A number of readers have asked about NT 4.0 recently with regard to vulnerability advisories or exploits. I have found that one of the best ways to protect legacy applications and operating systems is to isolate them. Ideally, only those clients and users that absolutely must access these systems should be able to. This can be enforced at the switch, router, firewall, proxy, or end point. The painful part of the process is establishing who must access what, and then which protocols are actually needed. Once you know that, figure out where you can best form an 'enclave', or internal perimeter, with access control. This isn't ideal, but it can shield these systems from a worm or from unauthorized access. You also need to determine the value of the data or service that these systems provide. If they are performing a valuable service or hold critical data, you really should be protecting them. The unfortunate truth is that NT 4.0 is dead and really should not be used.
One reader wrote back:
"Block port 139 at our choke routers and possibly some network routers. Remove systems from the network. Remove the infection if possible (hopefully a tool would be created to remove). Possibly buy support for NT from MS. Disable port 139 on the NT systems. This would most likely break what is running on the system, which would be broken anyway. We have a patch cycle around patch Tuesday. We will be ready to patch next Tuesday. Currently testing. The operation that you mentioned about isolating systems would be difficult for us to manage. Let's hope that those out there who might be thinking of releasing a worm remember the last several mass attacks that occurred against MS; these individuals have been arrested and prosecuted."
Another reader wrote in that there are third party support pay options for NT 4.0, including custom patch development.
The bottom line, though: you really do need a migration/upgrade plan.
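For the isolation step described above (working out who must reach the legacy system, over which protocols, and then enforcing it), here is an added example that is not part of the original diary. It assumes a Linux router using iptables as the enforcement point and a simple "src dst proto dport" flow export; the addresses, the sample flows and the function names are all constructed for illustration.

```python
from collections import Counter

LEGACY_HOST = "10.10.5.20"  # hypothetical address of the NT 4.0 server

# Constructed flow records ("src dst proto dport"), as a router or firewall might export them.
SAMPLE_FLOWS = """\
10.10.1.11 10.10.5.20 tcp 139
10.10.1.11 10.10.5.20 tcp 139
10.10.1.12 10.10.5.20 tcp 139
10.10.1.12 10.10.5.20 udp 137
10.10.9.77 10.10.5.20 tcp 135
10.10.1.11 10.10.7.30 tcp 80
10.10.1.12 10.10.5.20 tcp 139
malformed line
"""

def observed_access(flow_text, host):
    """Count each (src, proto, dport) seen talking to the legacy host."""
    seen = Counter()
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip records that do not parse
        src, dst, proto, dport = fields
        if dst == host and proto in ("tcp", "udp"):
            seen[(src, proto, int(dport))] += 1
    return seen

def build_rules(seen, host, approved_clients, approved_services):
    """Allow only observed traffic that is also approved; list the rest for review."""
    rules, rejected = [], []
    for (src, proto, dport), count in sorted(seen.items()):
        if src in approved_clients and (proto, dport) in approved_services:
            rules.append(f"-A FORWARD -s {src} -d {host} -p {proto} --dport {dport} -j ACCEPT")
        else:
            rejected.append((src, proto, dport, count))
    rules.append(f"-A FORWARD -d {host} -j DROP")  # default deny closes the enclave
    return rules, rejected

if __name__ == "__main__":
    seen = observed_access(SAMPLE_FLOWS, LEGACY_HOST)
    rules, rejected = build_rules(seen, LEGACY_HOST,
                                  {"10.10.1.11", "10.10.1.12"}, {("tcp", 139)})
    print("\n".join(rules))
    for src, proto, dport, count in rejected:
        print(f"# review: {src} -> {proto}/{dport} seen {count}x, not approved")
```

The rejected list is the useful part: each entry is either an access requirement nobody documented or traffic that should not be reaching the legacy host at all.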
Adrien de Beaupre
Aug 11th 2006