published the Active Directory Client Extension Add-On (DSClient) for Windows 98 to provide access to Active Directory networks. The following Active Directory features become available to Windows 98 clients through the use of DSClient:

  • Awareness of Active Directory sites. This awareness gives the client the ability to log on to the domain controller closest to the client on the network, rather than the primary domain controller (PDC) or PDC emulator role holder. It also gives the client the ability to reset passwords against any domain controller. In Windows NT version 4.0 domains the PDC handles all password changes, but in Active Directory any domain controller can service these requests. DSClient extends this functionality to Windows 98 clients. These enhancements help to reduce network traffic and load on the PDC.

  • NTLM version 2 (NTLMv2) authentication. NTLMv2 authentication gives much more secure authentication than the LAN Manager (LM) authentication that shipped with Windows 98. While not as strong as Kerberos authentication, NTLMv2 is far more secure than LM.

  • Active Directory Services Interface (ADSI). ADSI provides a common application programming interface (API) to applications and allows a scripting interface for Active Directory.

  • Distributed File System (DFS) fault tolerance. DSClient gives access to Windows 2000 and Microsoft Windows Server™ 2003 DFS failover shares as specified in Active Directory.

  • Active Directory Windows Address Book properties. DSClient extends the Windows 98 environment to expose extended Active Directory schema elements through the Search command on the Start menu. It also allows users who have permissions to edit properties on user objects within Active Directory.

The following Active Directory features are not made available through the Active Directory Client Extensions:

  • Kerberos support. Full Kerberos support is available only on Windows 2000 and later clients.

  • Group Policy support. Group Policy participation and IntelliMirror object management are not made available to the clients with earlier-version operating systems.

  • Internet Protocol Security (IPSec) and L2TP support. These advanced secure networking protocols are not available.

  • Service Principle Name (SPN) or mutual authentication. These capabilities are not enabled through DSClient.

It is important to obtain the latest version of DSClient from Microsoft Product Support Services. DSClient 2003 is available as a hotfix; more information can be obtained from KB article 323455, "Directory Services Client Update for Windows 98" at https://support.microsoft.com/?id=323455. Before installing DSClient, ensure that your workstations are running Internet Explorer 6 with SP1 or later.

The Trey IT staff manually deployed DSClient to each of the computers running Windows 98 in the domain. They did this to allow integration with Kerberos authentication and to allow the computers running Windows 98 to use a higher NTLM authentication level.

Configuring SMB Signing

SMB signing is a cryptography technique that allows each packet sent between a client and server to be digitally signed to verify authenticity. This technique prevents client or server impersonation in the network by computers that may attempt to interject themselves in the middle of communications, and it verifies the source of all network communications.

SMB signing was introduced with Windows NT 4.0 Service Pack 3 (SP3) and is described in KB article 161372, "How to Enable SMB Signing in Windows NT" at https://support.microsoft.com/?id=161372. To enable it in Windows 98, you must make a registry DWORD entry in the HKLM\SYSTEM\CurrentControlSet\Services\VxD\VNetsup key to either require signing or support it if the communications partner requires it. There are two DWORD values that together control the use of SMB signing:

  • If you set EnableSecuritySignature to 1 and RequireSecuritySignature to 0, SMB signing will be used if the client and server both support it. This setting allows the opportunistic use of signing but does not prevent the client from connecting to other clients or servers that do not support signing.

  • If you set RequireSecuritySignature to 1 and EnableSecuritySignature to 0, the client will only communicate with servers that support SMB signing.

SMB signing, when used, should be configured on all computers that participate on a network. Computers that do not have these registry entries will not be able to communicate with other network hosts. The overhead for SMB signing typically results in a 10 to 15 percent decrease in network performance.

Trey chose to disable the use of SMB signing for its Windows 98 clients to provide complete compatibility with their existing environment. SMB signing is enabled, but not required, for servers and domain controllers, as well as for Windows NT and Windows 2000 clients. On their Windows 98 clients, the client settings used were EnableSecuritySignature=0 and RequireSecuritySignature=0, which prevents Windows 98 clients from requesting or accepting signed connections. Although this approach denies those clients the additional security against spoofing and man-in-the-middle attacks, turning off SMB signing preserves compatibility, which was evaluated as being more important to Trey business operations than the additional security. This change also required Trey to make a configuration change on their Windows Server 2003 domain controllers, since Windows Server 2003 enables SMB signing by default.

Choosing the NTLM Authentication Level

Windows 98 uses older, less secure authentication LM encryption by default. Vulnerabilities and exploits have been published against them, and Microsoft has strengthened the authentication security protocols to mitigate these vulnerabilities. After the DS Add-On client has been configured, you can set it to use the more secure NTLMv2 authentication method.

With DSClient installed, Windows 98 supports two levels of NTLM and NTLMv2 authentication that are controlled by the LMCompatibility registry value described later in this chapter. These values are:

  • 0 (Send LM & NTLM responses). Offers the most interoperability. Clients may use LM or either version of NTLM to authenticate.

  • 3 (Send NTLMv2 response only). Use this value only if all clients with earlier operating system versions have DSClient installed.

Trey initially deployed the registry key with a value of 0, which mirrored the existing environment. After the Windows NT 4.0 servers at Trey had been upgraded as described in Chapter 4, "Hardening Microsoft Windows NT 4.0," Trey reset the LMCompatibility value on computers running Windows 98 to 3.

The default installation of NTLMv2 encryption provides 56-bit key lengths on systems where the 56-bit version of Internet Explorer is installed. Systems where Internet Explorer was installed after 1999 probably have the 128-bit version; older clients can be upgraded to 128-bit encryption as described in the preceding chapter. If the 128-bit version of Internet Explorer is installed before you install the DSClient, 128-bit NTLMv2 authentication will be enabled. As described in Chapter 4, “Hardening Microsoft Windows NT 4.0,” Trey installed the 128-bit update on its computers running Windows 98 and deployed NTLMv2 authentication support for all its computers. After these changes were in place, Trey was able to proceed with enabling NTLMv2 support on servers and domain controllers.

Defining Effective System Policies

System policies let you centrally apply security policies to overwrite default settings in the local computer registry. Network administrators can identify areas of vulnerability within computers running Windows 98 and configure many of the settings to be as secure as possible.

Windows 98 clients apply policies in the Config.pol file located in the PDC’s Netlogon share (because computers running Windows 98 can only enumerate a domain user’s group memberships from the PDC, not from any backup domain controllers (BDCs)). Because the domain controllers at Trey are running Windows Server 2003, this is not a problem for the environment; sites that are still running Windows NT® 4.0 domain controllers may be able to use the recommendations in KB article 150687, “Group Policies Not Applied on Windows NT Domain” at https://support.microsoft.com/?id=150687 to deploy user-specific policies.

Most of the Windows 98 policies are oriented toward restricting the user’s ability to change the desktop environment. Trey elected not to use these policies because they add little effective security. Instead, Trey chose to apply policy settings that would make it more difficult for a malicious attacker to cause damage, or for an innocent but untrained user to accidentally break needed functionality. Trey chose to apply policies to:

  • Require logon security, and to present a logon banner that describes organizational policies.

  • Set a password policy that hides user passwords while they are typed and requires long alphanumeric passwords.

  • Disable file and print sharing and remote dial-in access.

  • Prevent users from running the registry editing tools.

Remember that a mistake can quite easily secure the computer too much and lock out functionality necessary for using or administering the computer. Therefore, as a best practice, use a computer that is not a primary workstation and can be reconfigured. It is also a good idea to make group-specific or user-specific policies for administrators that relax some of the restrictions so that administrators can easily access registry editing and troubleshooting tools. Trey developed a test schedule that deployed proposed policy settings in a lab environment with computers built to accurately represent its production hosts; this test schedule was used to verify that the policies worked as intended without unintended side effects.

Implementation

Windows 98 lacks most of the configuration and management tools introduced in later versions of Windows. This limitation meant that the Trey Research staff was forced to choose between building a secure Windows 98 configuration and deploying it via imaging to all their current workstations, or manually applying security settings. Because they were already planning a deployment of Windows XP Service Pack 2 for all computers as part of their IT modernization plan, they elected to use manual configuration to avoid having to rebuild affected computers twice, even though it means an additional degree of complexity in the short term.

Implementation Prerequisites

For these implementation details to work correctly, you must have a basic Trey Research infrastructure implemented as introduced in Chapter 2, "Applying the Security Risk Management Discipline to the Trey Research Scenario."

Implementation Overview

Implementing this solution scenario will involve performing the following activities:

  • Installing Windows 98 and providing a patch baseline

  • Installing an Internet firewall

  • Boot sequence hardening

  • Deploying Internet Explorer

  • Installing the Active Directory Client Extensions for Windows 98

  • Configuring SMB signing

  • Choosing the NTLM authentication level

  • Defining effective system policies

Installing Windows 98 and Providing a Patch Baseline

Trey developed a standard Windows 98 configuration by reinstalling Windows 98 with its standard defaults on a test computer, installing patches from the Security Update Kit, and then adding the most up-to-date set of patches from Windows Update. After the installation was complete, Trey used the Windows Update catalog tool to analyze the test system and print a report listing the patches that were applied. This list of patches was then used to update other Windows 98 systems to the same baseline.

Installing an Internet Firewall

After evaluating a number of personal firewall products, the Trey IT director chose one that allowed centralized configuration and reporting of attempted attacks and penetration. This firewall product was then deployed to all desktop and mobile computers running Windows 98. Microsoft does not recommend or endorse specific firewall products, but some available products are listed in the “More Information” section at the end of this chapter.

Boot Sequence Hardening

To secure a computer running Windows 98 against interruption of operating system startup, you must modify the Msdos.sys system file and configure the computer BIOS to remove access to removable media as boot devices.

Securing the Boot Process

To keep the boot sequence from being interrupted before security policies are enforced, you should edit the Msdos.sys system file to disable the ability to change startup behavior and circumvent policies. KB article 118579, "Contents of the Windows Msdos.sys File" at https://support.microsoft.com/?kbid=118579 explains how to locate and edit this file.

Because the Msdos.sys file is hidden and marked Read-Only, you should modify it to remove these attributes until the file is edited.

To modify Msdos.sys with Notepad

  1. Click Start, point to Find, and then click Files Or Folders.

  2. In the Named box, type msdos.sys

  3. In the Look In box, click your boot drive (usually drive C).

  4. Click the Find Now button.

  5. Right-click the Msdos.sys file and select Properties.

  6. Clear the Read-Only and Hidden check boxes to remove these attributes from the file, and then click OK.

  7. Right-click the Msdos.sys file and select Open With.

  8. In the Choose the program you want to use box, click Notepad, and then click OK.

  9. Add the following two lines to the [Options] section:

    BootKeys=0

    BootSafe=0

    The BootKeys Boolean value specifies whether keyboard function keys are allowed on system startup. Because several of these keys can be used to interrupt the boot process, a secure system disables the keys by assigning a value of 0.

    BootSafe is another Boolean setting that allows safe-mode booting. Setting BootSafe to a value of 0 locks the computer from a safe-mode boot.

  10. Save the file and close Notepad.

  11. Right-click the Msdos.sys file and select Properties.

  12. Select the Read-Only and Hidden check boxes to set the attributes for the file, and then click OK. Close the Find dialog box.

  13. Reboot the computer for the changes to take effect.

Note   Further discussion of the contents of Msdos.sys is available in the KB article referenced earlier.

Removing Access to Removable Media as Boot Devices

If a computer can be booted from removable media, system security settings can be completely bypassed and reconfigured. Consult your system manufacturer’s guidance for instructions for accessing the system BIOS.

To disable booting from removable media

  1. Set the primary hard disk as the first boot device.

  2. Disable booting from floppy disk and CD-ROM devices.

  3. Consider disabling universal serial bus (USB) and FireWire ports if not needed in your business environment.

  4. Set the BIOS password (if available) to prevent these security measures from being reset.  

Deploying Internet Explorer

Administrators of large networks can build custom installations of Internet Explorer 6.0 SP1 with the Internet Explorer Administration Kit (available at https://www.microsoft.com/technet/prodtechnol/ie/ieak/default.mspx) to ensure that workstations are running the latest secure build of Internet Explorer. IEAK allows administrators to set administrative profiles to preconfigure Internet Explorer security settings, lock down Microsoft NetMeeting® and Microsoft Outlook® Express, and control which features users are able to change.

Note   The most up-to-date version of the Active Directory Client Extensions requires Internet Explorer 6.0, as described in KB article 555038 “How to enable Windows 98/ME/NT clients to logon to Windows 2003 based Domains” at https://support.microsoft.com/?kbid=555038.

Installing Active Directory Client Extensions for Windows 98

Microsoft has created extensions for Windows 98 to allow participation in Active Directory domains. This client should be installed on all Windows 98 workstations in these environments. Although the Active Directory Client Extensions for Windows 98 were distributed with Windows 2000, a new update is available from Microsoft Product Support Services as a free hotfix.

Configuring SMB Signing for Network Communications

SMB signing ensures that each packet transmitted across a network is digitally signed, which provides a high level of security but may incur a network performance cost of 10-15 percent. If SMB signing is configured, all systems in the network should be configured to use SMB signing. However, to ensure maximum compatibility at the expense of some security, Trey elected to force its Windows 98 clients to disable SMB signing. Their configuration can be implemented as follows.

To disable SMB signing on the Windows 98 client

  1. Start the Registry Editor by typing Regedit.exe at a command prompt and pressing ENTER.

  2. Find the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\
    Services\VxD\VNetsup

  3. Add two values to this key:

    • Value Name: EnableSecuritySignature

      Data Type: REG_DWORD

      Value: 0 (disables the use of signing when the server supports it)

    • Value Name: RequireSecuritySignature

      Type: REG_DWORD

      Value: 0 (allows communication even when the server cannot support signing)

  4. Exit the Registry Editor.

  5. Restart the computer.

To change the Windows Server 2003 default setting that requires SMB signing

  1. Log on to the Windows Server 2003 domain controller using an account with administrative privileges on the domain.

  2. Launch the Microsoft Management Console (MMC.exe) and add the Group Policy Object Editor snap-in. Target the Group Policy Object Editor snap-in at the Default Domain Controllers Policy object for the domain, and then click Finish.

  3. Expand the Default Domain Controllers Policy object, then expand Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options.

  4. Double-click Microsoft network server: Digitally sign communications (always).

  5. Select the Define this policy setting check box, and then ensure that the Disabled button is selected. Click OK.

  6. Close the Microsoft Management Console window.

Choosing the NTLM Authentication Level

After the Active Directory Client Extensions have been installed, you should enable NTLMv2 authentication. KB article 239869, "How to enable NTLM 2 authentication," provides guidance on enabling these settings.

To set the NTLMv2 authentication level

  1. Start the Registry Editor by typing Regedit.exe at a command prompt and pressing ENTER.

  2. Locate and click the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\

  3. Create a new subkey of Control named LSA.

  4. Create a DWORD value called LMCompatibility and set it to 3 (see “Choosing the NTLM Authentication Level” earlier in this chapter for a discussion of permissible values).

  5. Restart the computer.

Note   You should not set the value of LMCompatibility to 3 until after you have updated your Windows NT servers to allow the use of NTLMv2. If the environment contains computers that are not configured to use NTLMv2, communications will fail. Ensure that you plan these settings across your enterprise to ensure uninterrupted communication. For more information about restricting the LM compatibility level on Windows NT, see Chapter 4, "Hardening Microsoft Windows NT 4.0."

Configuring System Policies for Security

System Policy Editor is a powerful tool that can be used to limit access to a computer running Windows 98 in a precise manner by preventing users from changing security settings while allowing them to accomplish their work. You should create system policies to help protect your workstations from tampering and enforce custom security settings.

Installing System Policy Editor

You must install the System Policy Editor on the same platform for which you want to create policies. That is, if you want to make policies for Windows 98 systems, you must edit and save the policy file from a Windows 98 workstation.

To install the System Policy Editor from the Windows 98 CD-ROM

  1. Click Start, point to Settings, and then click Control Panel.

  2. Click Add/Remove Programs.

  3. Click the Windows Setup tab, and then click Have Disk.

  4. Insert the Windows 98 disk into your CD-ROM drive.

  5. In the Install From Disk dialog box, browse to the \Tools\Reskit\Netadmin\Poledit folder on the CD, select the Poledit.inf file, and then click OK.

  6. In the Have Disk dialog box, select the System Policy Editor component and then click Install.  

This installation copies Poledit.exe to the Windows folder and Windows.adm, Common.adm, and Poledit.inf to the \Windows\Inf folder. It also makes the necessary changes to your registry and adds a start menu item to your Programs\Accessories\System Tools folder.

Warning   Before you edit the registry, you should first make backup copies of the registry files (System.dat and User.dat), which are hidden files in the Windows system folder.

After installing the System Policy Editor, you can use it to create a policy for local installation or distribution. Notice that as you change policy settings, the check boxes for each policy setting have three states: selected, cleared, and disabled (dimmed). If the check box is selected, the policy will apply as specified. If the check box is dimmed, the policy setting will be ignored. If the check box is cleared, that policy’s registry settings might be deleted unintentionally.

To create a policy using recommended computer-level settings

  1. Double-click C:\Windows\poledit.exe.

  2. Click File, and then New Policy.  

  3. Double-click the Default Computer icon. The Default Computer Properties dialog box will display.

  4. Expand the Windows 98 Network node. The following settings are recommended for the network properties.

    Under Logon, select the following check boxes:

    • Logon Banner. Adds a start-up banner that describes organizational policy about computer usage.

    • Require validation from Network for Windows Access. Requires users to authenticate over the network rather than at their local computers.

    • Do not show last user at logon. Forces users to type in a valid user name, instead of displaying the previous value.

    • Do not show logon progress. Hides progress of the logon session.

    Under Password, select the following check boxes:

    • Hide share passwords with asterisks. Masks passwords as they are typed.

    • Disable password caching. Forces the client to authenticate against a more secure network controller rather than storing passwords locally in a less-secure cache.

    • Require alphanumeric Windows password. Forces a higher level of complexity for local passwords.

    • Minimum Windows Password length. Lets you specify the number of characters required for a password. A setting of 8 is a relatively strong password length.

    Under Microsoft Client for Windows Networks, select the following check boxes:

    • Log on to Windows NT. Lets the administrator hard-code the domain to which the workstation is authorized to log on.

    • Disable caching of domain password. Minimizes the exposure of locally cached passwords.

    • Workgroup. Allows the administrator to hard-code the domain to which the workstation will log on. This setting is required for domain logon.

    • Clear the Alternate Workgroup check box so that the user cannot log on to specified workgroups.

    Under File and Print Sharing for Microsoft Networks, clear all check boxes. File and print sharing capabilities should generally be disabled on local workstations. If users need to share files or printers, use dedicated servers and secure them properly.

    Under Dial-Up Networking, select the Disable dial-in check box to ensure that the computer cannot be accessed remotely.

  5. Click OK.

To create a policy using recommended user-level settings

This procedure requires that you complete the previous procedure and that the System Policy Editor is already open. Windows 98 only supports downloading a single policy from the domain controller, so user-level and computer-level settings must be combined.

  1. Double-click Default User.

  2. In the Default User Properties dialog box, double-click Windows 98 System.

  3. Double-click Control Panel.

  4. Expand Network, and then click Restrict Network Control Panel.

  5. Expand System, and then click Restrict System Control Panel.

  6. Expand Restrictions, and then click Disable Registry editing tools.

  7. Click OK.

  8. Save the policy to the appropriate location.

Deploying Policies

After you configure the policies for your organization, complete the following steps to name the policy file Config.pol and save it to the correct network location so that the client workstations can automatically download and apply the settings.

To deploy policies

  1. On the File menu, select Save As.

  2. Name the file Config.pol and store it in one of the following locations:

    • For Windows NT 4.0 domain controllers, save the file as %systemroot%\WINNT\System32\Repl\Import\Scripts\Config.pol

    • For Windows 2000 and Windows Server 2003 domain controllers, save the file as %systemroot%\sysvol\sysvol\domainName\scripts\Config.pol

To enable automatic policy downloading for the Windows 98 client

  1. Log on to the computer running Windows 98.

  2. Open the Control Panel.

  3. Double-click Network.

  4. Ensure that in the Primary Network Logon drop-down list, Client for Microsoft Networks is selected.

  5. Click the Identification tab, ensure that the value in the Workgroup field matches the name of the domain, and then click OK.

Testing the Solution

After the scenario implementation is complete, you are ready to validate your implementation to ensure that it meets the requirements.

Validation

You can use the information in the following table to test the Trey scenario and validate your implementation of this guidance.

Table 5.1: Validation Tests

Description

Test steps

Expected result

Validate installation of hotfixes

Run the QFECheck.exe utility (located in the Windows installation folder).

You are able to obtain a list of current hotfixes that match established baseline.

Validate installation of Internet Explorer 6 SP1

Start Internet Explorer, and from the Help menu click About Internet Explorer.

Version information should show 6.0.2800.xxxx.

Validate that DSClient successfully installed

Click Start, and then Search and For People.

Ability to search Active Directory indicates successful installation of DSClient.

Validate NTLMv2 authentication

Set the domain controller to require NTLMv2 authentication.

Client can successfully log on.

Validate SMB signing

Set network resources to require SMB signing for communications.

Client can successfully access network resource.

Validate system policies

Attempt to access resources restricted by system policies.

You cannot access forbidden resources.

Validate system BIOS security

Attempt to access system BIOS with manufacturer-specified escape sequence.

You are presented with a password challenge.

Attempt to circumvent boot device

Insert a bootable floppy disk and CD.

Client does not boot from removable media.

Attempt to circumvent boot sequence

Press F5 or F8 during system startup.

Client does not present a menu allowing alternate boot.

Attempt to bypass network logon

Attempt to press ESC when presented with logon.

Windows 98 desktop not accessible until successful domain credentials are presented.

Summary

Many organizations have significant investments in Windows 98 systems and, for various reasons, are not able to upgrade them to newer operating systems with stronger built-in security. Given proper attention, these systems can be made relatively secure from vulnerabilities that otherwise could impact an organization. Best practices dictate a proactive security management stance and threat mitigation by staying current with security patches for operating system and applications after a well thought-out initial installation and configuration. The Active Directory Client Extensions for Windows 98 allow these workstations to obtain some of the benefits of participating in an Active Directory domain by providing secure authentication with NTLMv2. Also, man-in-the-middle attacks from computers posing as valid clients can be stopped using SMB signing. In addition, you can use Windows 98 System Policy Editor to implement strong policies that allow knowledge workers to perform their job functions while securing their computers from the chance of accidental or intentional misconfiguration.

After a strong foundation is in place, you can protect your investment with strong patch-management practices and antivirus technology, covered in Chapters 6, "Patch Management," and Chapter 7, "Antivirus Protection," respectively, of this guidance.

More Information

Download

Get the Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide

Solution Accelerator Notifications

Sign up to stay informed

Feedback

Send us your comments or suggestions