Windows NT 4.0 Security Best Practices Guide

Tyler Maginnis | January 22, 2024

Tags: Windows NT 4.0, Security, Hardening, Best Practices, Legacy Systems, Risk Management


Introduction

Security is paramount for Windows NT Server 4.0 systems. Despite being legacy, these systems may still handle critical functions. This guide provides comprehensive security hardening procedures, policies, and ongoing maintenance practices.

Security Assessment

Initial Security Audit

Before implementing changes, assess current security:

  1. Document Current State
     - Installed services
     - User accounts and groups
     - Share permissions
     - Running processes
     - Open ports

  2. Identify Vulnerabilities
     - Missing service packs
     - Weak passwords
     - Unnecessary services
     - Excessive permissions
     - Unpatched vulnerabilities

  3. Risk Assessment
```
Critical Systems:
- Domain Controllers
- File Servers
- Application Servers

Risk Factors:
- Internet exposure
- Sensitive data
- Business impact
```

Physical Security

Server Room Security

  1. Access Control
     - Locked server room
     - Access logs
     - Security cameras
     - Visitor escorts

  2. Environmental Protection
     - Temperature monitoring
     - UPS systems
     - Fire suppression
     - Water detection

  3. Hardware Security
     - Lock server cases
     - Disable floppy/CD boot
     - BIOS passwords
     - Remove unnecessary peripherals

Installation Security

Secure Installation Process

  1. Clean Installation
     - Format drives completely
     - Install from trusted media
     - Disconnect from network
     - Apply service packs immediately

  2. Partition Strategy
```
C:\ - Operating System (2 GB)
D:\ - Applications (varies)
E:\ - Data (remaining space)
F:\ - Logs and Temp (2 GB)
```

  3. File System
     - Always use NTFS
     - Never use FAT16
     - Convert existing FAT volumes

Post-Installation Hardening

  1. Immediate Actions
     - Install Service Pack 6a
     - Change Administrator password
     - Rename Administrator account
     - Disable Guest account

  2. Remove Unnecessary Components
```
Control Panel → Add/Remove Programs
Remove:
- Games
- Multimedia files
- Sample applications
- Unused network services
```

Account Security

Password Policies

  1. Configure Strong Policies
```
User Manager → Policies → Account

Password Restrictions:
- Minimum Password Length: 8 characters
- Maximum Password Age: 42 days
- Minimum Password Age: 2 days
- Password Uniqueness: 12 passwords
- Account lockout: 3 attempts
- Reset count: 30 minutes
- Lockout Duration: 30 minutes
```

  2. Password Complexity
     Not enforced by default. Use PASSFILT.DLL:
     - Copy PASSFILT.DLL to System32
     - Registry: add Passfilt to Notification Packages
     - Requires 3 of 4 character types

Account Management

  1. Administrator Account
     - Rename to non-obvious name
     - Create decoy "Administrator" (disabled)
     - Use only for administration
     - Log all usage

  2. Service Accounts
     - Naming: svc_servicename
     - Permissions: Minimum required
     - Password: Complex, documented
     - Rights: Log on as service only

  3. User Account Best Practices
     - Individual accounts only
     - No shared accounts
     - Regular access reviews
     - Disable rather than delete initially
     - Document all accounts

User Rights

Configure via User Manager → Policies → User Rights:

Critical Rights to Restrict:

Access this computer from network:
- Authenticated Users (not Everyone)

Log on locally (servers):
- Administrators only

Shut down the system:
- Administrators only

Take ownership of files:
- Administrators only

Debug programs:
- No one (remove all)

Replace a process level token:
- No one

Network Security

Protocol Security

  1. Disable Unnecessary Protocols
```
Network → Bindings
Disable:
- NetBEUI (if not required)
- IPX/SPX (if not required)
- DLC (rarely needed)
```

  2. TCP/IP Hardening
```
Registry: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

SynAttackProtect = 2
TcpMaxConnectResponseRetransmissions = 2
TcpMaxDataRetransmissions = 3
EnableDeadGWDetect = 0
EnablePMTUDiscovery = 0
KeepAliveTime = 300000
```

  3. NetBIOS Security
     Unbind from external interfaces: Network → Bindings → NetBIOS
     Disable on Internet-facing NICs

Port Security

  1. Identify Open Ports
```
netstat -an

Common NT Ports:
135 - RPC Endpoint Mapper
137 - NetBIOS Name Service
138 - NetBIOS Datagram
139 - NetBIOS Session
445 - SMB (SP3+)
```

  2. Firewall Rules
     External firewall recommended:
```
Block all except required:
- 80/443 for web servers
- 25 for mail servers
- Specific application ports
```
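
To turn the `netstat -an` review and the firewall allow-list above into a repeatable check, here is an added Python example (not from the original guide) that parses a constructed `netstat -an` listing from an NT 4.0 web server and reports every listener outside the role's allowed ports, labelled with the port descriptions from the table above. The sample output, the `WEB_SERVER_ALLOWED` set and the function names are assumptions.

```python
# Port descriptions from the "Common NT Ports" table in this guide.
NT_PORTS = {135: "RPC Endpoint Mapper", 137: "NetBIOS Name Service",
            138: "NetBIOS Datagram", 139: "NetBIOS Session", 445: "SMB (SP3+)"}

# Web server role: the guide's firewall rule allows 80/443 only (assumed role).
WEB_SERVER_ALLOWED = {80, 443}

# Constructed sample of `netstat -an` output from an NT 4.0 web server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        203.0.113.5:4022       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    0.0.0.0:161            *:*
"""

def parse_listeners(text):
    """Return sorted (proto, port) pairs that accept inbound traffic."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue   # banner, column header or blank line
        proto, port = fields[0], int(fields[1].rsplit(":", 1)[1])
        # A TCP socket is exposed only while LISTENING; every bound UDP socket is.
        if proto == "UDP" or (len(fields) > 3 and fields[3] == "LISTENING"):
            listeners.add((proto, port))
    return sorted(listeners)

def unexpected_listeners(text, allowed_ports):
    """Listeners outside the role's allow-list, tagged with the guide's port description
    so each can be unbound, disabled or blocked at the external firewall."""
    return [(proto, port, NT_PORTS.get(port, "not in the guide's port list"))
            for proto, port in parse_listeners(text) if port not in allowed_ports]

for proto, port, what in unexpected_listeners(SAMPLE_NETSTAT, WEB_SERVER_ALLOWED):
    print(f"{proto}/{port}: {what}")
```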

IPSec Configuration

Basic IPSec (limited in NT 4.0):

Install: Network → Protocols → Add → IPSec
Configure policies for sensitive traffic
Requires compatible endpoints

File System Security

NTFS Permissions

  1. System Directories
```
C:\WINNT
- Administrators: Full Control
- SYSTEM: Full Control
- Users: Read & Execute

C:\WINNT\System32
- Administrators: Full Control
- SYSTEM: Full Control
- Users: Read & Execute
- Everyone: (Remove)
```

  2. Critical Files
```
Remove Everyone group from:
- AUTOEXEC.BAT
- CONFIG.SYS
- Registry files
- Event logs
```

  3. Application Directories
```
Program directories:
- Administrators: Full Control
- Users: Read & Execute
- Modify only where required
```

Share Security

  1. Remove Default Shares
```
Registry: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
AutoShareServer = 0 (disables C$, D$, etc.)
```

  2. Share Permissions
```
Best Practice:
- Share: Everyone - Full Control
- NTFS: implement the actual security here (effective access comes from the NTFS ACL)
- Hidden shares for administration
```
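
The TCP/IP hardening values in the Network Security section and the `AutoShareServer` setting above can both be verified from a registry export rather than by clicking through REGEDT32. The following added Python example, not part of the original guide, parses a constructed REGEDIT4 export (the text format regedit.exe writes) and lists every expected value that is missing or differs; the sample export and the helper names are assumptions.

```python
# Values this guide sets, keyed by registry path (value name -> DWORD).
EXPECTED = {
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters": {
        "SynAttackProtect": 2, "TcpMaxConnectResponseRetransmissions": 2,
        "TcpMaxDataRetransmissions": 3, "EnableDeadGWDetect": 0,
        "EnablePMTUDiscovery": 0, "KeepAliveTime": 300000,
    },
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters": {
        "AutoShareServer": 0,
    },
}

# Constructed sample in the REGEDIT4 format that regedit.exe exports:
# SynAttackProtect is still 0 and AutoShareServer has never been created.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000000
"TcpMaxConnectResponseRetransmissions"=dword:00000002
"TcpMaxDataRetransmissions"=dword:00000003
"EnableDeadGWDetect"=dword:00000000
"EnablePMTUDiscovery"=dword:00000000
"KeepAliveTime"=dword:000493e0

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters]
"NullSessionPipes"=hex(7):00,00
"""

def parse_reg_export(text):
    """Return {key path: {value name: int}} for the DWORD values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=dword:' in line:
            name, hexval = line[1:].split('"=dword:', 1)
            keys[current][name] = int(hexval, 16)   # dword values are exported as hex
    return keys

def find_deviations(export_text, expected=EXPECTED):
    """Return (key, name, found, wanted) for every value that is missing or differs.
    Registry paths are case-insensitive, so keys are compared lower-cased."""
    present = {k.lower(): v for k, v in parse_reg_export(export_text).items()}
    deviations = []
    for key, wanted_values in expected.items():
        values = present.get(key.lower(), {})
        for name, wanted in wanted_values.items():
            if values.get(name) != wanted:   # None when the value was never set
                deviations.append((key, name, values.get(name), wanted))
    return deviations
```

Each tuple returned names the key, the value, what the export contains (None if absent) and what the guide expects, so the output is a direct to-do list for REGEDT32.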

Auditing Configuration

  1. Enable Auditing
```
User Manager → Policies → Audit

[X] Audit These Events:

Logon and Logoff:            [X] Success  [X] Failure
File and Object Access:      [ ] Success  [X] Failure
Use of User Rights:          [ ] Success  [X] Failure
User and Group Management:   [X] Success  [X] Failure
Security Policy Changes:     [X] Success  [X] Failure
Restart, Shutdown, System:   [X] Success  [X] Failure
```

  2. File/Folder Auditing
```
For sensitive data: Properties → Security → Auditing
Add Everyone:
- Read: Success, Failure
- Write: Success, Failure
- Delete: Success, Failure
```

Service Security

Unnecessary Services

Disable these services if not required:

Services to Consider Disabling:
- Alerter
- ClipBook Server
- Computer Browser (on non-browse masters)
- Messenger
- NetMeeting Remote Desktop Sharing
- Remote Access Service (if not used)
- Remote Registry Service
- Routing and Remote Access
- Schedule (if AT not used)
- SNMP Service
- Telephony Service

Service Configuration

  1. Service Accounts
```
Change from LocalSystem where possible:
- Create dedicated service accounts
- Grant minimum required rights
- Use different accounts per service
```

  2. Service Dependencies
     - Document all dependencies
     - Test changes thoroughly
     - Monitor after modifications

Registry Security

Registry Permissions

  1. Secure Registry Keys
```
REGEDT32 → Security → Permissions

HKEY_LOCAL_MACHINE\SOFTWARE
- Administrators: Full Control
- SYSTEM: Full Control
- Users: Read

HKEY_LOCAL_MACHINE\SYSTEM
- Administrators: Full Control
- SYSTEM: Full Control
- Users: Read
```

  2. Protect SAM
```
HKEY_LOCAL_MACHINE\SAM
- Administrators: Full Control only
- Remove all others
```

Registry Auditing

Enable for critical keys:

Security → Auditing
Add Everyone:
- Query Value: Failure
- Set Value: Success, Failure
- Delete: Success, Failure

Application Security

IIS Security (if installed)

  1. Remove Sample Applications
     Delete:
     - C:\InetPub\iissamples
     - C:\InetPub\AdminScripts
     - MSADC virtual directory

  2. Secure Configuration
     - Use NTFS permissions
     - Disable directory browsing
     - Remove unused ISAPI mappings
     - Enable logging

SQL Server Security (if installed)

  1. Authentication Mode
     - Use Windows Authentication
     - Avoid SQL authentication
     - Complex SA password if required

  2. Network Libraries
     - Disable unused protocols
     - Use encryption where possible

Patch Management

Service Pack Installation

  1. Current Service Pack
     - Always install SP6a
     - Post-SP6a hotfixes as required
     - Re-apply after system changes

  2. Testing Process
     - Test in lab environment
     - Verify application compatibility
     - Schedule maintenance window
     - Have rollback plan

Security Hotfixes

Critical post-SP6a updates:
- Security Rollup Package
- IIS cumulative patches
- RPC vulnerability patches
- Print spooler updates

Monitoring and Detection

Event Log Management

  1. Configure Log Settings
```
Event Viewer → Log → Settings

Maximum Log Size: 10240 KB
Event Log Wrapping:
[ ] Overwrite as needed
[X] Overwrite events older than 30 days
[ ] Do not overwrite
```

  2. Critical Events to Monitor
```
Security Log:
- 529: Logon failure (bad password)
- 534: Logon failure (account disabled)
- 539: Logon failure (account locked)
- 624: User account created
- 642: User account changed

System Log:
- 7000: Service failed to start
- 7031: Service terminated unexpectedly
```
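
As an added example (not part of the original guide), the following Python script applies the Security Log event IDs above together with the guide's lockout policy (3 attempts within the 30-minute reset count) to a constructed comma-delimited Event Viewer export: it flags accounts whose failures reach the threshold inside one window, which is what a brute-force run against this policy looks like in the log, and lists the account-management events. The export layout, the account names and the use of the User column for the target account are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Security-log event IDs the guide lists, with its descriptions.
LOGON_FAILURES = {529: "bad password", 534: "account disabled", 539: "account locked"}
ACCOUNT_CHANGES = {624: "user account created", 642: "user account changed"}

# Lockout policy from the guide: 3 attempts, 30-minute reset count.
LOCKOUT_THRESHOLD, RESET_WINDOW = 3, timedelta(minutes=30)
# Constructed comma-delimited Event Viewer export (Date,Time,Source,Type,Category,
# Event,User,Computer); here the User column carries the account named in the event.
SAMPLE_LOG = """\
1/22/2024,8:55:10 AM,Security,Success Audit,Logon/Logoff,528,jdoe,NTSRV01
1/22/2024,9:14:02 AM,Security,Failure Audit,Logon/Logoff,529,jsmith,NTSRV01
1/22/2024,9:14:09 AM,Security,Failure Audit,Logon/Logoff,529,jsmith,NTSRV01
1/22/2024,9:14:15 AM,Security,Failure Audit,Logon/Logoff,529,jsmith,NTSRV01
1/22/2024,9:14:21 AM,Security,Failure Audit,Logon/Logoff,529,jsmith,NTSRV01
1/22/2024,9:20:00 AM,Security,Failure Audit,Logon/Logoff,534,guest,NTSRV01
1/22/2024,10:02:45 AM,Security,Failure Audit,Logon/Logoff,529,jdoe,NTSRV01
1/22/2024,11:30:00 AM,Security,Success Audit,Account Management,624,backup2,NTSRV01
1/22/2024,2:10:00 PM,Security,Failure Audit,Logon/Logoff,529,jdoe,NTSRV01
"""

def parse_export(text):
    """Yield (timestamp, event_id, account) for each record in the export."""
    for line in text.splitlines():
        fields = line.split(",")
        if len(fields) < 8 or not fields[5].isdigit():
            continue
        when = datetime.strptime(fields[0] + " " + fields[1], "%m/%d/%Y %I:%M:%S %p")
        yield when, int(fields[5]), fields[6]

def analyze(text, threshold=LOCKOUT_THRESHOLD, window=RESET_WINDOW):
    """Return ({account: (total failures, start of the first run that hit the
    threshold inside one window)}, [(time, id, description, account)] changes)."""
    failures, changes = defaultdict(list), []
    for when, event_id, account in parse_export(text):
        if event_id in LOGON_FAILURES:
            failures[account].append(when)
        elif event_id in ACCOUNT_CHANGES:
            changes.append((when, event_id, ACCOUNT_CHANGES[event_id], account))
    flagged = {}
    for account, times in failures.items():
        times.sort()
        # Sliding window: do any `threshold` consecutive failures fit inside `window`?
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[account] = (len(times), times[i])
                break
    return flagged, changes
```

An account that is flagged here but never produces a 539 (account locked) event deserves a look at its lockout settings, since the policy above should have locked it.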

Performance Monitoring

Security-related counters:

Server object:
- Errors Access Permissions
- Errors Granted Access
- Errors Logon

Security System-Wide Statistics:
- NTLM Authentications
- Kerberos Authentications (N/A in NT4)
- Digest Authentications

Incident Response

Preparation

  1. Response Plan
     - Contact information
     - Escalation procedures
     - Recovery priorities
     - Communication plan

  2. Tools and Resources
     - Incident response kit
     - Clean boot media
     - Backup restoration procedures
     - Forensic tools

Detection and Analysis

  1. Indicators of Compromise
     - Unexpected processes
     - Unknown user accounts
     - Modified system files
     - Unusual network traffic
     - Event log gaps

  2. Initial Response
     - Document everything
     - Preserve evidence
     - Isolate if necessary
     - Begin investigation

Backup and Recovery

Backup Security

  1. Backup Strategy
```
Include:
- System State
- Registry
- User data
- Application data
- Event logs
- Security databases
```

  2. Secure Backup Storage
     - Offsite storage
     - Encrypted if possible
     - Access control
     - Regular testing

Emergency Repair Disk

  1. Create ERD
     - RDISK /S (includes SAM)
     - Store securely
     - Update after changes
     - Test restoration

Security Checklist

Daily Tasks

  • [ ] Review Security event log
  • [ ] Check failed logon attempts
  • [ ] Monitor system resources
  • [ ] Verify backup completion

Weekly Tasks

  • [ ] Review all event logs
  • [ ] Check user account changes
  • [ ] Analyze performance data
  • [ ] Test critical services

Monthly Tasks

  • [ ] Review user permissions
  • [ ] Audit share access
  • [ ] Check for new patches
  • [ ] Update documentation
  • [ ] Security awareness training

Quarterly Tasks

  • [ ] Full security audit
  • [ ] Penetration testing
  • [ ] Disaster recovery drill
  • [ ] Policy review and update

Conclusion

Securing Windows NT Server 4.0 requires continuous effort and vigilance. While the platform lacks modern security features, proper configuration and monitoring can significantly reduce risks. Regular updates, strong policies, and proactive monitoring are essential. Consider migration to supported platforms for systems requiring high security. Document all configurations and maintain current backups to ensure quick recovery from security incidents.