In this two-part series, Brien Posey offers tips for securing Windows NT after Microsoft's support deadline passes. Part one covers six steps for keeping Windows NT secure past the deadline.
Part two below discusses more advanced techniques for controlling access to and communications from your NT servers.
Although Microsoft is discontinuing Windows NT support, many companies are still running the operating system, whether because they have proprietary software that doesn't work under other systems, because they don't have the budget to upgrade, or simply because Windows NT is getting the job done. Unfortunately for them, Windows NT is anything but secure. Countless security holes have been found over the years, and Microsoft has no intention of patching them now. So if you're sticking with Windows NT, you must consider some more advanced techniques to keep it as secure as possible.
1. Refrain from Internet browsing
One of the best ways to protect your NT server is not to touch it unless you absolutely have to. I have seen countless instances when a person trying to fix a server launches Internet Explorer from the server console to look up the solution, forgetting that the Internet is one of the most hostile environments imaginable. Even a relatively secure machine with a modern operating system can become infected with viruses, Trojans and spyware through casual Internet surfing. Windows NT is more vulnerable to malicious software than any current version of Windows. Therefore, you should refrain from browsing the Internet from an NT server.
2. Install antivirus and anti-spyware protection
I do recommend installing good antivirus and anti-spyware protection on the server. Keep this software up to date and scan the machine regularly. While it's true that the server won't "catch anything" if you stay off of the Internet, you never know what may already be on the server or what might attack it if another administrator happens to go online.
3. Establish a dedicated network segment
Another great way to protect your Windows NT Server is to place it on its own network segment, completely isolated from the rest of the network. Then you can protect the network segment using a firewall. But don't just block traffic flowing through obscure ports. This is your server, and you know who should and should not be accessing it. Set up IP-address filtering so no one can access the server without an approved IP address.
4. Protect against outbound traffic
When you implement a firewall, pay close attention to securing outbound traffic. Most people spend lots of time protecting servers against inbound traffic, not giving much thought to the information flowing from the server. Keep in mind that most Trojans send information to a server on the Web somewhere. I recommend blocking all outbound TCP and UDP ports except for those that the server absolutely needs to communicate. That way if the server does become infected by a Trojan, you can prevent the Trojan from being able to "phone home."
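The filtering policy described in steps 3 and 4 can be written down as a small model and checked against connection records. The following is an added example, not part of the original article: the addresses, ports and function names are constructed for illustration, and it assumes a stateful firewall, so only new connection attempts are evaluated.

```python
import ipaddress

# All values below are constructed for illustration (documentation address ranges).
NT_SERVER = ipaddress.ip_address("192.0.2.10")
ALLOWED_CLIENTS = [ipaddress.ip_network("198.51.100.0/28"),   # app servers
                   ipaddress.ip_network("198.51.100.40/32")]  # admin workstation
# Outbound destinations the server genuinely needs: (proto, dest network, port)
ALLOWED_EGRESS = [("udp", ipaddress.ip_network("198.51.100.53/32"), 53),  # DNS
                  ("tcp", ipaddress.ip_network("198.51.100.25/32"), 25)]  # mail relay

def decide(proto, src, dst, dport):
    """Return (action, reason) for one new connection crossing the segment firewall."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst == NT_SERVER:                        # inbound: IP-address filtering
        if any(src in net for net in ALLOWED_CLIENTS):
            return "allow", "approved client"
        return "deny", "source not on allowlist"
    if src == NT_SERVER:                        # outbound: only required ports
        for p, net, port in ALLOWED_EGRESS:
            if proto == p and dst in net and dport == port:
                return "allow", "required egress"
        return "deny", "unexpected egress"
    return "deny", "not to or from the server"  # default deny

def review(flows):
    """Return blocked outbound attempts; each one is a reason to inspect the server."""
    alerts = []
    for proto, src, dst, dport in flows:
        action, reason = decide(proto, src, dst, dport)
        if action == "deny" and reason == "unexpected egress":
            alerts.append((proto, dst, dport))
    return alerts

# Constructed sample connection attempts: (proto, source, destination, dest port)
SAMPLE_FLOWS = [
    ("tcp", "198.51.100.5", "192.0.2.10", 139),    # approved app server
    ("tcp", "203.0.113.77", "192.0.2.10", 139),    # host with no approved address
    ("udp", "192.0.2.10", "198.51.100.53", 53),    # DNS lookup the server needs
    ("tcp", "192.0.2.10", "203.0.113.200", 6667),  # server reaching out unexpectedly
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", decide(*flow))
    print("investigate:", review(SAMPLE_FLOWS))
```

A denied outbound attempt is worth more than the block itself: it is the signal that something on the server is trying to reach a destination nobody approved.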
5. Use Virtual Server 2005
Finally, if you have a Windows Server 2003 machine in your organization, you might consider taking advantage of Virtual Server 2005, which allows you to consolidate hardware by running multiple virtual machines on a single physical machine. In this particular case, Windows NT could run within a window on Windows Server 2003. The advantage to doing this is that many known exploits against Windows NT gain direct access to the server's hardware. But if Windows NT is running on a virtual machine, then Windows Server 2003 is controlling access to the physical hardware, not NT itself (even though NT will have a virtual hard drive). Running NT inside a virtual machine adds a layer of complexity, and that, combined with the security built into Windows Server 2003, makes it just a little bit harder to hack. Just keep in mind that running Windows NT in a virtual machine does eliminate some known vulnerabilities -- but it's still anything but secure.
Of all of the security techniques I have shown you, running Windows NT on an isolated and protected network segment is by far the most effective. As a general rule, you should still use as many of these techniques as possible.
Brien M. Posey is a regular contributor on SearchWindowsSecurity.com.
This was first published in November 2004