Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Chapter 1: Introduction
Interest and investment in secure computing systems have escalated and changed a great deal over the last ten years. Some factors in this shift might have been predicted, but several—including the widespread use of the Internet, the broad deployment of always-on broadband connections, and the increasing use of personal computer-based hardware in environments as diverse as retail stores, cars, and entertainment devices—would have been extremely difficult to foresee. One such issue is the fact that organizations today are using earlier versions of the Microsoft® Windows® operating system that now face security threats that did not exist—and could not reasonably have been foreseen—when those versions of Windows were designed years ago.
Newer versions of Windows offer significantly increased security because they have been designed to protect against the kinds of threats common in today's computing environments. Microsoft recommends that you upgrade client and server operating systems to these newer versions to improve their security and the security of the networks to which they belong. However, the use of earlier versions of Windows in widely deployed business applications (such as point-of-sale and store management systems and branch office desktop clients) means that not all organizations can easily and quickly upgrade their systems. Those organizations with large numbers of custom applications running on earlier versions of Windows are especially challenged, because the applications themselves need updating — which is not always easy or even possible in some cases.
For organizations that are not able to immediately update all of their older systems, this guidance provides prescriptive information and test plans for strengthening the security of (or hardening) clients and servers running earlier versions of Windows. This guidance is designed to protect these systems to the greatest degree possible while migration plans are put into place.
By following the recommendations here, you will be able to reduce risks to deployed systems. It is important to keep in mind that many significant security features and improvements in later versions of Windows will still not be available. This strategy provides improved protection now, giving owners of older systems the time to consider the best migration strategy for future deployments. However, this guidance is no substitute for a properly designed migration to more secure versions of Windows.
The Business Challenges
Many organizations depend absolutely on the integrity and availability of their information systems. Security is not typically considered a core business function, but it is important precisely because the real core business functions of an organization depend on it. The key business challenges that enterprises face include:
Guarding systems and data against targeted or random attacks. Many attacks are more or less random, but that does not make them any less dangerous. Modern business operations have to be able to protect important assets by quantifying what the assets are worth and what threatens them.
Improving security while maintaining compatibility and controlling cost. IT managers often view the process of improving system security as a battle among compatibility, implementation and maintenance cost, and improved security. For older systems, compatibility often outweighs security. Security changes that break older applications may have an immediate, and serious, impact on business productivity and service quality. However, organizations must counterbalance this against the risk of not adequately securing important assets. To correctly balance these conflicting imperatives, it is important to view security holistically, not just as a goal that can be achieved via a few check boxes or button clicks.
Providing flexible protection to end users. In many environments, it is difficult to achieve adequate security, because security measures inevitably conflict with user convenience. Highly managed desktop systems offer good security at the expense of some user flexibility; older desktop operating systems are much less manageable and, hence, harder to secure.
Justifying security costs. It is very difficult to quantify the actual financial cost of not implementing adequate security until after a compromise occurs. In this regard, security expenses can be thought of as insurance. However, as with insurance, the cost has to be carefully weighed against the benefits and level of protection offered, especially because the end date for regular support of these operating systems is rapidly approaching.
The Business Benefits
Improving the security of your older systems can lead to some direct business benefits. These benefits include:
Better protection. Microsoft Windows NT® 4.0 and Windows 98 do not support many of the security features developed for Windows 2000, Microsoft Windows Server™ 2003, and Windows XP, but most organizations that have older operating systems deployed are not even making use of all of the protections in the software they already have. Taking full advantage of these features can greatly improve protection when compared to using only the baseline installations of these operating systems.
Better security for less money. In large part, you can implement the recommendations in this guidance with no additional software or licensing costs, yet they offer a significant increase in security. The cost/benefit ratio for the changes described in this guidance is very high.
The ability to secure existing systems without breaking anything. Preserving application compatibility is important, but so is strengthening security. Careful application of the recommendations in this guidance will provide improved security and continued compatibility.
Who Should Read This Guidance
The intended audience for this guidance includes architects, IT managers and administrators, technical decision makers, and consultants involved in securing an infrastructure in which Windows NT 4.0 and Windows 98 operating systems are still in production use.
Note: This guidance applies only to Windows 98 SR2 and Windows NT 4.0 Workstation and Server. Other versions of Windows (including Windows NT version 3.1 and 3.51, Windows 95, Windows Me, and Windows 3.11) are not covered by the prescriptive material herein.
The following knowledge and skills are prerequisite for administrators or architects charged with developing, deploying, and securing installations of Windows NT version 4.0 and Windows 98 in an enterprise:
MCSE certification for Windows NT, Windows 2000, or Microsoft Windows Server 2003 with two or more years of security-related experience.
In-depth knowledge of the corporate domain structure (including the Microsoft Active Directory® directory service, if it has been deployed).
Use of Windows management tools, including the Windows NT system policy editor (Poledit), the Microsoft Management Console (MMC), and the Security Configuration Manager (SCM).
Experience deploying applications and workstations in enterprise environments.
Familiarity with applications unique to your individual enterprise environment.
This guidance describes the process of hardening networks and computers in environments with computers that run earlier versions of the Windows operating system. Organizations may have a variety of different combinations of computers running Windows NT 4.0 (Workstation, Server, and Advanced Server) and Windows 98, with or without later versions of Windows clients or servers. This guidance focuses on the protective measures you can apply to Windows NT 4.0 Workstation and Windows 98 clients and Windows NT 4.0 member servers in an Active Directory directory service domain environment to improve their security.
This guidance comprises eight chapters, grouped into two sections. The first section consists of two chapters, Chapter 1, "Introduction," and Chapter 2, "Applying the Security Risk Management Discipline to the Trey Research Scenario," both of which are intended for executives and IT management at all levels.
Chapter 1: Introduction
This chapter provides an executive summary, introduces the business challenges and benefits surrounding improving the security of older systems, suggests the recommended audience for the guidance, lists the reader prerequisites, and provides an overview of the chapters and solution scenarios in the guidance.
Chapter 2: Applying the Security Risk Management Discipline to the Trey Research Scenario
This chapter details a company scenario that is used to develop the recommendations in this guidance and explains how an IT generalist would assess the security risks and vulnerabilities of a network infrastructure. Trey Research, the fictitious company in the scenario, has its headquarters in Seattle and field offices in several states throughout the country. The chapter also describes how IT generalists can identify and prioritize their individual organizations' risks and vulnerabilities to generate security requirements that can drive an action plan to mitigate security threats.
The second section of the guidance contains six chapters of prescriptive information for IT administrators and technical managers. Each chapter begins with a discussion of design principles and options before covering the specific hardening measures chosen for the target scenario for this guidance.
Chapter 3: Network Security and Hardening
This chapter describes network security vulnerabilities and the process of hardening network components (including client and server computers) against these vulnerabilities. The chapter addresses network segmentation, Transmission Control Protocol/Internet Protocol (TCP/IP) stack hardening, and the use of personal firewalls for client protection.
Chapter 4: Hardening Windows NT 4.0
This chapter explains how to harden Windows NT 4.0 (Workstation and Server) by establishing a baseline for the system and then applying specific hardening measures. It describes the importance and methods of physical security and procedures and methods for applying security policies to file, print, Web, and application servers. The chapter discusses the inherent compromises in various security approaches and concludes by describing in detail the most advantageous hardening policies for Trey Research.
Chapter 5: Hardening Windows 98
This chapter explains how to harden Windows 98 clients and applications, and describes methods for applying patches, updates, and security policies to computers running Windows 98.
Chapter 6: Patch Management
One of the main ways to guard against attack is to ensure that your environment is kept up to date with all the necessary security patches. Patches are required at the server and client levels. This chapter shows you how to ensure that you find out about new patches in a timely manner, implement them quickly and reliably throughout your organization, and monitor your systems to ensure that they are deployed everywhere. It describes the compromises involved in patch management implementations and concludes with a detailed description of the Trey Research patch management system.
Chapter 7: Antivirus Protection
This chapter describes the importance of antivirus software and policies and the security and supportability of client-based and server-based antivirus solutions.
Chapter 8: Conclusion
This chapter closes out the guidance by providing a brief summary of the hardening processes that have been discussed.
Tools and Templates
The Tools and Templates provided with this guide are used in the “Configuring Windows NT 4.0 IP Tuning Parameters” section in Chapter 3, “Network Security and Hardening.” They comprise the following registry files:
AFD_Params.reg. A registry file that applies registry settings specific to the AFD service for computers running Windows NT 4.0 Server.
DisableDCOM.reg. A registry file that disables the DCOM service on computers running Windows NT 4.0 Server.
NT4WS_AFD_Params.reg. A registry file that applies registry settings specific to the AFD service for computers running Windows NT 4.0 Workstation.
NT4WS_TCP_Params.reg. A registry file that applies registry settings specific to the TCP service for computers running Windows NT 4.0 Workstation.
TCP_Params.reg. A registry file that applies registry settings specific to the TCP service for computers running Windows NT 4.0 Server.
These files are REGEDIT4-formatted files that can be used as a template for settings that you apply manually by using Registry Editor on the relevant computer. They can also be applied directly to a specific computer simply by double-clicking them. The files include all the registry keys, subkeys, and values required to secure the computer accordingly.
Caution: Double-clicking a .reg file alters your registry as soon as you confirm the prompt. Where needed, you can edit the .reg file with Notepad first, for example, if you need to change a path or string value.
The solution revolves around Trey Research, an environmental engineering firm headquartered in Seattle. Trey has about 55 servers and 500 employees spread among its offices in Georgia, Florida, Arizona, Pennsylvania, and Washington state. The Trey Research servers host a number of custom applications, including ones for controlling laboratory test and measurement equipment, database applications built on Microsoft SQL Server™, and collaboration applications built on Microsoft Exchange version 5.5. Perimeter network security is provided by a hardware firewall/router combination. Antivirus software is deployed on some computers, but not uniformly.
End users use their computers for office productivity applications, Internet access, e-mail, remote access to specialized services (including the Chemical Abstracts Service), and remote control of measurement and laboratory equipment. The custom applications that Trey’s employees use range from Web-based Active Server Page (ASP) applications to applications built on top of FoxPro for Microsoft MS-DOS® and Microsoft Access 95. In some cases, the original source code for the application has been lost, so porting the applications would be impossible without completely starting over.
Figure 1.1 shows a portion of Trey’s network, illustrating the Windows Server 2003 domain controllers and selected client and member server resources.
Active Directory Design
Trey's original network design was built around several Windows NT 4.0 domains, with a mix of Windows 98 SR2 and Windows NT Workstation clients. Over time, Windows 2000 and Windows XP clients were introduced; the company currently has a combination of Windows 98 SR2, Windows NT Workstation 4.0, Windows 2000, and Windows XP.
Although many of the workstations and servers that run Trey’s specialized analysis and control applications cannot be upgraded without substantial effort, Trey’s IT staff realized that moving its domain infrastructure to Windows Server 2003 would immediately provide them with better security and reliability for domain logon services, Dynamic Host Configuration Protocol (DHCP), Windows Internet Naming Service (WINS), and Domain Name System (DNS), along with the possibility of using Active Directory Group Policy objects (GPOs) for policy application on Windows 2000 and Windows XP clients. Accordingly, Trey's current environment features a single Windows Server 2003 Active Directory domain with Windows Server 2003 infrastructure servers. Other network components remain on Windows NT 4.0 Server. Because Windows Server 2003 domain controllers can emulate Windows NT domain controller functionality, the existing clients are able to function in an Active Directory environment.
Business Justification for Using Windows NT
Trey Research is currently planning a major re-engineering of its business processes and systems in an effort to become more competitive. This re-engineering involves examining every aspect of the company's business systems, including network design and workstation and server configurations. Until that process is completed, Trey’s management is unwilling to invest in upgrading hardware, software, or operating systems except in exceptional cases. The increased security gained from an immediate migration of domain and infrastructure servers to Windows Server 2003 was one such exceptional case, which is why it was approved. For the broader portfolio of applications, though, Trey is working to identify an application migration strategy that fits its business requirements. Because hardware is not being upgraded, many of the benefits that end users might see from upgrading to Windows XP on the desktop cannot be fully realized, slowing demand for upgrades. This process is further complicated by the fact that Trey does not have source code for all of the applications that they use, meaning that Trey is not able to fix all applications that fail when the underlying operating system is upgraded.
Supporting This Guidance in Your Environment
The scenario presented in this guidance was designed to reflect what many Microsoft customers are using in production. The recommendations presented here were tested in a configuration that replicates the Trey configuration scenario; because your own organizational configuration may differ, you should carefully examine the recommendations to ensure that they are appropriate for your environment. As you prepare to make changes to secure your environment, you should keep the following principles in mind:
It is very important when making security-related configuration changes to maintain documentation on what settings are being modified by a given script, policy, or template being applied. Before you apply any settings changes to your computers, ensure that you have documented the current state and what changes you are applying.
Applying broad, sweeping security changes to a production Windows network can result in a situation where it is very difficult to determine which configuration changes are the root cause of newly appearing problems. Your deployment strategy should call for applying changes in multiple stages, deploying each new change to small groups of computers. This approach helps limit the scope of problems if they do occur.
Your deployment plans should not apply a large number of security changes in a single increment. Instead, you should divide the security changes into logical groupings and then deploy these changes discretely using separate policies, scripts, or templates.
Your deployment plans should include provisions for rolling back changes if they cause problems. Rollback plans should provide for two contingencies: quick recovery by reverting to the previous settings, and reversion of a subset of computers to verify that the security change did in fact cause the problem. Rollback plans should be tested alongside the deployed changes in the test environment prior to any deployment of the changes to the production network.
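As an added example (not one of the guide's tools), the following Python script parses a REGEDIT4-format .reg template like the ones listed under Tools and Templates, compares it with a documented snapshot of the current registry values, and emits both a change list and a rollback .reg file, the two artifacts the deployment principles above call for. The TCP/IP parameters key is real, but the value names and the current values are constructed placeholders, not the guide's settings.

```python
import re

# Constructed REGEDIT4 template in the shape of the guide's .reg files;
# the value names are illustrative placeholders, not the guide's settings.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"ExampleTcpSetting"=dword:00000002
"ExampleNewSetting"=dword:00000001
"ExampleRemovedSetting"=-
"""

# Constructed snapshot of the current values, documented before the change.
TCPIP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
CURRENT = {TCPIP_KEY: {"ExampleTcpSetting": 0, "ExampleRemovedSetting": 5}}

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse REGEDIT4 text into {key: {name: int | None}}; None = delete.
    Only dword values are handled, which is all this template uses."""
    if not text.lstrip().startswith("REGEDIT4"):
        raise ValueError("not a REGEDIT4 file")
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            result.setdefault(key, {})
            continue
        m = VAL_RE.match(line)
        if not m or key is None:
            continue  # blank line, header, or a value before any key
        name, raw = m.groups()
        if raw == "-":
            result[key][name] = None
        elif raw.startswith("dword:"):
            result[key][name] = int(raw[6:], 16)
    return result


def plan_changes(template, current):
    """Return (changes, rollback): changes = [(key, name, before, after)] for
    values the template alters; rollback = REGEDIT4 text restoring them."""
    changes, rollback = [], ["REGEDIT4", ""]
    for key, values in template.items():
        before_map = current.get(key, {})
        rollback.append(f"[{key}]")
        for name, after in values.items():
            before = before_map.get(name)
            if before == after:
                continue  # already in the desired state: nothing to change
            changes.append((key, name, before, after))
            if before is None:
                rollback.append(f'"{name}"=-')  # value did not exist: delete it
            else:
                rollback.append(f'"{name}"=dword:{before:08x}')
        rollback.append("")
    return changes, "\n".join(rollback)
```

Review the returned change list against your documentation before applying the template, and keep the rollback text as the .reg file you would double-click to revert the pilot group.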