Microsoft Security Tool Kit: Installing and Securing a New Windows NT 4.0 System
This is a brief guide intended to help you understand the basic steps necessary to safely install a new copy of Windows NT4. This guide references additional documents and updates that can be found in the contents section of this kit.
The information in this guide applies to:
Microsoft Windows NT Server 4.0, Enterprise Edition
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server 4.0
Step 1: Performing a Base Installation
When setting up a new system, the first step is to make sure either that the network the system will be connected to has not been compromised by security attacks, or that the system's vulnerable services are disabled before it is connected to a network that may have been compromised. For more information about how to find out whether your system or network has been compromised, see the related documents in the contents section of this kit. Choose one of the two following installation methods.
Install Windows NT 4.0 while not connected to a network. Typically this is done by using a CD-ROM.
The base install of Internet Information Server (IIS) is vulnerable to security attacks and should remain disabled or disconnected from the network until both the Windows NT 4.0 Service Pack 6a and the IIS Security Roll-up package are installed.
Install Windows NT 4.0 while connected to a network that has not been compromised.
Step 2: Securing the Base Installation
Now that the operating system is up and running, it is time to make it more secure. Depending on how your initial setup was completed in Step 1, you might be able to skip some of the following steps.
Install Windows NT 4.0 Service Pack 6a.
Information about installing Service Packs on Windows NT 4.0 can be found in How to Deploy Windows NT 4.0 SP6a with Systems Management Server 1.2 and 2.0.
You have a few choices while securing the Internet Explorer Web browser.
Install Internet Explorer 5.01 SP2 to meet the minimum requirement of the security baseline.
OR
Install Internet Explorer 5.5 SP2 if you would like to take advantage of the added functionality of this new version of the Web browser.
OR
Install Internet Explorer 6.0 SP1 and the Microsoft Knowledge Base article 810847, Cumulative Patch for Internet Explorer version 6 Service Pack 1, or greater (recommended) if you would like to take advantage of the added functionality in this new version of the Web browser.
Install either the Windows NT 4.0 Server Option Pack or the Windows NT Workstation 4.0 Option Pack if IIS is installed and running or if you plan on using it in the future. The Option Pack will upgrade the version of IIS you are running to version 4.0.
Warning: Ignore the message warning you that the Option Pack has not been tested on Service Pack 4.0 or higher.
Reinstall Windows NT 4.0 Service Pack 6a to update the files installed by the Windows NT 4.0 Option Pack.
Install the Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP, Microsoft Knowledge Base article 29944) and all baseline post-SRP security hotfixes. These must be installed after Service Pack 6a, using the following steps.
Install the Post-Windows NT 4.0 Service Pack 6a Security Rollup Package.
Install all post-SRP hotfixes. Consider using Qchain, as described in Step 5, so that only one reboot is required.
Install the IIS 4.0 Security Roll-up Package if you plan to enable those services. Remember: if you installed the operating system offline and IIS is running, then you should not connect it to the network until this step is complete.
Install Windows Media Player 6.4 patches.
Step 3: Securing the Base Installation continued
To continue securing your system, you must follow the checklists below that apply to your installation.
Microsoft Internet Information Server 4 Security Checklist
Microsoft Windows NT Server 4.0 Security Checklist
Microsoft Windows NT Workstation 4.0 Security Checklist
Step 4: Securing Internet Information Server
You now have a good baseline of security patches installed. Web servers are particularly susceptible to security attacks, and Microsoft has provided the IIS Lockdown tool to help you. Please follow this step if IIS will be running on this system.
Run the IIS Lockdown Wizard.
This tool lets you instantly configure an IIS 4.0 or 5.0 Web server for secure operation. It includes server role templates for Microsoft Exchange, Commerce Server, BizTalk, Small Business Server, SharePoint Portal Server, FrontPage Server Extensions, and SharePoint Team Server. The tool provides an Undo feature that allows the effects of the most recent lockdown to be reversed. It also screens all incoming requests to an IIS Web server and allows only those that comply with a ruleset created by the administrator to pass. This significantly improves the security of the server by helping ensure that it responds only to valid requests. The tool allows the administrator to filter requests based on length, character set, content, and other factors. A default ruleset is provided, which can be customized to meet the needs of a particular server.
Note: All SRP and post-SRP security hotfixes should be applied before and after the use of the IIS Lockdown Tool.
Step 5: Ongoing Maintenance Program
Your system has now been installed with a good security baseline, but without ongoing maintenance, your system can become vulnerable to new forms of attacks.
Use the Hfnetchk tool to assess which security fixes have been applied to the Windows NT 4.0 operating system, as well as security fixes for Internet Information Server 4.0, SQL Server 7.0, SQL Server 2000 (including Microsoft Data Engine (MSDE)), and Internet Explorer 5.01 or later.
When you run the Hfnetchk tool after installing the security baseline described above, the Hfnetchk results will show that many security fixes are not installed. This is expected: this document provides only a baseline from which to start. It is recommended that you take the necessary steps to ensure all critical security patches are installed.
You should run this tool against all the computers that you are securing on a daily basis until you are confident that all the recommended fixes have been applied. Then, you can lower the frequency. As you deploy new security fixes, you should continue to run the tool to verify and detect missing security patches.
Note: Although it does not run natively on Windows NT 4.0, consider running Microsoft's Baseline Security Analyzer (MBSA) from a Windows 2000 or XP machine to analyze multiple networked NT 4.0 machines at once. Besides revealing missing patches and updates, MBSA will look for common vulnerabilities and recommend solutions.
Subscribe to the Microsoft Security Notification Service. This is a free e-mail notification service that Microsoft uses to send information to subscribers about the security of Microsoft products.
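The following batch file is an added example of the daily Hfnetchk assessment described above; it is not part of the kit. It assumes Hfnetchk.exe and a file of target computer names (hosts.txt, one name per line) are in C:\tools, that the account running it is an administrator on each target, and that the switches shown are those documented for the Hfnetchk version in use (confirm with hfnetchk -? if in doubt).

```batch
@echo off
rem Added example (not from the kit): scan the computers listed in hosts.txt
rem for missing security fixes and keep a tagged report for comparison.
rem Usage: checkfixes.cmd <tag>   e.g. checkfixes.cmd day01
rem A tag is taken as a parameter because NT 4.0 cmd.exe has no %DATE% variable.
if "%1"=="" goto usage
setlocal
set TOOLS=C:\tools
if not exist %TOOLS%\hfnetchk.exe goto notool
if not exist %TOOLS%\hosts.txt goto nohosts

rem -fh : read the target host names from a file (one per line)
rem -v  : verbose; state why each fix is reported as missing
rem -f  : write the report to a file instead of the console
%TOOLS%\hfnetchk.exe -fh %TOOLS%\hosts.txt -v -f %TOOLS%\report-%1.txt

echo Report written to %TOOLS%\report-%1.txt
echo Compare it with the previous report to confirm newly deployed fixes
echo are now detected and no machine has regressed.
endlocal
goto end

:usage
echo Usage: %0 ^<report-tag^>
goto end
:notool
echo Hfnetchk.exe not found in %TOOLS%
goto end
:nohosts
echo hosts.txt not found in %TOOLS%
:end
```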
Use the Microsoft Update Web site to check for the latest Recommended and Critical updates.
As new security fixes become available, it is important to apply these new fixes. Microsoft has created the Qchain tool to chain hotfixes together in order for only one reboot to be required when installing several fixes.
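The batch file below is an added example (not code from the kit) of chaining several post-SRP hotfixes with Qchain so that only one reboot is needed, as called for in Step 2 and here. The hotfix file names are placeholders; substitute the actual hotfix executables downloaded for your system, and keep qchain.exe as the last command.

```batch
@echo off
rem Added example (not from the kit): install several NT 4.0 hotfixes with one reboot.
rem Placeholders: the Q_PLACEHOLDER*_i.exe names stand for the real post-SRP
rem hotfix packages; PATHTOFIXES is where they were downloaded.
setlocal
set PATHTOFIXES=C:\hotfix
if not exist %PATHTOFIXES%\qchain.exe goto noqchain

rem Each hotfix is run with:
rem   -z : do not restart after this hotfix (one restart at the end instead)
rem   -m : unattended (quiet) mode, so the chain runs without prompts
%PATHTOFIXES%\Q_PLACEHOLDER1_i.exe -z -m
%PATHTOFIXES%\Q_PLACEHOLDER2_i.exe -z -m
%PATHTOFIXES%\Q_PLACEHOLDER3_i.exe -z -m

rem Qchain must run last: it reconciles the pending file replacements queued
rem by the hotfixes so that the newest version of each file is the one kept.
%PATHTOFIXES%\qchain.exe

echo Hotfixes installed. Restart the computer once to complete installation,
echo then run Hfnetchk to verify that the fixes are detected.
endlocal
goto end

:noqchain
echo qchain.exe not found in %PATHTOFIXES%; hotfixes were not installed.
:end
```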