Isolation

Suppose your Windows NT 4.0 systems run an application that is only used by a small subset of personnel, would be prohibitively expensive to upgrade or replace, and won’t run on modern operation systems? If that’s the case, then we need to do the best we can to isolate the legacy NT 4.0 systems to isolate any risk of damage or interference to the rest of the network.

The lowest budget way to handle isolation is typically through VLANs and access control lists. Users of the NT 4.0 legacy system should be added to the same VLAN as the Windows NT 4.0 systems. However, this can often be cumbersome to manage, especially with users in multiple locations and interaction with other enterprise infrastructure, such as backup and anti-virus systems.

For another low cost solution, consider reusing old VPN hardware to create an isolated internal network for the legacy Windows NT 4.0 systems. Your decommissioned VPN hardware may no longer have enough horsepower to serve the entire enterprise, but it will probably perform adequately to allow a small to medium number of users to access the NT 4.0 legacy systems.

Finally, a more robust isolation solution might entail moving the Windows NT 4.0 systems to an isolated subnet and using a Citrix front-end to control user interaction with the NT 4.0 systems. Assuming that your users currently use a front-end local application to interact with the NT 4.0 back-end systems, you would simply move the front-end application to a Citrix server in front of the isolated Windows NT 4.0 systems and eliminate any direct access to the Windows NT 4.0 isolated network.


Virtualization

Depending on the application in use on the legacy Windows NT 4.0 system, virtualization could be a good choice for replacement. Using VMWare, you could schedule systematic snapshots, which could allow for a quick recovery in the event of compromise. An added benefit here would also be that you’re no longer dependant on the aging hardware which may also be no longer supported by the hardware vendor. However, without isolation, either through the VM product or otherwise, your legacy systems could still be used as attack platforms for attacking the rest of your network.

If your legacy system contains only static data, then one extremely low-cost and secure solution would be to roll the Windows NT 4.0 system into a non-networked VM that is accessed locally using the freely available VMWare Player software. If networking is disabled then any network security problems associated with Windows NT 4.0 are all but eliminated.

Summary

Continuing to run unsupported legacy operating systems such as Windows NT 4.0 can be a serious risk to organizational security and compliance. Since they receive no security patches, these systems are vulnerable to many potential exploits and worms. However, in this article we looked at several low-cost ways to mitigate the risk though replacement, isolation, and virtualization.