Printable View
I am looking for some insight and input for protecting legacy servers. Since Microsoft stopped supplying patches and updates for NT it poses somewhat of a security risk, but in some cases there are specialized applications running which the vendors have not updated yet and they require NT.
What sort of processes, tools, applications or devices do you use to segregate and protect your network from your NT servers and vice versa??
Any thoughts and contributions appreciated.
From CERT
http://www.us-cert.gov/reading_room/win-resources.html
MTHs
MLF
Couple of things...
From a compliance stand point i.e. laws/regulations etc. - maintaining customer information on an OS no longer supported is BAD. Even with CERT guidlines on locking down a server, an admin or security officer is just one small step away from a vulnerability that could compromise the network.
I am in the same boat with 2 NT servers. Even now there are unpatched security vulnerabilities in NT. Not to mention the authentication mechanism is flawed. At this point those applications should have been migrated and phased out. But they are not.
I have raised the risk level of those machines to the top and REMOVED all personal customer information from them. If a program needs access to data it does it OFF the NT box. Luckily for me applications support that but only through local drive mapping to remote machines. The executables still require root access but data should not. In addition they are removed from ALL outside access. It would take an employe with a high security level already to access the box through domain policy object limitation to access. If they jack into the network with their own laptop, snort will detect that and inside attempts to exploit NT vulnerabilities.
Security aside, vendor who refused to update applications on NT are doomed. NT is 10 years old and MS has slipped the dropping of support several times. Eliminate them or remove the box from the network. I have an application that uses DOS and they use it within their own locked room and within it's own local network. If the application must be networked, there is no way to protect the machine integrity except through passive monitoring of what is transpiring on the box beyond locking it down. Isolate it physically and through ACLs. I would also bet that applications still running on NT or not being updated either. So you are running 10 year old applications on a 10 year old OS.
You're going to want to use some method of filtering requests and responses. Any number of proxying firewalls out there will do the job. I could give a better suggestion depending on the specifics of the applications.
My favorite network cure-all is Sidewinder G2.
cheers,
catch