Microsoft Security Tool Kit: Securing an Existing Windows NT 4.0, Terminal Server Edition System
For the purposes of this guide, we are assuming that the existing installation has not been compromised. In the case in which a system has been compromised, you need to follow the recommendations for fixing that system before you can begin the following baseline steps. For more information about how to find out if your system or network has been compromised, click here. This guide references additional documents and updates that can be found in the contents section of this kit.
On This Page
Step 1: Determining the Current State
Step 2: Securing the System
Step 3: Securing the System (continued)
Step 4: Ongoing Maintenance Program
Step 1: Determining the Current State
It is often difficult to determine the current state of an existing installation. Besides knowing which individual patches have been applied, you need to know which services are running.
Internet Information Server (IIS) 3.0 is vulnerable to security attacks and should not be installed on Windows NT Server 4.0, Terminal Server Edition. Also, IIS 4.0 is not supported on Windows NT Server 4.0, Terminal Server Edition. It is recommended to use a separate server to run IIS services.
It is important to identify which applications and service packs are running on the system. Microsoft specifically recommends that you identify which level of service packs you are running on the operating system and Internet Explorer.
Step 2: Securing the System
With your operating system up and running, it is time to make it more secure. Depending on the state of your system, (determined in Step 1) you might be able to skip some of the following steps.
Install Windows NT Server 4.0, Terminal Server Edition Service Pack 6.
Information about installing service packs on Windows NT 4.0 can be found in the article How to Deploy Windows NT 4.0 SP6a with Systems Management Server 1.2 and 2.0.
Install Windows NT Server 4.0, Terminal Services Edition Security Rollup Package (SRP)
You have a few choices when securing the Internet Explorer Web browser.
Install IE 5.01 SP2 to meet the minimum requirement of the security baseline.
OR
Install IE 5.5 SP2 if you would like to take advantage of the added functionality of this new version of the Web browser.
OR
Install Internet Explorer 6.0 SP1 and the Microsoft Knowledge Base article 810847, Cumulative Patch for Internet Explorer 6 Service Pack 1, or greater (recommended) if you would like to take advantage of the added functionality in this new version of the Web browser.
Install all critical security hotfixes since Terminal Services Edition SRP. Microsoft has created the Qchain tool to chain hotfixes together in order for only one reboot to be required when installing several fixes.
Install theInstall Windows Media Player 6.4 patches.
Step 3: Securing the System (continued)
Terminal Server was designed to host many applications that would not usually be installed on a typical server. For this reason, you need to give extra attention to securing the individual applications.
For information regarding installing and deploying Microsoft Office applications, see the Microsoft Office Resource Kit Web Site .
For information about installing and securing non-Microsoft applications, refer to your application documentation.
To continue securing your system, you must follow the checklists below that apply to your installation.
Windows NT 4.0 Server Baseline Security Checklist
Windows NT 4.0 Workstation Baseline Security Checklist
Step 4: Ongoing Maintenance Program
Your system has now been installed with a good security baseline, but without ongoing maintenance, your system can become vulnerable to new forms of attacks.
Subscribe to the Microsoft Security Notification Service. This is a free email notification service that Microsoft uses to send information to subscribers about the security of Microsoft products.
Use the Microsoft Update Web site to check for the latest Recommended and Critical updates.
As new security fixes become available, it is important to apply these new fixes. Microsoft has created the Qchain tool to chain hotfixes together in order for only one reboot to be required when installing several fixes.