Windows NT 4.0 and Windows 98 Threat Mitigation Guide

The Microsoft Solutions for Security (MSS) team has released a guide that will assist the many companies that are deploying Windows Server 2003 and Windows XP but cannot yet upgrade their older systems. The guide includes both the best hardening strategies to use before upgrading and the security justifications for upgrading.

Content Road Map
"The Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide" describes the process of hardening networks and computers that run earlier versions of the Windows OS. Organizations may have a variety of combinations of computers running Windows NT 4.0 (Workstation, Server, and Advanced Server) and Windows 98, with or without later versions of Windows clients or servers. This guide focuses on the protective measures that can be applied to Windows NT 4.0 Workstation and Windows 98 clients and Windows NT 4.0 member servers in an Active Directory directory service domain environment to improve their security.

The guide comprises eight chapters, grouped into two sections. The first section consists of two chapters, Chapter 1, "Introduction," and Chapter 2, "Applying the Security Risk Management Discipline to the Trey Research Scenario," both of which are intended for executives and IT management at all levels.

Section I
Chapter 1 provides an executive summary, introduces the business challenges and benefits surrounding the security of older operating systems, suggests the recommended audience for the guidance, lists the reader prerequisites, and provides an overview of the chapters and solution scenarios in the guidance. Chapter 2 details a fictitious company scenario that is used to develop the recommendations in this guidance and explains how an IT generalist would assess the security risks and vulnerabilities of the network infrastructure. Trey Research, the fictitious company in the scenario, has its headquarters in Seattle and field offices in several states throughout the country. The chapter also describes how IT generalists can identify and prioritize their individual organizations' risks and vulnerabilities to generate security requirements that can drive an action plan to mitigate security threats.

Section II
The second section of the guidance contains six chapters of prescriptive information for IT administrators and technical managers. Each chapter begins with a discussion of design principles and options before discussing the specific hardening measures chosen for the target scenario.

Chapter 3, "Network Security and Hardening," describes network security vulnerabilities and the process of hardening network components (including client and server computers) against these vulnerabilities. The chapter addresses network segmentation, Transmission Control Protocol/Internet Protocol (TCP/IP) stack hardening, and the use of personal firewalls for client protection.

Chapter 4, "Hardening Windows NT 4.0," explains how to harden Windows NT 4.0 (Workstation and Server) by establishing a baseline for the system and then applying specific hardening measures. It describes the importance and methods of physical security and procedures for applying security policies to file, print, Web, and application servers. The chapter discusses the inherent compromises in various security approaches and concludes by describing in detail the most advantageous hardening policies for Trey Research.

Chapter 5, "Hardening Windows 98," explains how to harden Windows 98 clients and applications, and describes methods for applying patches, updates, and security policies to computers running Windows 98.

Chapter 6, "Patch Management," shows how to find out about new updates in a timely manner, implement them quickly and reliably throughout your organization, and ensure that they are deployed everywhere. It describes the compromises of patch management implementations and concludes with a detailed description of the Trey Research patch management system.

Chapter 7, "Antivirus," describes the importance of antivirus software and policies as well as the security and supportability of client-based and server-based antivirus solutions.

Chapter 8, "Conclusion," provides a brief summary of the hardening processes that were discussed throughout the guide.