Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide

Article
02/20/2014

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Chapter 8: Conclusion

Published: September 13, 2004 | Updated : March 30, 2006

Note: Welcome to the TechNet Archive. We've created this Archive area so that we can continue to make available older content that is still of interest to some of our users. This allows us to streamline the content offerings on the site and keep it focused on the newest, most relevant content.

This guidance has discussed many of the challenges involved to deploy older Microsoft® Windows NT® version 4.0 and Microsoft Windows® 98 clients in enterprise environments. The guidance referenced the experiences of Trey Research, a fictitious company that needed to identify and mitigate security vulnerabilities. Many of the issues that Trey resolved are faced by organizations that need to implement their own secure networking environments.

The information presented in this guidance will allow you to identify secure networking infrastructure, create baseline configurations for servers and workstations running older operating systems, define procedures for sound patch management, and institute a proactive antivirus strategy. Together, these techniques can help extend the life of important assets until organizations are able to upgrade to newer, more secure operating systems.

While the Trey Research scenario may not mirror your particular environment, the techniques presented here apply to organizations of all sizes and can be adapted to most environments. The most important concept is that sound security is an ongoing process that should be integrated into the daily life of an IT organization, and that security involves installation, baselining, monitoring, and updating processes.

Threats in the Trey Environment

The threats that Trey identified as part of their risk analysis required a detailed plan of identification and mitigation. The following sections discuss the ways in which the Trey IT staff was able to plan and carry out the task of securing the company network.

Physical Security Threats

The biggest physical security threat to Trey systems involves uncontrolled physical access to their computers. Many key servers and workstations are in relatively unprotected areas. Trey partially mitigated this risk by using physical locks and better access controls, along with moving the most important servers to more secure locations. Other physical security risks, like environmental damage, were adequately mitigated by non-technical measures.

Denial-of-Service Threats

Most of the denial-of-service risks that affect the Trey network can be addressed by the network hardening and filtering features available in Windows NT 4.0. To bolster this protection, they installed personal firewalls on all their Windows 98 and Windows NT computers. In addition to proper server and workstation configuration, proper network segmentation and firewall configuration helped Trey specify which types of traffic were allowed to pass to specific computers. However, Trey was not able to completely mitigate the threat of network traffic tampering or spoofing. Microsoft Windows 2000, Windows XP, and Windows Server™ 2003 support the use of Internet Protocol Security Extensions (IPsec) to protect sensitive network traffic, but Windows 98 or Windows NT do not support IPsec.

Malicious Code Threats

Trey identified three key malicious code threats: user execution of malicious code, virus outbreaks, and worm outbreaks. They addressed these in three specific ways:

To partially mitigate the risk of user execution of malicious code, Trey upgraded its workstations to Internet Explorer 6.0 SP1 and applied more restrictive security settings. However, a more effective approach — using Windows software restriction policies to only allow trusted applications to run — cannot be applied because Windows NT and Windows 98 do not support restriction policies.
To guard against the possibility of virus infection, Trey Research installed centrally managed antivirus software to protect all servers and workstations. Virus definitions are now updated daily, and weekly scans can be scheduled or manually initiated from the antivirus console. If a virus-infected computer, downloaded file, or media is introduced into the network, protected clients have a substantially reduced risk of infection.
To help protect against worms, Trey segmented their network so that all older computers are on their own separate segment of the network with their own firewall. They developed patch management processes to ensure timely deployment of new patches to all systems, and reviewed and restricted their firewall configuration to ensure that no unnecessary ports were open.

Trey’s effort to mitigate these threats is complicated because neither Windows NT nor Windows 98 supports the full set of patch management tools available from Microsoft and other third-party vendors. In particular, Trey cannot use the Microsoft Baseline Security Analyzer (MBSA) to scan their Windows 98 computers, so staff at the company must inventory these computers, and then manually apply patches to them. This represents a serious problem for Trey that will only be solved when the company completes its IT modernization.

Ultimately, the biggest protection against threats from malicious code is educating users to use good security practices. These practices include choosing the appropriate Internet Explorer security settings, and exercising caution in downloading and executing programs or attachments.

Information Disclosure Threats

Trey took three primary measures to help mitigate the information disclosure threats described in Chapter 2. First, the company began requiring the use of NTLMv2 authentication on all its computers. This requirement had a significant compatibility impact, and it remains less secure than a pure Kerberos deployment. However, it is adequate as a stopgap protective measure until Trey can complete its IT modernization and deploy IPsec.

As an additional protective measure, Trey enabled the use of server message block (SMB) signing for its Windows NT, Windows 2000, and Windows Server 2003 computers. This approach helps ensure that older computers would be able to vouch for the authenticity of all network transmissions. It drafted a plan to monitor computers for performance bottlenecks. A 10 percent to 15 percent performance drop is expected; if this proves to be too much of an impact on some servers, Trey can remove the RequireSecuritySignature setting from affected clients. A matching Group Policy object (GPO) in the Microsoft Active Directory® directory service controls SMB signing for native Active Directory servers and workstations; Trey may also have to reset this.

For more protection against offline attacks against the Security Account Manager (SAM) database, Trey required the use of the Syskey utility on all their Windows NT, Windows 2000, and Windows 2003 servers. This helps reduce the risk that an attacker will obtain sensitive security data from these machines.

Trey was not able to effectively mitigate the risk of data theft from the company's mobile computers. The Encrypting File System (EFS), available in Windows 2000 and Windows XP, allows users to selectively encrypt critical data on their computers so that if an attacker steals one, the attacker cannot recover the encrypted data; in this way, EFS would provide the company with effective mitigation.

Account Compromise Threats

The biggest account threat Trey faces involves the possibility for an attacker to compromise accounts due to weak passwords. Because Windows 98 supports a maximum password length of 8 characters, Trey could not adequately mitigate this risk. However, the use of NTLMv2 authentication helped to somewhat reduce the risk that password hashes could be recovered from the network. There is still some risk that an attacker could reset the local password on individual computers; Windows 2000, Windows XP, and Windows Server 2003 include features designed to prevent this type of attack.

Summary

This guidance discussed how to identify and mitigate security risks in network environments containing computers running Windows 98 and Windows NT 4.0 Workstation and Server.

Chapter 1 discussed the Trey infrastructure and introduced a fairly typical network environment of its size.
Chapter 2 introduced the SRMD process and components, giving examples of how they fit into the Trey IT environment. The chapter then used the principles of SRMD to audit and identify vulnerabilities in the company's network.
Chapter 3 discussed ways to securely design a network infrastructure to support necessary communications while denying unnecessary or harmful traffic.
Chapters 4 and 5 demonstrated ways to mitigate the security vulnerabilities of Windows NT 4.0 servers and workstations, and Windows 98 workstations. Key topics included configuring computers to participate in Active Directory, applying security policies, and choosing reliable and secure authentication and communications protocols.
Chapter 6 established procedures for implementing an ongoing patch management process and discussed auditing, baselining, patch installation, and process automation.
Chapter 7 provided an analysis of the growing menace of viruses, worms, and Trojan horses, and discussed sound methods for countering these threats.

Organizations that make these types of tasks a regular part of ongoing operational procedures will reap benefits in terms of system uptime, user satisfaction, and an extended lifecycle for integral older computers.