This article presents a checklist for converting a default Windows NT
installation to a bastion host. It makes little or no attempt to
explain or discuss the features it implements. Therefore I suggest that
you first read all the Knowledge Base articles I've listed and the
other referenced documents. If there is something you don't understand
after having read those articles, do not continue. Read them
again or look for additional assistance.
How does the bastion host protect the network behind it from attack?
Extreme caution should be exercised when installing new software on
bastion hosts. Very few software products have been designed and tested
to run on these exposed systems. See Chapman and Zwicky [2] for a
thorough treatment of bastion hosts.
Install NT
Start with a clean system. The machine should not be attached to a
public network while you are doing the installation/configuration. If
you have to have a network connection, make sure it's an isolated,
trusted network segment. Do not have any other operating systems
installed on your bastion host. Install Windows NT 4.00 US-ENGLISH. Use
only NTFS. If you're installing NT Server, make it a "stand-alone"
server, not a domain controller. This server will not participate in a
domain. Do not install the IIS 2.0 that ships with NT Server. If you
want to run IIS, install it from the NT Option Pack.
As for network protocols and services, install only TCP/IP and do not
install additional network services.
Consider removing everything except WordPad in Add/Remove Programs
-> Windows NT Setup.
Install Software
Install any third-party software. This might be a Web server such as
IIS 4.0. To install IIS 4.0 you must already have SP3 or later on the
system. This doesn't change the fact that you have to reinstall the
latest service pack afterward: the Option Pack and other installers
put older versions of system files back on the disk.
(Re-)Install the Latest Service Pack
Install the latest service pack for Windows NT 4.00. (At the time of
writing, this is Service Pack 5.) If you choose to make a backup of old
files during the SP installation, be sure to remove the old files
afterward. We do not want to leave the possibly vulnerable binaries on
the system.
Install Available Hotfixes
Install all available hotfixes from
<ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40>. These should include only Windows NT
OS fixes, not any application-specific fixes.
Figure 1
Remove Unused Network Services
Remove all unused services with the Network application in the Control
Panel. This should leave you with a configuration like the one shown in
Figure 1.
Only the RPC configuration for the port mapper (RpcSs) is left. IIS
will not start without it.
Note that when you remove the Workstation service, you will get a
message every time you start the Network application in Control Panel:
"Windows NT Networking is not installed. Do you want to install it
now?" Always answer NO to this question.
Another caveat is that User Manager for Domains (usrmgr.exe)
stops working when the Workstation service is not running. Replace it
with User Manager (musrmgr.exe) from NT Workstation.
Disable NETBIOS
By unbinding the WINS Client in the Network application from all
adapters, we get rid of all listeners on the NETBIOS ports: Network
-> Bindings -> All protocols -> WINS Client -> Disable.
Also disable the WINS Client driver in Control Panel -> Devices
-> WINS Client -> Disable.
Configure TCP/IP Filters
Configure TCP/IP security by specifying the ports that are allowed
inbound (TCP or UDP) on each network adapter. This is done in Network
application -> Protocols -> TCP/IP -> Advanced -> Enable
Security -> Configure.
Skip this step if you are going to install other packet-filtering
software on this host later on.
Example: Web Server
The configuration shown in Figure 2 allows only connections to tcp/80.
No UDP is accepted. ICMP cannot be blocked.
Figure 2
Disable Unused Services
Everything should be disabled except the following (excluding any
applications we want running on the system, of course):
  Remote Procedure Call (RPC) Service
The processes that should be running are:
  smss.exe      Session Manager
  csrss.exe     Client Server Subsystem
  winlogon.exe  The logon process
  services.exe  The main service handler process
  pstores.exe   Protected storage
  lsass.exe     Local Security Authority
  rpcss.exe     The RPC end-point mapper
  explorer.exe  The Explorer GUI
  loadwc.exe    Explorer-related
  nddeagnt.exe  Explorer-related
Encrypt the System Accounts Database
Run the syskey.exe utility (with the key-on-disk option). This encrypts
the password hashes in the SAM with a key that is not stored on the
system disk, which gives basic protection against offline cracking of
a copied SAM with tools like L0pht Crack (<http://www.l0pht.com/>).
Apply Policies and ACLs
Run the Microsoft Security Configuration Editor (SCE) in command-line
mode. The command-line version of this tool is included in the
hpnt*.zip archive, available at my Web site
(<http://people.hp.se/stnor/>). SCE ships on the Service Pack 4 CD
(see Q195227). Our configuration file is called bastion.inf. This
file is an ASCII text file. You can take a look at it in your favorite
editor, but it's best viewed with the SCE Microsoft Management Console
snap-in.
C:\> secedit /configure /cfg bastion.inf /db %TEMP%\secedit.sdb /verbose /log %TEMP%\scelog.txt
Read %TEMP%\scelog.txt afterward; every setting secedit could not apply
is reported there.
This will make a number of changes to your configuration. Here is a
summary of the most significant changes:
Account policies
Password policy
  Enforce password uniqueness by remembering last passwords   6
  Minimum password age                                         2 days
  Maximum password age                                         42 days
  Minimum password length                                      10
  Complex passwords (passfilt.dll)                             Enabled
  User must logon to change password                           Enabled
Account lockout policy
  Account lockout count                                        5
  Lockout account time                                         Forever
  Reset lockout count after                                    720 mins
Local policies
Audit policy
  Audit account management   Success, Failure
  Audit logon events         Success, Failure
  Audit object access        Failure
  Audit policy change        Success, Failure
  Audit privilege use        Failure
  Audit process tracking     No auditing
  Audit system events        Success, Failure
User rights assignment
  SeAssignPrimaryTokenPrivilege     No one
  SeAuditPrivilege                  No one
  SeBackupPrivilege                 Administrators
  SeCreatePagefilePrivilege         Administrators
  SeCreatePermanentPrivilege        No one
  SeCreateTokenPrivilege            No one
  SeDebugPrivilege                  No one
  SeIncreaseBasePriorityPrivilege   Administrators
  SeIncreaseQuotaPrivilege          Administrators
  SeInteractiveLogonRight           Administrators
  SeLoadDriverPrivilege             Administrators
  SeLockMemoryPrivilege             No one
  SeNetworkLogonRight               No one
  SeProfileSingleProcessPrivilege   Administrators
  SeRemoteShutdownPrivilege         No one
  SeRestorePrivilege                Administrators
  SeSecurityPrivilege               Administrators
  SeShutdownPrivilege               Administrators
  SeSystemEnvironmentPrivilege      Administrators
  SeSystemProfilePrivilege          Administrators
  SeSystemTimePrivilege             Administrators
  SeTakeOwnershipPrivilege          Administrators
  SeTcbPrivilege                    No one
  SeMachineAccountPrivilege         No one
  SeChangeNotifyPrivilege           Everyone
  SeBatchLogonRight                 No one
  SeServiceLogonRight               No one
Any application that runs under its own account needs the matching
right added back. For example, the IIS anonymous Web account
(IUSR_machinename) needs "Log on locally" (SeInteractiveLogonRight),
and a service configured to run as a dedicated account needs "Log on
as a service" (SeServiceLogonRight).
Event Log Settings
The Application, System, and Security logs are each configured with a
maximum size of 100MB. They overwrite events as needed, but only
entries older than 30 days. Guest (anonymous) access to the logs is
disabled.
Registry Values
The policy will also apply the following changes to the registry.
KEY | Type | Value
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\AddPrintDrivers | REG_DWORD | 1
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword | REG_DWORD | 0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect | REG_DWORD | 15
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks | REG_DWORD | 0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer | REG_DWORD | 0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff | REG_DWORD | 1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature | REG_DWORD | 1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature | REG_DWORD | 1
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\RequireSecuritySignature | REG_DWORD | 1
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnableSecuritySignature | REG_DWORD | 1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal | REG_DWORD | 1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel | REG_DWORD | 1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel | REG_DWORD | 1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous | REG_DWORD | 1
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode | REG_DWORD | 1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel | REG_DWORD | 5
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText | REG_SZ | This is a private system. Unauthorized use is prohibited.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption | REG_SZ | Hardened by HP Consulting
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName | REG_SZ | 1
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail | REG_DWORD | 1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown | REG_DWORD | 1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount | REG_SZ | 0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies | REG_SZ | 1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms | REG_SZ | 1
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects | REG_DWORD | 1
MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl | REG_DWORD | 0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing | REG_BINARY | 1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon | REG_SZ | 0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting | REG_DWORD | 1
Some of the changes above are not essential to the bastion host, since
we don't have any SMB services running on the system, but it's still
good practice to apply them. And the script does it all anyway.
File System and Registry Access Control Lists
The ACLs applied to the file system and the registry are identical to
what Microsoft ships as the "Highly secure workstation" template in
SCE. For details check the bastion.inf file with the SCE
snap-in in MMC.
Administrator Account
The bastion.inf policy renames the Administrator account to
"root." This should be changed to something unique for your
environment. Make sure to have a strong password on the Administrator
account as well.
Remove Unused and Potentially Dangerous Components
If an attacker gains access to the bastion host, it is crucial that the
attacker doesn't get extra help to establish a back door or gain access
to other systems. Therefore it's good practice to remove unused
binaries from the bastion host. The downside of doing this is that it
may slow down the administrators as well. Use your judgment here.
To remove DOS, Win16, OS/2, and POSIX subsystems:
KEY | Type | Value
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional | REG_BINARY | 00 00
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\Os2 | N/A | REMOVE THIS VALUE
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix | N/A | REMOVE THIS VALUE
MACHINE\System\CurrentControlSet\Control\WOW | N/A | REMOVE THIS KEY
(Optional, Os2, and Posix are values under the SubSystems key; WOW is a key.)
Delete the following files:
%SystemRoot%\system32\ntvdm.exe
%SystemRoot%\system32\krnl386.exe
%SystemRoot%\system32\psxdll.dll
%SystemRoot%\system32\psxss.exe
%SystemRoot%\system32\posix.exe
%SystemRoot%\system32\os2.exe
%SystemRoot%\system32\os2ss.exe
%SystemRoot%\system32\os2srv.exe
%SystemRoot%\system32\os2 (directory)
Note that some Win32 applications still have 16-bit installation programs (e.g., Firewall-1 3.0). Removing the Win16 or DOS subsystem will obviously break these programs. The system will claim it's unable to find the executable you are trying to run.
Other potentially dangerous tools are:
%SystemRoot%\system32\nbtstat.exe
%SystemRoot%\system32\tracert.exe
%SystemRoot%\system32\telnet.exe
%SystemRoot%\system32\tftp.exe
%SystemRoot%\system32\rsh.exe
%SystemRoot%\system32\rcp.exe
%SystemRoot%\system32\rexec.exe
%SystemRoot%\system32\finger.exe
%SystemRoot%\system32\ftp.exe
You might even consider removing the actual files for the unused
services and drivers from the system, but this might get you in trouble
with Microsoft Support if you need to contact them. Also, the next
service pack you apply will put them back anyway.
Open Ports
Though it's possible to make Windows NT stop listening on all ports,
many applications rely on RPC loop-back communication, especially those
from Microsoft. For example, Internet Information Server 4.0 breaks
if you disable the RPC client or server. However, if you do not
need RPC you can disable it by removing the following keys in the
registry:
KEY | Type | Value
MACHINE\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp | N/A | REMOVE THIS VALUE
MACHINE\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_udp | N/A | REMOVE THIS VALUE
MACHINE\Software\Microsoft\RPC\ServerProtocols\ncacn_ip_tcp | N/A | REMOVE THIS VALUE
MACHINE\Software\Microsoft\RPC\ServerProtocols\ncacn_ip_udp | N/A | REMOVE THIS VALUE
(The protocol sequences are values under the ClientProtocols and
ServerProtocols keys, each naming the transport DLL.)
This will leave you with no open ports whatsoever on your bastion host:
C:\>netstat -an
Active Connections
  Proto  Local Address          Foreign Address        State
C:\>
If you do need RPC, the RPC end-point mapper service
(RpcSs.exe) will open up some ports.
Output of netstat on my test system:
C:\>netstat -an
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         127.0.0.1:1028         ESTABLISHED
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         127.0.0.1:1025         ESTABLISHED
  UDP    0.0.0.0:135            *:*
C:\>
We will have to live with this. The TCP/IP security filters should deny
any connection attempts made to those ports.
Test of TCP/IP Security Filters
Let's try the TCP/IP security filters. First I configured the filters
to allow only tcp/80 and udp/1111. Then I fired up listeners with
netcat (<http://www.l0pht.com/~weld/netcat/>) on
tcp/80,81 and udp/1110,1111. To test I used netcat to try to
connect to the server on the listener ports.
The tcpdump output below shows the behavior of the filter
function with SP4.
UDP packets to port 1110 (blocked) produce no output on the netcat listener.
22:54:14.041112 arp who-has 10.0.0.43 tell 10.0.0.5
22:54:14.041171 arp reply 10.0.0.43 is-at 0:10:5a:e6:cf:74
22:54:14.041240 10.0.0.5.1252 > 10.0.0.43.1110: udp 10
22:54:16.909514 10.0.0.5.1252 > 10.0.0.43.1110: udp 11
UDP packets to port 1111 (unblocked) produce output on the netcat listener.
22:58:30.045340 10.0.0.5.1254 > 10.0.0.43.1111: udp 10
22:58:32.807513 10.0.0.5.1254 > 10.0.0.43.1111: udp 11
UDP packets to port 1111 (unblocked) with no netcat listener elicit ICMP udp port unreachable.
23:00:39.497178 10.0.0.43 > 10.0.0.5: icmp: 10.0.0.43 udp port 1111 unreachable
23:00:39.725978 10.0.0.5.1255 > 10.0.0.43.1111: udp 2
23:00:39.726038 10.0.0.43 > 10.0.0.5: icmp: 10.0.0.43 udp port 1111 unreachable
23:00:39.979497 10.0.0.5.1255 > 10.0.0.43.1111: udp 5
A TCP connect to port 80 (unblocked) produces output on the netcat listener.
23:03:05.220808 10.0.0.5.1264 > 10.0.0.43.http: S 52482:52482(0) win 8192 <mss 1460> (DF) [tos 0x10]
23:03:05.220922 10.0.0.43.http > 10.0.0.5.1264: S 61918:61918(0) ack 52483 win 8760 <mss 1460> (DF)
23:03:05.221044 10.0.0.5.1264 > 10.0.0.43.http: . ack 1 win 8760 (DF) [tos 0x10]
23:03:07.289221 10.0.0.5.1264 > 10.0.0.43.http: P 1:7(6) ack 1 win 8760 (DF) [tos 0x10]
23:03:07.395725 10.0.0.43.http > 10.0.0.5.1264: . ack 7 win 8754 (DF)
23:03:11.146798 10.0.0.5.1264 > 10.0.0.43.http: P 7:8(1) ack 1 win 8760 (DF) [tos 0x10]
23:03:11.301110 10.0.0.43.http > 10.0.0.5.1264: . ack 8 win 8753 (DF)
23:03:11.960993 10.0.0.5.1264 > 10.0.0.43.http: R 52490:52490(0) win 0 (DF) [tos 0x10]
A TCP connect to port 81 (blocked) produces no output on the netcat listener. NT sends RST.
23:23:43.669792 10.0.0.5.1286 > 10.0.0.43.81: S 52552:52552(0) win 8192 <mss 1460> (DF) [tos 0x10]
23:23:43.669857 10.0.0.43.81 > 10.0.0.5.1286: R 0:0(0) ack 52553 win 0
23:23:44.168936 10.0.0.5.1286 > 10.0.0.43.81: S 52552:52552(0) win 8192 <mss 1460> (DF) [tos 0x10]
23:23:44.168995 10.0.0.43.81 > 10.0.0.5.1286: R 0:0(0) ack 1 win 0
23:23:44.669639 10.0.0.5.1286 > 10.0.0.43.81: S 52552:52552(0) win 8192 <mss 1460> (DF) [tos 0x10]
23:23:44.669697 10.0.0.43.81 > 10.0.0.5.1286: R 0:0(0) ack 1 win 0
23:23:45.170337 10.0.0.5.1286 > 10.0.0.43.81: S 52552:52552(0) win 8192 <mss 1460> (DF) [tos 0x10]
23:23:45.170392 10.0.0.43.81 > 10.0.0.5.1286: R 0:0(0) ack 1 win 0
The TCP/IP security filters work well on Windows NT 4.0 SP4.
If the filters are enabled, NT silently discards UDP packets to denied
ports and answers TCP connection attempts to denied ports with a RST.
From the network, a filtered TCP port therefore looks like a closed
one, and a filtered UDP port looks like one with a listener that does
not answer. Note that a permitted UDP port with nothing listening still
returns ICMP port unreachable, which tells a scanner which UDP ports
the filter lets through.
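Reading a filter test by eye works for four ports; for a larger allow-list it is easier to let a script state the verdict per port. The following Python is an added example, not part of the article or of tcpdump: it takes the capture lines from the test above as sample input and decides, for each port on the target, what the wire shows. A TCP SYN answered by SYN/ACK is accepted; a SYN answered by RST is either the NT filter or a closed port (the packets alone cannot tell, which is why the test also watches the netcat listener); a UDP probe answered by ICMP port unreachable passed the filter but found no listener; a UDP probe with no reply was either filtered or consumed by a listener. The SERVICE_PORTS table maps the service names tcpdump substitutes when run without -n (only "http" occurs in the capture); run tcpdump with -n to avoid needing it.

```python
"""Per-port verdicts from a tcpdump capture of a TCP/IP filter test (added example)."""
import re
from collections import defaultdict

# Service names tcpdump prints in place of port numbers when run without -n.
SERVICE_PORTS = {"http": 80, "https": 443, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}

PACKET = re.compile(r"^\S+ (\S+) > (\S+): (.*)$")          # time src > dst: rest
UNREACH = re.compile(r"udp port (\S+) unreachable")

ACCEPTED, RST, SILENT, UNREACHABLE = "accepted", "rst", "silent", "unreachable"
EXPLAIN = {
    ACCEPTED: "handshake completed or data answered: passes the filter",
    RST: "RST returned: denied by the NT filter (or nothing listening)",
    SILENT: "no reply on the wire: filtered, or a listener consumed it",
    UNREACHABLE: "ICMP port unreachable: passes the filter, no listener",
}

def port_number(token):
    """Numeric port, or the number behind a tcpdump service name."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown service name {token!r}; rerun tcpdump with -n")

def endpoint(text):
    """'10.0.0.43.http' -> ('10.0.0.43', 80); a bare IP (ICMP lines) -> (ip, None)."""
    if text.count(".") == 3:
        return text, None
    host, port = text.rsplit(".", 1)
    return host, port_number(port)

def classify_capture(lines, target):
    """Map (proto, port) on target to one of ACCEPTED, RST, SILENT, UNREACHABLE."""
    events = defaultdict(set)                  # (proto, port) -> wire events seen
    for line in lines:
        m = PACKET.match(line)
        if not m:
            continue                           # arp and other non-IP lines
        src, dst, rest = m.groups()
        sip, sport = endpoint(src)
        dip, dport = endpoint(dst)
        if rest.startswith("icmp:"):
            u = UNREACH.search(rest)
            if u and sip == target:
                events[("udp", port_number(u.group(1)))].add("unreach")
        elif rest.startswith("udp"):
            if dip == target:
                events[("udp", dport)].add("probe")
            elif sip == target:
                events[("udp", sport)].add("reply")
        else:                                  # TCP: first token is the flag field
            flags = rest.split()[0]
            if dip == target and flags == "S" and " ack " not in rest:
                events[("tcp", dport)].add("syn")
            elif sip == target and flags == "S":
                events[("tcp", sport)].add("synack")
            elif sip == target and flags == "R":
                events[("tcp", sport)].add("rst")
    verdict = {}
    for key, ev in events.items():
        if key[0] == "tcp":
            if "synack" in ev:   verdict[key] = ACCEPTED
            elif "rst" in ev:    verdict[key] = RST
            elif "syn" in ev:    verdict[key] = SILENT
        else:
            if "reply" in ev:    verdict[key] = ACCEPTED
            elif "unreach" in ev: verdict[key] = UNREACHABLE
            elif "probe" in ev:  verdict[key] = SILENT
    return dict(sorted(verdict.items()))

# Sample input: lines from the capture above (filter permits tcp/80 and udp/1111).
CAPTURE = """\
22:54:14.041112 arp who-has 10.0.0.43 tell 10.0.0.5
22:54:14.041240 10.0.0.5.1252 > 10.0.0.43.1110: udp 10
22:54:16.909514 10.0.0.5.1252 > 10.0.0.43.1110: udp 11
23:00:39.725978 10.0.0.5.1255 > 10.0.0.43.1111: udp 2
23:00:39.726038 10.0.0.43 > 10.0.0.5: icmp: 10.0.0.43 udp port 1111 unreachable
23:03:05.220808 10.0.0.5.1264 > 10.0.0.43.http: S 52482:52482(0) win 8192 <mss 1460> (DF) [tos 0x10]
23:03:05.220922 10.0.0.43.http > 10.0.0.5.1264: S 61918:61918(0) ack 52483 win 8760 <mss 1460> (DF)
23:03:05.221044 10.0.0.5.1264 > 10.0.0.43.http: . ack 1 win 8760 (DF) [tos 0x10]
23:03:11.960993 10.0.0.5.1264 > 10.0.0.43.http: R 52490:52490(0) win 0 (DF) [tos 0x10]
23:23:43.669792 10.0.0.5.1286 > 10.0.0.43.81: S 52552:52552(0) win 8192 <mss 1460> (DF) [tos 0x10]
23:23:43.669857 10.0.0.43.81 > 10.0.0.5.1286: R 0:0(0) ack 52553 win 0
""".splitlines()

if __name__ == "__main__":
    for (proto, port), code in classify_capture(CAPTURE, "10.0.0.43").items():
        print(f"{proto}/{port}: {EXPLAIN[code]}")
```

For the sample the verdicts are tcp/80 accepted, tcp/81 rst, udp/1110 silent and udp/1111 unreachable, matching the author's reading. The SILENT verdict is deliberately ambiguous: only the listener on the target can settle it, so keep netcat running on every UDP port you test.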
Secure the Application
The last step is to make a security review of the application that is
going to run on the system. This might include NTFS ACLs/Auditing and
checking with application vendors for known holes and workarounds or
patches.
Summary
Now your system is reasonably well secured. The only way of breaking
into it over the network (as far as I can tell) is by exploiting a
vulnerability in the applications running on the host (or possibly the
MS IP stack) to run arbitrary code that opens up the system.
We've basically rendered our system inoperable from a management
perspective. Windows NT does not provide remote logging. NT-based
remote-administration tools like Event Viewer and Server Manager are
based on NETBIOS, and NETBIOS is considered a no-go in perimeter
networks: everything runs over it (SMB/CIFS, management, and other
applications based on named pipes), so router access control lists
cannot limit traffic to a host in a granular way. Hence we have to find
other, preferably standardized, ways of administering and monitoring
the Windows NT host.
Relevant MS Knowledge Base Articles
Microsoft Support Knowledge Base is available at
<http://support.microsoft.com/support/search>.
Use "Search for a specific article ID number" and type in the PSS ID number.
PSS ID Number Name of article
Q93362 C2 Evaluation and Certification for Windows NT
Q101063 Windows NT Logon Welcome, Displaying Warning Message
Q114463 Hiding the Last Logged On Username in the Logon Dialog
Q114817 No Shutdown Button in Windows NT Server Welcome Screen
Q140058 How To Prevent Auditable Activities When Security Log Is Full
Q142641 Internet Server Unavailable Because of Malicious SYN Attacks
Q143164 INF: How to Protect Windows NT Desktops in Public Areas
Q143474 Restricting Information Available to Anonymous Logon Users
Q143475 Windows NT System Key Permits Strong Encryption of the SAM
Q146906 How To Secure Performance Data in Windows NT
Q147706 How to Disable LM Authentication on Windows NT
Q151082 HOWTO: Password Change Filtering & Notification in Windows NT
Q153094 Restoring Default Permissions to Windows NT System Files
Q155363 HOWTO: Regulate Network Access to the Windows NT Registry
Q161372 How to Enable SMB Signing in Windows NT
Q161990 How to Enable Strong Password Functionality in Windows NT
Q166992 Standard Security Practices for Windows NT
Q172925 INFO: Security Issues with Objects in ASP and ISAPI Extensions
Q172931 Cached Logon Information
Q174840 Disabling Buttons in the Windows NT Security Dialog Box
Q176820 Differences Between 128-bit and 40-bit versions of SP3 & SP4
Q187506 List of NTFS Permissions Required for IIS Site to Work
Q195227 SP4 Security Configuration Manager Available for Download
Q214752 Adding Custom Registry Settings to Security Configuration Editor
Q217336 TCP/IP Source Routing Feature Cannot Be Disabled
Q218473 Restricting Changes to Base System Objects
Other Resources
"Microsoft Internet Information Server 4.0 Security Checklist."
<http://www.microsoft.com/security/products/iis/CheckList.asp>
"Securing Windows NT Installation."
<http://www.microsoft.com/ntserver/security/exec/overview/Secure_NTInstall.asp>
Kevin Steves, "Building a Bastion Host Using HP-UX 10."
<http://people.hp.se/stevesk/security/bastion.html>
References
[1] Marcus J. Ranum, "Thinking About Firewalls V2.0: Beyond Perimeter Security." <http://www.clark.net/pub/mjr/pubs/think/index.htm>
[2] D. Brent Chapman and Elizabeth D. Zwicky, Building Internet Firewalls. Sebastopol: O'Reilly & Associates, 1995.