Securing Legacy Windows Applications

Question:

What are some techniques for securing legacy Windows server applications using virtualization and/or sandboxing?

Answer:

……,

I do come across these legacy applications everyday and you are right they are not going away and we have to deal with them.

VMware and the other virtualization solutions will not make legacy windows applications more secure (or less secure) . They will just virtualize legacy host systems and fill the need for multiple hardware hosts. You may certainly choose to segment hosts via virtualization, if you believe that it is easier to apply high end IPS/FW/Content security systems inline. This is technically possible in several ways,

1- Deploying hypervisor behind security controls

2- Deploying virtualized security appliances in between vm images.

Your options are not that much different on non-vm deployments. Legacy windows systems are tough to secure for the following reasons:

1- They are usually deployed on vulnerable operating systems, the patches are not available for the operating systems.

2- Host based security controls are usually not compatible (HIPS, AV, FW, Logging, Identity Management etc)

3- Ancient communication protocols are used (RPC, older network stacks, clear text non authenticated file transfers etc)

4- Don’t have the developers of the apps at reach, it is not easy to patch application vulnerabilities…

And the list goes on for the reasons that you already know.. Here are practical solutions: 1- Deploy file integrity monitors, registry monitors. These MD5/SHA1 based tools are independent of the OS, they bring some security. You need to identify critical files/filesystems yourself.

2- Migrate user management to new systems if possible (this is usually not possible but try – avoid NT4 domains, allow local admin users only). Migrate old databases/database connectors to new ones if possible (applications stays intact /data moves to a new home, technically to a more secure one)

3- Segment these servers, they will be compromised since they cannot be properly secured. Do not keep them in the same segment with other “decently” secured hosts/applications. If possible use 1 new segment per host. Usually it is difficult to change IP settings so you can use transparent firewalls/IPS at Layer2

4- After segmenting , assume that these legacy segments are untrusted, apply the security controls that you apply to untrusted segments.

5- Run vulnerability assessments continuously, and know your vulnerabilities. Run your action plan based on the findings…Pen test if the stakes are higher.

6- You will probably see buffer overflows, monitor uptime and get curious after unplanned reboots ,systems halts

7- Log everything at network level (not on host or at application level). Allow access at need to know level. Restrict access by any means (IP, client etc).. Make sure that you have audit trail.

8- Have a migration plan, if not make sure that your risk statement includes the risks associated with these hosts.

Good luck, cross your fingers,

cheers,

- yinal ozkan