Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Chapter 2: Applying the Security Risk Management Discipline to the Trey Research Scenario

Published: September 13, 2004 | Updated: March 30, 2006


On This Page

Introduction
Scenario Detail
Applying the Security Risk Management Discipline
Assessing Risks
Making Risk Decisions
Summary

Introduction

This chapter describes the fundamentals of how to apply a structured and repeatable method of risk analysis for information systems. A thorough risk management process should be established in all organizations to assess where the expenditure of time and effort to secure systems will provide the best security and return on investment (ROI).

The first step toward improving the security of older applications and clients on business networks is to conduct a thorough analysis of the threats and risks associated with the environment, applications, users, and network. Microsoft recommends that every network be analyzed with a well-defined process such as the Microsoft Security Risk Management Discipline (SRMD). SRMD provides a structured, repeatable process for evaluating the assets that an organization has, risks that threaten them, vulnerabilities that may allow an attacker to steal or damage the assets, and countermeasures that can be applied to mitigate or transfer the risks.

A complete discussion of SRMD is outside the scope of this guidance, but it is sufficient to know that SRMD provides a framework for identifying assets, quantifying their value, and identifying and quantifying threats that those assets face so that organizations can make sound decisions about appropriate and cost-effective security activities.

Note   For more detailed information on SRMD, see the references in the "More Information" section at the end of this chapter.

Scenario Detail

Trey Research specializes in wastewater analysis, monitoring, and treatment. Trey maintains its headquarters in Seattle and has field offices in Georgia, Florida, Arizona, and Pennsylvania. Trey has a total of just under 500 employees comprised of field workers, lab technicians, and scientists, along with a few administrative personnel.

Trey Research customers include local and state governments who need specialized assessment services (such as measuring mercury levels in groundwater); construction companies who need to perform site tests before, during, and after construction; industrial and manufacturing companies that need ongoing monitoring of their facilities; and others who need emergency environmental monitoring or cleanup. The data that Trey gathers and the analysis that results is often financially or legally sensitive. When Trey engineers are asked to be expert witnesses, there are specific chain-of-evidence requirements that must be met for the life cycle of the data they gather.

Field workers keep paper logs of measurements, which they manually enter when they come back to their offices. A few of the engineers use mobile computers with Microsoft® Windows® 98 to enter data directly while in the field, but this analysis system is specific to a few of Trey’s largest customers.

During the last three years, Trey has been growing at approximately 20 percent per year. This growth rate finally prompted the company’s CEO to hire an IT director to build and supervise a plan for modernizing their information systems. The IT director began in late 2003, and the first job was to perform a risk analysis to better understand the value of the company’s computing assets and the vulnerabilities that they faced. As a result of this analysis, Trey made a number of very rapid changes to its IT environment. The first significant change was upgrading the domain structure to the Microsoft Active Directory® directory service and Microsoft Windows Server™ 2003. This upgrade provided an immediate security increase for domain accounts and made it possible to apply additional Group Policy controls to sensitive computers like those used by executives and their staffs. In addition, the company accelerated its technology modernization plan so that initial deployment of its new analysis and collection system (based on Windows XP and Windows XP Tablet PC Edition) will begin earlier than planned.

However, Trey also chose to invest in hardening its existing systems to reduce the risk of data loss or compromise between now and the time that the new system is fully deployed. The CEO has given the IT director one month to identify, prioritize, and mitigate the most immediate threats and to investigate the upgrading of the company's Microsoft Windows NT® 4.0 systems. Although this is a short time, Trey takes the security threats involved very seriously and is acting aggressively to protect itself as much as possible.

Network

The recommendations and settings described in this document were tested on a simulation of the Trey network, configured as shown in the following figure:


Figure 2.1 Network testing subset of the Trey Research network

Active Directory Design

Trey Research maintains a single Active Directory domain for the organization. It chose this structure because it offers ease of maintenance and good control. All field offices are connected to Trey’s headquarters through leased private lines, so there is no need to build subdomains for individual branch offices.

Business Requirements

Trey has five primary business requirements related to the security of the company's systems and networks:

  • Maintain the integrity of systems against compromise by outside attackers. Meeting this requirement means hardening the network against penetration, improving auditing and logging, and reducing the systems' vulnerability to widely known exploits.

  • Maintain normal business operations after all security measures are in place. Much of the analysis work performed is time-sensitive, so frequent or lasting interruptions would be unacceptable.

  • Maintain confidentiality of information where necessary. Some of the information that Trey manages is extremely sensitive, and the company wants to avoid potential liability resulting from disclosure.

  • Provide increased protection against malicious code on the network. Trey has a fairly liberal acceptable use policy, so many users are accustomed to downloading and installing software on their own. This situation has led to security and performance problems in the past. One goal of the hardening is to make the company's systems less vulnerable to downloaded malware (malicious software).

  • Provide an automated method of auditing and distributing security patches.

Applying the Security Risk Management Discipline

The goal of the SRMD is to provide a way to quantify risks and then reduce those that are within the organization's control to mitigate. To do this, the SRMD defines risk management as an ongoing process with four primary stages as shown in the following figure:

  1. Assessing Risk. Identify and prioritize risks to the organization. These risks may or may not be associated with specific IT systems or assets.

  2. Conducting Decision Support. Identify and select control solutions based on a defined cost-benefit analysis process.

  3. Implementing Controls. Deploy and operate holistic control solutions to reduce risk to the organization.

  4. Measuring Program Effectiveness. Determine and report on the effectiveness of deployed controls to manage risk to an acceptable level.


Figure 2.2 The SRMD cycle

The Security Risk Management Guide describes SRMD in detail. The Trey IT staff reviewed the SRMD material and developed a plan to do the following:

  1. Assess the risks, a three-step process that requires Trey to build a plan for evaluating risks, gather data about the actual degree of risk and the organization's vulnerability therein, and prioritize those risks in order of severity and cost.

  2. Use the risk assessment to make decisions about specific controls to apply based on the actual degree of risk present.

  3. Implement the selected controls. The remaining chapters of this guide are dedicated to discussing controls that can be applied to mitigate specific types of risks.

  4. Evaluate the effects of the applied controls on the risk and on the organization's environment.

This chapter will focus on the first two steps and explain how the Trey IT staff adapted the SRMD to its environment to help the company begin the SRMD-driven process of risk management. The remaining chapters will focus on the third step, applying the actual controls.

Assessing Risks

The first significant step that Trey must take to commence its security hardening process is to assess the risks and threats the company actually faces. This process required Trey to link together several separate steps:

  1. Identify the roles and function of each class of computers on the network.

  2. Map the communications among different roles. For example, application servers need to communicate with domain controllers and with user workstations. This mapping should pinpoint the protocols, ports, and traffic patterns used for these communications.

  3. Identify potential threats that can exploit the computers in various roles.

  4. Determine the probability or likelihood that particular threats may apply to a given role.

Identifying Roles

For most networks, the process of identifying the roles filled by computers on the network is straightforward. By consulting the physical inventory of systems owned by the company, the Trey IT department was able to generate the data in the following table, which lists the key roles in use on its network, the operating systems used for those roles, and the location and hardware types commonly found in those roles. All of this information is pertinent to the threat modeling process.

Table 2.1: Trey Computer Roles

| Role | Operating systems used in role | Location | Hardware type |
|---|---|---|---|
| Application / Web server | Windows NT 4.0 | HQ | Conventional server |
| Dynamic Host Configuration Protocol (DHCP) servers | Windows Server 2003 | HQ, field offices | Conventional servers |
| Domain Name System (DNS) servers | Windows Server 2003 | HQ | Conventional servers |
| Domain controller | Windows Server 2003 | HQ, field offices | Conventional server |
| Executive mobile computers | Windows 2000, Windows XP | Mobile | Mobile computers |
| Executive/special purpose workstations | Windows XP | HQ | Conventional desktops |
| Field engineer systems | Windows 98 | Mobile | Mobile computers |
| File/print server | Windows NT 4.0 | HQ, field offices | Conventional server |
| Messaging server | Windows NT 4.0 | HQ | Conventional server |
| Special-purpose control systems | Windows NT 4.0, some Windows 98 | Field offices | Mix of conventional servers and desktops |
| User workstations | Windows 98, some | HQ, field offices | Conventional desktop |

Mapping Communications

After the computer roles have been identified, it is possible to begin determining what kind of network communications take place among different roles. This determination makes it possible for you to specify which types of traffic should and should not be permitted between your network as a whole and those segments that contain computers running older versions of the Windows operating system.

Modeling the Network

Modeling the network is very simple. The Trey engineers merely took a diagram of their existing network and used it as the basis for their network map. Such maps should indicate the physical location, network address, and operating system type of each computer on the network. Ideally, they should also visually indicate the location of routers and firewalls and how the network is segmented.

Adding Data Flow Information

After you have a network map, the next step is to superimpose information about the flow of data on it. This is commonly done by using the Yourdon-DeMarco data flow diagram (DFD) method, which indicates data flowing between systems or objects by directed lines. Each line can be labeled with the port number or protocol in use. The result is a diagram that shows the flow of communications between each set of roles. This diagram makes it very simple to configure firewalls and port/packet filters to allow only specified traffic types. Also, data flow information can easily be used in the future to construct Internet Protocol security (IPsec) filter rules for organizations that have Windows 2000, Windows XP, and Windows Server 2003 deployed.
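The following script is an added example, not code from the guide, showing how the labelled arrows of a data-flow diagram become the rule set for a filter placed between network segments. The role names are the ones in Table 2.1; the segment assignments, the flows and the port numbers are assumptions made for the illustration rather than Trey's actual diagram, and the sample of observed traffic at the end is constructed. The script collapses role-to-role flows into inter-segment allow rules, then checks observed connections against that default-deny rule set:

```python
"""Data-flow model for a role-based network map, and the allow-list a filter
between segments needs in order to pass only the modelled traffic.

Added example, not code from the original guide. Role names are from
Table 2.1; segments, flows and ports are assumptions for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # role that initiates the connection
    dst: str    # role that accepts it
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# Assumed: which segment each role sits on. The older systems are kept
# apart from the Windows Server 2003 infrastructure and the managed clients.
SEGMENT_OF = {
    "User workstations": "legacy-clients",
    "Field engineer systems": "legacy-clients",
    "Executive/special purpose workstations": "managed-clients",
    "Domain controller": "infrastructure",
    "DNS servers": "infrastructure",
    "DHCP servers": "infrastructure",
    "File/print server": "legacy-servers",
    "Messaging server": "legacy-servers",
    "Application / Web server": "legacy-servers",
}

# Assumed DFD edges (simplified): each entry is one labelled arrow.
FLOWS = [
    Flow("User workstations", "DHCP servers", "udp", 67),          # address lease
    Flow("User workstations", "DNS servers", "udp", 53),           # name lookup
    Flow("User workstations", "Domain controller", "tcp", 139),    # logon, NetBIOS session
    Flow("User workstations", "File/print server", "tcp", 139),    # SMB over NetBIOS
    Flow("User workstations", "Messaging server", "tcp", 25),      # SMTP
    Flow("User workstations", "Messaging server", "tcp", 110),     # POP3
    Flow("Field engineer systems", "Application / Web server", "tcp", 80),
    Flow("Executive/special purpose workstations", "DNS servers", "udp", 53),
    Flow("Executive/special purpose workstations", "Domain controller", "tcp", 445),
    Flow("Executive/special purpose workstations", "Application / Web server", "tcp", 80),
    Flow("Application / Web server", "Domain controller", "tcp", 139),
]


def allow_rules(flows, segment_of):
    """Collapse role-to-role flows into the rules a filter between segments
    must carry. A flow that stays inside one segment never crosses the
    filter and so yields no rule. Returns sorted, de-duplicated
    (src_segment, dst_segment, proto, port) tuples."""
    rules = set()
    for f in flows:
        src_seg, dst_seg = segment_of[f.src], segment_of[f.dst]
        if src_seg != dst_seg:
            rules.add((src_seg, dst_seg, f.proto, f.port))
    return sorted(rules)


def is_permitted(rules, segment_of, src_role, dst_role, proto, port):
    """Would the default-deny inter-segment filter pass this connection?
    Traffic that does not leave its segment is never filtered."""
    src_seg, dst_seg = segment_of[src_role], segment_of[dst_role]
    return src_seg == dst_seg or (src_seg, dst_seg, proto, port) in rules


def audit(observed, flows, segment_of):
    """Observed (src_role, dst_role, proto, port) tuples the derived rule
    set would block: each is a missing arrow on the DFD or traffic that
    should not exist, and must be resolved before the rules are deployed."""
    rules = allow_rules(flows, segment_of)
    return [obs for obs in observed if not is_permitted(rules, segment_of, *obs)]


# Constructed sample of traffic seen on the wire, not a real capture.
OBSERVED = [
    ("User workstations", "File/print server", "tcp", 139),       # modelled: passes
    ("Executive/special purpose workstations", "DNS servers", "udp", 53),  # modelled: passes
    ("Field engineer systems", "Domain controller", "tcp", 139),  # not modelled, but passes:
                                                                  # same segment pair and port
    ("File/print server", "User workstations", "tcp", 139),       # reversed direction: blocked
    ("User workstations", "Domain controller", "tcp", 3389),      # unexpected port: blocked
    ("Messaging server", "File/print server", "tcp", 139),        # same segment: never filtered
]

if __name__ == "__main__":
    for rule in allow_rules(FLOWS, SEGMENT_OF):
        print("allow %-16s -> %-16s %s/%d" % rule)
    for blocked in audit(OBSERVED, FLOWS, SEGMENT_OF):
        print("BLOCKED", blocked)
```

Two things the run shows that the diagram alone does not. A flow between two roles on the same segment never produces a rule, because a filter between segments never sees it, so segregating the older computers only helps against traffic that crosses the boundary. And a connection that was never drawn (a field engineer system reaching a domain controller on tcp/139) still passes, because the rule is written at segment granularity rather than per role. Anything the audit reports is either an arrow missing from the diagram or traffic that should be removed, and that decision has to be made before the rule set goes onto a router or personal firewall.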

Identifying and Modeling Threats

A threat model is an attempt to enhance the security of a distributed system by producing an inventory of all of the threats posed to the system, regardless of origin. The underlying idea is that the more threats you can identify, the easier it becomes to decide which to mitigate and which to rule out. A threat can be ruled out because mitigation is not possible, because it is too difficult or expensive, or because the threat is not significant or likely enough to be worth mitigating. A basic principle when creating the threat model is to enumerate all of the realistic threats, including ones that you know have already been protected against: discussing a threat that already has a defense sometimes reveals similar or tangential attacks that do not.

Identifying Threats

After the Trey IT engineers built a map of their network indicating the roles present on the network and the communication methods used between computers in and among the various roles, they were prepared to begin identifying and prioritizing specific threats. These threats can be separated into several categories:

  • Threats to the physical security or integrity of computers. These threats include fire, flooding, loss of electrical power, accidental or intentional physical damage, and compromises caused by unauthorized physical access.

  • Denial-of-service (DoS) attacks involving individual computers, infrastructure services, or the network itself.

  • Execution of malicious code, including viruses, worms, and Trojan horses.

  • Unauthorized disclosure of sensitive information through network monitoring, account compromise, or other means.

  • Compromises caused by loss of control over user or privileged accounts (including those caused by weak passwords, inadequate controls on privileged accounts, failure to follow security procedures, or inadequate auditing).

Each category of threats contains a variety of individual threats, some of which have already been mitigated and some that are very difficult to effectively mitigate in the Trey environment. Each of the following sections describes a class of threats and the measures available to Trey to mitigate them. Note that in many cases, the listed mitigation measures are only partially effective. Only measures available in Windows NT 4.0 or Windows 98 are shown; more effective measures are available in newer releases of Windows.

Physical Security Threats

The following table shows the key physical security threats that Trey identified for its networks. Most of these threats arise from factors that are outside of the company's control and can only be effectively mitigated by establishing disaster recovery and business continuance policies, which are outside the scope of this guidance.

Note   The "Impact and scope" and "Likelihood" columns in the following tables represent the Trey IT department's best estimate of the nature, scope, and probability of each specified threat. The specific values of these columns may vary widely between organizations.

Table 2.2: Physical Security Threats and Mitigations

| Threat | Details / attack vector | Impact and scope | Likelihood | Available mitigations |
|---|---|---|---|---|
| Environmental damage | Fire, flood, weather, or other external environmental factors. | High / entire network | Low | Insurance; disaster recovery and business continuance plans. |
| Temporary loss of infrastructure services | Loss of wide area network (WAN) / Internet connectivity, power, cooling, or other critical infrastructure service not provided by Trey. | Medium / entire network | Medium | These outages tend to be short-term. |
| Physical damage to key computers | Accidental or purposeful damage. | Medium / single machine | Low | Backups; physical access controls for sensitive computers. |

Denial-of-Service Threats

DoS threats involve the loss of access to network services or computers because of an intentional attempt to block or overwhelm network equipment or computers with bogus traffic. These threats are normally mitigated at the network perimeter. The following table shows the key DoS threats that Trey identified as significant for its networks.

Table 2.3: Denial-of-Service Threats and Mitigations

| Threat | Details / attack vector | Impact and scope | Likelihood | Available mitigations |
|---|---|---|---|---|
| Network traffic tampering or spoofing | Attacker sends inappropriate / malformed messages to hosts. | High / entire network | Low | Network ingress filtering. |
| Tampering with DNS services | Attacker spoofs, pollutes, or blocks DNS traffic. | High / entire network | Low | Monitoring of DNS service quality to quickly detect service problems. |
| Targeted traffic tampering or spoofing | Attacker targets individual computers or assets. | High / single computer | Low | Port and packet filtering; network segmentation; personal firewalls. |
| User account lockout | Attacker exceeds the maximum number of permitted password attempts, triggering the account lockout policy. | Medium / entire network | Low | Account lockout policy configured with no lockout threshold, so that repeated failed attempts cannot lock the account. |
| Service account lockout | Attacker denies access to a service account by exceeding the password retry count. | Medium / entire network | Low | Account lockout policy configured with no lockout threshold, so that repeated failed attempts cannot lock the account. |
| Bandwidth consumption attack | Attacker intentionally consumes bandwidth to target network or device. | Medium / entire network | Low | For the perimeter network, ingress filtering and Internet service provider (ISP) monitoring. For internal hosts, Transmission Control Protocol/Internet Protocol (TCP/IP) stack hardening and ingress filtering. |

Malicious Code Threats

The following table shows the key malicious code threats that Trey identified for its networks. Unlike the physical threats, these are at least partly within the company's control: the mitigations listed (antivirus software, patch management, browser hardening, user education, and segregation of the older computers) reduce both the likelihood of an outbreak and how far it spreads, although none of them is complete on its own.

Table 2.4: Malicious Code Threats and Mitigations

| Threat | Details / attack vector | Impact and scope | Likelihood | Available mitigations |
|---|---|---|---|---|
| Virus outbreak | Virus spreads after being introduced to Trey network by an internal user. | High / entire network | Medium | Deployment of client and server antivirus software; user education; patch management; segregation of older computers. |
| User execution of malicious code | User downloads and runs malicious code disguised as something innocuous. | High / single computer | Medium | Microsoft Internet Explorer hardening; user education. |
| Worm outbreak | Worm spreads after being introduced from the Internet or through an infected internal computer. | High / entire network | Low | Patch management to reduce exploitable vulnerabilities; segregation of older computers. |

Information Disclosure Threats

Information disclosure threats include accidental leakage of confidential data, purposeful disclosure by authorized users to unauthorized parties, and targeted attacks to disclose data.

Table 2.5: Information Disclosure Threats and Mitigations

| Threat | Details / attack vector | Impact and scope | Likelihood | Available mitigations |
|---|---|---|---|---|
| Network sniffing | Attacker surreptitiously monitors network traffic to capture passwords or other sensitive data. | High / entire network | Medium | Physical access controls for network; Server Message Block (SMB) signing; use of Windows NT LAN Manager version 2 (NTLMv2) instead of NTLM or LM authentication. |
| Theft of data from mobile/laptop computers | Attacker steals computer and recovers data from it. | High / entire network | Medium | None |
| Leakage of password data | Attacker steals password hashes from compromised computer or network. | High / entire network | Low | Physical access controls for domain controllers; use of Syskey; NTLMv2. |
| Purposeful information disclosure | Authorized user discloses information to an unauthorized party. | High / single computer | Low | None |

Account Compromise Threats

Account compromise threats can be separated into two broad categories: compromises that occur because an attacker gains physical access to a computer (and can thus remove the local administrator password, install a keystroke logger, or otherwise tamper with the computer), and network-based attacks. The following table shows the most significant account compromise threats with which Trey is concerned.

Table 2.6: Account Compromise Threats and Mitigations

| Threat | Details / attack vector | Impact and scope | Likelihood | Available mitigations |
|---|---|---|---|---|
| Domain administrator account compromise | An attacker obtains the password for a domain administrator account. | High / entire network | Low | Physical access controls. |
| Local administrator account compromise on individual computer | An attacker learns the password for a local administrator account through password cracking or other means. | High / single computer | Low | Physical security controls; NTLMv2 authentication. |
| Local administrator account password reset on individual computer | An attacker gains physical access to a computer and resets its local administrator password. | High / single computer | Low | Physical security controls. |
| User account compromise | An attacker obtains access to an ordinary user account. | Medium / single computer | Low | Physical access controls; SMB signing; NTLMv2 authentication. |

Making Risk Decisions

After the Trey IT staff identified the most significant risks that the organization faced (as listed and prioritized in the preceding tables), the staff decided which mitigation measures to take based on the potential impact and likelihood of individual threats. Some of the most significant threats cannot effectively be mitigated at all on computers running Windows 98 and Windows NT 4.0, which is why Trey decided to migrate its infrastructure systems to Windows Server 2003. Other risks may be mitigated by a combination of operating system-specific steps, network configurations, and policy changes. By examining each of the potential threats and calculating the cost required to defend against them, Trey developed a plan for mitigating as many serious risks as possible. The remaining chapters of this guidance describe the specific measures on which Trey decided.
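As an added illustration of this decision step (not code from the guide or from SRMD itself), the following script scores the threats from Tables 2.2 through 2.6 by impact, scope and likelihood, ranks them, and lists those for which the tables offer no mitigation on Windows NT 4.0 or Windows 98. The ratings are the ones printed in the tables; the numeric scale (High = 3, Medium = 2, Low = 1; entire network = 2, single computer = 1) and the product used as a score are assumptions chosen for the example, not SRMD's own arithmetic:

```python
"""Score and rank the threats from Tables 2.2 through 2.6, and list the ones
for which the tables offer no NT 4.0 / Windows 98 mitigation.

Added example, not code from the guide or from SRMD. Ratings are the ones
printed in the tables; the numeric scale and the product used as a score
are assumptions chosen for the illustration.
"""
from dataclasses import dataclass

LEVEL = {"Low": 1, "Medium": 2, "High": 3}            # assumed scale
SCOPE = {"single computer": 1, "entire network": 2}   # assumed scale


@dataclass(frozen=True)
class Threat:
    name: str
    category: str
    impact: str       # Low / Medium / High
    scope: str        # "single computer" or "entire network"
    likelihood: str   # Low / Medium / High
    mitigation: str   # table text, abbreviated; "None" as printed in the table

    def score(self):
        """Assumed formula: impact weighted by scope, times likelihood.
        Ranges from 1 (Low / single / Low) to 18 (High / entire / High)."""
        return LEVEL[self.impact] * SCOPE[self.scope] * LEVEL[self.likelihood]

    def has_no_control(self):
        """True when the table lists no control available on the old platforms."""
        return self.mitigation.strip().lower() == "none"


# Transcribed from Tables 2.2 to 2.6; "single machine" in Table 2.2 is
# treated as "single computer".
THREATS = [
    Threat("Environmental damage", "Physical", "High", "entire network", "Low", "Insurance; DR and BC plans"),
    Threat("Temporary loss of infrastructure services", "Physical", "Medium", "entire network", "Medium", "Outages tend to be short-term"),
    Threat("Physical damage to key computers", "Physical", "Medium", "single computer", "Low", "Backups; physical access controls"),
    Threat("Network traffic tampering or spoofing", "DoS", "High", "entire network", "Low", "Ingress filtering"),
    Threat("Tampering with DNS services", "DoS", "High", "entire network", "Low", "DNS service monitoring"),
    Threat("Targeted traffic tampering or spoofing", "DoS", "High", "single computer", "Low", "Port/packet filtering; segmentation; personal firewalls"),
    Threat("User account lockout", "DoS", "Medium", "entire network", "Low", "No lockout threshold"),
    Threat("Service account lockout", "DoS", "Medium", "entire network", "Low", "No lockout threshold"),
    Threat("Bandwidth consumption attack", "DoS", "Medium", "entire network", "Low", "Ingress filtering; ISP monitoring; TCP/IP hardening"),
    Threat("Virus outbreak", "Malicious code", "High", "entire network", "Medium", "Antivirus; user education; patching; segregation"),
    Threat("User execution of malicious code", "Malicious code", "High", "single computer", "Medium", "Internet Explorer hardening; user education"),
    Threat("Worm outbreak", "Malicious code", "High", "entire network", "Low", "Patching; segregation"),
    Threat("Network sniffing", "Information disclosure", "High", "entire network", "Medium", "Physical access controls; SMB signing; NTLMv2"),
    Threat("Theft of data from mobile/laptop computers", "Information disclosure", "High", "entire network", "Medium", "None"),
    Threat("Leakage of password data", "Information disclosure", "High", "entire network", "Low", "DC physical access controls; Syskey; NTLMv2"),
    Threat("Purposeful information disclosure", "Information disclosure", "High", "single computer", "Low", "None"),
    Threat("Domain administrator account compromise", "Account compromise", "High", "entire network", "Low", "Physical access controls"),
    Threat("Local administrator account compromise on individual computer", "Account compromise", "High", "single computer", "Low", "Physical security; NTLMv2"),
    Threat("Local administrator account password reset on individual computer", "Account compromise", "High", "single computer", "Low", "Physical security"),
    Threat("User account compromise", "Account compromise", "Medium", "single computer", "Low", "Physical access controls; SMB signing; NTLMv2"),
]


def ranked(threats):
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(threats, key=lambda t: (-t.score(), t.name))


def top(threats, n):
    return [t.name for t in ranked(threats)[:n]]


def unmitigated(threats):
    """Threats Trey can only address by migration or policy, not by hardening."""
    return [t.name for t in threats if t.has_no_control()]


def migration_drivers(threats, n):
    """Threats in the top n by score that also have no listed control."""
    return [name for name in top(threats, n) if name in unmitigated(threats)]


if __name__ == "__main__":
    for t in ranked(THREATS):
        print("%2d  %-22s %-52s %s" % (t.score(), t.category, t.name, t.mitigation))
    print("no control on NT 4.0 / 98:", unmitigated(THREATS))
    print("migration drivers:", migration_drivers(THREATS, 5))
```

Whatever scale is chosen, the useful output is the intersection of the two lists: theft of data from mobile computers scores as high as a virus outbreak or network sniffing and has no listed control, which is the kind of result that drives a migration decision rather than a hardening step. The scoring itself is deliberately coarse; what matters is that the same scale is applied to every row so that the ranking, and the cost comparison that follows it, can be defended.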

Summary

This chapter has described some of the considerations involved with applying the SRMD to a common customer scenario. All information provided for this example is based on actual data; however, this information represents only a fragment of the overall information required for an organization to be able to perform a thorough security risk assessment. Including the entire risk analysis table or every security risk statement would have made the information provided in this chapter more difficult to understand. Instead, relevant examples were highlighted for quick reference and easy comprehension.

The guidelines in this chapter were applied to develop a list of risks that are addressed with specific remediation steps. After the Trey engineers complete the list, they can identify the steps required to mitigate the risks by securing their systems against the listed vulnerabilities. The remaining chapters of this guide examine these steps in detail.

More Information

For more information about how to apply SRMD to an enterprise environment, see the following resource:

The Security Risk Management Guide at https://go.microsoft.com/fwlink/?linkid=30794 on TechNet.
