Roll up your own Windows NT security

Installing all of the security hot fixes for your Windows NT server can be a full-time job, so Microsoft has created the Windows NT 4.0 Post-Service Pack 6a Security Rollup Package to make things easier. John Sheesley shows you how to get things rolling.

Even though Windows 2000 has been out for a while, and Windows .NET Server is on the horizon, chances are you still have a few Windows NT 4.0 servers chugging along in your server room. Microsoft released the last service pack, Service Pack 6a, in November 1999. Microsoft hasn’t provided any major upgrades to Windows NT since then; however, hackers continue to find new ways to poke holes in Windows NT.

Fortunately, Microsoft has provided smaller updates and hot fixes, but keeping up with and applying them all can be quite a challenge. Microsoft made the task of updating NT’s security a little easier by releasing the Windows NT 4.0 Post-Service Pack 6a Security Rollup Package. In this Daily Feature, I’ll take a look at the package and show you what’s in it and how to apply it.

Red Alert!
As of the time of this Daily Feature, the Code Red worm is wiggling around the Internet attacking IIS 4.0 and IIS 5.0 servers. The fixes included in the Windows NT 4.0 Post-Service Pack 6a Security Rollup Package currently won’t protect you from the Code Red worm. You’ll need to download and install a separate hot fix to handle this critter.

What is it, and why do I need it?
Although Microsoft felt there weren’t enough stability issues to require the issuance of Service Pack 7 for Windows NT, there were enough security hot fixes available that it would be useful to create one large package containing them all. So they created the Windows NT 4.0 Post-Service Pack 6a Security Rollup Package.

As you can probably guess by the name, the package is only intended for Windows NT 4.0 servers and workstations running Service Pack 6a. You can’t install this package if you’re running an earlier service pack or if you never updated your server at all.

The Windows NT 4.0 Post-Service Pack 6a Security Rollup Package patches many potential security problems in Windows NT, over 50 security problems in all. Components patched include the base operating system, IIS 4.0, Index Server, and Front Page Server Extensions. Key fixes include such things as:
  • Malformed RTF Control Word Vulnerability—One of the common file formats supported by Microsoft Word is RTF. RTF files consist of both text and control information in the form of control words. The RTF reader that ships with Windows NT has an unchecked buffer in the control word parser. If a user opens an RTF file that contains a control word that’s been hacked in the proper fashion, it could cause the server to crash.
  • Recycle Bin Creation Vulnerability—Through this security hole, it’s possible for a user to create, delete, or modify files in the Recycle Bin of another user.
  • Malformed TCP/IP Print Request Vulnerability—This security vulnerability allows a hacker to create a print request that could cause Tcpsvc.exe to crash. When this occurs, services other than TCP/IP Printing Services stop, including DHCP.
  • IP Fragment Reassembly Vulnerability—This hole arises from a bug in NT’s code that reassembles TCP/IP fragments. If a hacker sends a continuous stream of fragmented IP packets to the server, the server’s CPU will quickly spike to 100 percent utilization while trying to reassemble the bad fragments. If your server sits behind a firewall or proxy server that drops fragmented packets, you’re probably safe.
  • Remote Registry Access Authentication Vulnerability—It’s possible to access the registry of a remote machine in Windows NT. However, before you do so, you must send a request to a Remote Registry server. If a hacker creates a request in a certain manner, it will cause the Remote Registry to crash. Because the Remote Registry service is part of the Winlogon.exe system process on Windows NT 4.0, the entire system will also crash.
  • NetBIOS Name Server Protocol Spoofing Vulnerability—The NetBIOS Name Server (NBNS) protocol is part of NetBIOS over TCP/IP. It is implemented by the Windows Internet Name Service (WINS). Unfortunately, this is an unauthenticated protocol and can be easily spoofed. A hacker can use WINS’s Name Conflict and Name Release mechanisms to cause another machine to be unable to register a name on the network or to relinquish a name it had already registered.
  • Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard—In March 2001, VeriSign, Inc., one of the most popular digital certificate issuers on the Internet, discovered it had issued two digital certificates to someone who claimed to be a Microsoft employee but wasn’t. It would be possible for a hacker to use the fake certificates to create programs, ActiveX controls, or Office macros that appeared to be officially from Microsoft.

Unfortunately, the Windows NT 4.0 Post-Service Pack 6a Security Rollup Package doesn’t fix every security problem with Windows NT 4.0. New exploits appear on a fairly regular basis, so it’s difficult for Microsoft to keep its patches current. Additionally, many security issues arise from poor administration practices rather than from inherent flaws in the system. Security vulnerabilities not included in the Windows NT 4.0 Post-Service Pack 6a Security Rollup Package include:
  • Unchecked buffers in FrontPage Server extension subcomponents.
  • Vulnerabilities in the Microsoft Java Virtual Machine.
  • The ability for users without Administrator rights to create local groups on a domain.
  • Windows NT 4.0 not deleting an Unattended Installation file.

Obtaining and installing the package
To obtain the Windows NT 4.0 Post-Service Pack 6a Security Rollup Package, you can go to this information page and click the link to the download. You can also go directly to the Windows NT 4.0 Post-Service Pack 6a Security Rollup Package download page.

On the download page, select the language installed on your Windows NT server from the drop-down list and click Next. When the Security Update page appears, click Download Now. Microsoft’s Web site suggests that when the File Download window appears, select the Run This Program From Its Current Location radio button. If you have more than one server to update, select Save This Program To Disk and save it to a temporary directory on your server.

Then, the Q299444I.exe file downloads to your server. This file is 14,883,736 bytes long, so it may take a while to download if you’re only connecting with a dial-up account.

After you’ve downloaded the file, run it. You can do this by finding it through My Computer and double-clicking it or by dropping to a command prompt, changing to the temporary directory where you downloaded it, typing q299444i, and pressing [Enter]. You can do this on all of your NT servers by copying the Q299444I.exe file to a share available to all of your servers and repeating the process on each of them.

When you run the file, it first extracts the hot fixes to a temporary directory. After the file extracts, it then installs the hot fixes. Don’t panic if you see it copy a lot of files and open and close several command windows. After all of the hot fixes install, you’ll see the Windows NT Hot Fix Setup screen appear, informing you that you need to restart your system. Click OK to restart your server, and then you’re fixed!
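If you have a roomful of NT servers, repeating the double-click on each one gets old fast. Here is an added example of a batch script, not part of this article or of any Microsoft tool, that runs the package unattended from the share mentioned above, first checking that Service Pack 6a is really installed (the package refuses earlier service packs) and afterwards checking that the package registered itself. The share and log paths, the registry markers it looks for (the Q246009 hotfix key that SP6a leaves behind and the Q299444 key the rollup leaves behind), the assumption that regedit /e writes an ANSI export on NT 4.0, and the -z -m -q installer switches are all assumptions; verify them against the package’s own Knowledge Base article before running this against production servers.

```batch
@echo off
REM Added example (not from the article or from Microsoft): unattended rollout
REM of the Windows NT 4.0 Post-SP6a Security Rollup Package from a share.
REM Assumptions to verify before use:
REM  - PKG and LOG paths exist and the server can reach them.
REM  - SP6a leaves the key ...\CurrentVersion\Hotfix\Q246009 (CSDVersion alone
REM    reads "Service Pack 6" for both SP6 and SP6a).
REM  - The rollup leaves the key ...\CurrentVersion\Hotfix\Q299444.
REM  - regedit /e writes a plain-text (REGEDIT4) export on NT 4.0, so FIND works.
REM  - The package accepts the usual NT hotfix switches: -z (no reboot),
REM    -m (unattended), -q (quiet).
REM Usage: APPLYSRP.CMD          normal run, skips servers already patched
REM        APPLYSRP.CMD FORCE    reapply (needed after SP6a has been reapplied)

setlocal
set PKG=\\FILESERVER\patches\Q299444I.exe
set LOG=\\FILESERVER\patches\logs\%COMPUTERNAME%.log
set NTKEY=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
set EXPORT=%TEMP%\ntver.reg

echo ==== %COMPUTERNAME% ==== >> "%LOG%"
date /t >> "%LOG%"
time /t >> "%LOG%"

if not exist "%PKG%" goto :nopkg

REM Export the CurrentVersion key (and its Hotfix subkeys) to a text file so the
REM service pack level can be checked with FIND. FIND sets errorlevel 1 when the
REM string is absent.
regedit /e "%EXPORT%" "%NTKEY%"
find "Service Pack 6" "%EXPORT%" >nul
if errorlevel 1 goto :nosp6a
find "Q246009" "%EXPORT%" >nul
if errorlevel 1 goto :nosp6a

REM Skip servers that already carry the rollup unless FORCE was given; after
REM reapplying SP6a the rollup must go on again, in that order.
if "%1"=="FORCE" goto :install
find "Q299444" "%EXPORT%" >nul
if not errorlevel 1 goto :already

:install
echo Applying %PKG% >> "%LOG%"
"%PKG%" -z -m -q

REM Re-export and confirm the package registered itself; the exit code of the
REM self-extractor is not relied on.
regedit /e "%EXPORT%" "%NTKEY%"
find "Q299444" "%EXPORT%" >nul
if errorlevel 1 goto :failed
echo Rollup applied; reboot required >> "%LOG%"
goto :end

:nopkg
echo Package %PKG% not reachable >> "%LOG%"
goto :end

:nosp6a
echo Service Pack 6a not found; apply SP6a first >> "%LOG%"
goto :end

:already
echo Rollup already present; use FORCE to reapply >> "%LOG%"
goto :end

:failed
echo Rollup did NOT register; check manually >> "%LOG%"

:end
if exist "%EXPORT%" del "%EXPORT%"
endlocal
```

Because the script passes -z, the server is not rebooted automatically; the hot fixes are not fully in effect until you restart it yourself, so schedule that reboot rather than leaving the server in the half-applied state. The per-server log on the share lets you see at a glance which machines still need SP6a, which were skipped as already patched, and which need a closer look.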

Post rollup issues
After you install the package, you may encounter a few problems. If you’re running Windows NT on a Compaq server with the Compaq Array Controller Driver, you may encounter the Blue Screen of Death after applying the package. To fix this problem, visit Microsoft’s Support Site and read Knowledge Base article Q305228.

Also, if your server uses an IntelliPoint mouse, it may lock up after installing the package. This can occur if you’re running IntelliPoint 2.0. You can avoid the problem by upgrading to IntelliPoint 2.2 or later before installing the package. If it’s too late, you can find out how to fix this problem by visiting Microsoft’s Support Site and reading Knowledge Base article Q305462.

Finally, don’t forget that any time you add a new service to your Windows server that requires you to reapply Service Pack 6a, you must also reapply the Windows NT 4.0 Post-Service Pack 6a Security Rollup Package. Just make sure that you reapply Service Pack 6a first and then reapply the package.

Security is a major concern for network administrators. Windows NT can still be a favorite target of hackers. Fortunately, you can beef up security on your old reliable NT server by applying the Windows NT 4.0 Post-Service Pack 6a Security Rollup Package.
