In this two-part series, Brien Posey offers techniques for securing Windows NT after Microsoft's support deadline passes. Part one covers six steps for keeping Windows NT secure. Part two discusses more advanced tips for controlling access to your servers.
Although Windows NT was an excellent and highly secure operating system in its day, it lags far behind more modern operating systems when it comes to security. It has countless security holes -- much like any other operating system made by Microsoft. But in this case, Microsoft will no longer provide regular patches. In fact, Microsoft will soon discontinue support for Windows NT altogether, leaving many Windows professionals asking the question, "How do we secure an insecure operating system?" I'll try to help you answer that question with the tips in this two-part series.
Most Windows NT support ended last year. Microsoft will pull the plug on all other support on Dec. 31, 2004. Normally this wouldn't be such a big deal, seeing as newer and more secure operating systems are available. The problem is that many companies are stuck with at least one Windows NT Server, either because they don't have the budget to upgrade to Windows Server 2003 or they have mission-critical applications that won't run on any other operating system. For those companies, the following six steps can help maintain your server security.
1. Install current service packs and hot fixes
First, you must cover the basics. Make sure you have every available service pack and hot fix installed. Use the Microsoft Baseline Security Analyzer for help.
2. Review server permissions
Next, take a look at all of your server's permissions. Configure Windows NT to deny access to anything you haven't specifically granted permission to. While you're at it, verify that the server is configured to use the NTFS file system. When Windows NT was popular, it was common for administrators to use the FAT file system rather than NTFS, because recovering NTFS-based systems from a crash was extremely difficult: features like safe mode and the recovery console didn't exist yet.
3. Keep up with recommended security settings
Verify that your security settings are up to par (account lockout, password requirements, etc.). Remember that Microsoft's recommended security configuration tends to evolve over time. The User Manager for Domains is a good starting place. I have seen a lot of companies make changes to their group policy settings as new security recommendations are made, but forget that, depending on their configuration, these changes may have no effect on Windows NT. Therefore, I recommend taking a look at your server to make sure the various security settings are up to date.
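One way to take that look, as an added example that is not from the original article: a Python script, run on any workstation, that reads `net accounts` output saved from the NT server and compares it with a baseline. The sample output and the baseline numbers are constructed for illustration.

```python
# Constructed sample of `net accounts` output, captured on the server with
# `net accounts > accounts.txt`. The values are illustrative only.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
The command completed successfully.
"""

# Hypothetical baseline (label, rule, limit); replace with your own values.
BASELINE = [
    ("Minimum password length", "min", 8),
    ("Maximum password age (days)", "max", 90),
    ("Length of password history maintained", "min", 6),
    ("Lockout threshold", "max", 5),
]
# Words printed in place of a number when a control is switched off.
DISABLED = {"never", "none", "unlimited"}

def parse_net_accounts(text):
    """Return {label: value}, splitting each line on its last colon."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.rpartition(":")
        if sep and value.strip():
            settings[label.strip()] = value.strip()
    return settings

def audit_policy(settings, baseline=BASELINE):
    """Return (label, found, reason) for every baseline rule that fails."""
    findings = []
    for label, rule, limit in baseline:
        found = settings.get(label, "")
        if found.lower() in DISABLED:
            findings.append((label, found, "control is disabled"))
        elif not found.isdigit():
            findings.append((label, found, "missing or not numeric"))
        elif rule == "min" and int(found) < limit:
            findings.append((label, found, "below required %d" % limit))
        elif rule == "max" and int(found) > limit:
            findings.append((label, found, "above allowed %d" % limit))
    return findings

if __name__ == "__main__":
    for finding in audit_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print("%s: %s (%s)" % finding)
```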
4. Disable unused services
Once the above is completed, turn your attention to the processes that are actually running on the server. Even in Windows Server 2003, it's a good idea to disable any services that aren't being used. In Windows NT, you will want to take this concept one step further. For example, suppose that your Windows NT Server is acting as a file and print server and is also hosting three applications. In that case, you should move your file and print services to a more secure server. Any server can share files and printers, so there is no reason to leave those services on a server that is known to be insecure.
5. Move applications to newer operating systems
You should also take a look at the applications running on the server. If any of them can function on a newer operating system, you should consider moving those applications to one that's more secure. In the end, your Windows NT Server should only run applications that absolutely will not run on another operating system, and then it should only run the bare minimum services needed to support those applications. Remember that by default, lots of unnecessary services are enabled in Windows NT.
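To see which services are still running beyond that bare minimum, the following added example (not part of the original article) compares saved `net start` output with an allowlist and separates the file and print services from step 4. The sample output, the allowlist and the name "Legacy App Service" are constructed placeholders.

```python
# Constructed sample of `net start` output, captured on the server with
# `net start > services.txt`.
SAMPLE_NET_START = """\
These Windows NT services are started:

   Alerter
   Computer Browser
   EventLog
   Messenger
   Remote Procedure Call (RPC) Service
   Server
   Spooler
   Workstation

The command completed successfully.
"""

# Hypothetical allowlist: what the one remaining application needs.
# "Legacy App Service" is a made-up name standing in for that application.
REQUIRED = ["EventLog", "Remote Procedure Call (RPC) Service",
            "Workstation", "Legacy App Service"]
# File sharing (Server) and printing (Spooler): the roles step 4 says to move.
FILE_PRINT = {"server", "spooler"}

def parse_net_start(text):
    """Return the service display names, which `net start` prints indented."""
    return [line.strip() for line in text.splitlines()
            if line[:1].isspace() and line.strip()]

def audit_services(running, required=REQUIRED):
    """Sort running services into move / disable, and list missing ones."""
    wanted = {name.lower() for name in required}
    seen = {name.lower() for name in running}
    report = {"move": [], "disable": [], "missing": []}
    for name in running:
        if name.lower() in wanted:
            continue  # needed by the application, leave it alone
        bucket = "move" if name.lower() in FILE_PRINT else "disable"
        report[bucket].append(name)
    # A required service that is not running points to a wrong allowlist
    # name or a stopped application, so report it instead of ignoring it.
    report["missing"] = [n for n in required if n.lower() not in seen]
    return report

if __name__ == "__main__":
    result = audit_services(parse_net_start(SAMPLE_NET_START))
    for action, names in result.items():
        print("%-8s %s" % (action, ", ".join(names) or "-"))
```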
6. Take advantage of Windows Server 2003 compatibility mode
Finally, take another look at applications that don't run on anything other than Windows NT. What about that application prevents it from running under another operating system? If the application depends on some obscure piece of hardware not supported by newer servers, then you are probably stuck with Windows NT. If the application checks to see if it is running on a Windows NT Server, you might be able to take advantage of compatibility mode. Compatibility mode is a feature found in Windows Server 2003. It allows you to trick an application into thinking that it is running under Windows NT or another legacy Microsoft operating system. Compatibility mode can also be used to force the application to run with certain video-mode restrictions that were common in older operating systems.
So far I have shown you several methods to help make your Windows NT system as secure as possible. These tips and techniques are only a warm-up. In part two of this series, I will cover some of the more advanced techniques for controlling access to your Windows NT Server.
Brien M. Posey is a regular contributor on SearchWindowsSecurity.com.
This was first published in November 2004