New hardening guides arrive early for April Fools' Day.
Microsoft released a downloadable document today that discusses how to harden your Windows 98 and NT 4.0 systems.
It seems a little early for April Fools' Day, so I opened it up and took a look.
It's a 109-page document full of honest and useful advice for those of you in the untenable position of having to secure a network with components that date from the last century.
It could do with a little proof-reading ("The Security Configuration Manager is available from the Microsoft FTP server at http://microsoft.com/ntserver/techresources/security/securconfig.asp" - how is "http://" the start of an FTP server location?), but a quick skim through suggests that this is a good starting document for anyone who has to work with these older systems.
My only gripe on this initial read is that the suggestion to readers that their first step should be to try all means possible to upgrade these systems should have been in huge type, bold, and ideally a fetching shade of red to draw people's attention to it.
The danger of publishing guides like these is that people will assume that their presence means that these systems can continue to be used, and are sufficiently secure for corporate use.
The danger of not publishing guides like these, however, is that people will assume that their absence means that these systems are already sufficiently secure for corporate use.
Just as abstinence programmes do little to nothing to counter teen pregnancy and sexually transmitted diseases, so too a security programme should be willing to say "Windows 98 and NT 4.0 are no longer supported by their vendor, and are not secure for today's corporate environment," but follow this up with "Here's what you can do to make them more secure, if you find your enterprise in bed with these systems, and you cannot prevent what naturally occurs."
Usual disclaimers apply: read the list of hardening methods, and their reasons for being, and assess the risks and benefits of each before choosing to apply or discard them.
Remember RFC 1925:
"With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead."