The recent release of Windows 2000 Service Pack 1 (SP1) brings to mind that with new security exploits discovered each week, keeping your systems current with the latest vendor updates is crucial, especially for systems—such as Web, email, and e-commerce servers—that are exposed to the Internet. Staying current with Windows NT hotfixes and service packs was a nightmare, but I’m happy to say that Microsoft has addressed these problems in Win2K. In this article, I’ll show you the improvements that Microsoft has made to help you keep your systems up to date and secure. If you haven’t already installed Win2K SP1, you can find it, as well as hotfixes and most other Microsoft downloads, at Microsoft’s Web site.
Improvement #1: Service packs no longer introduce new (buggy) features. Service packs are supposed to be cumulative; however, in addition to providing regression-tested releases of all prior service packs and hotfixes, Microsoft had gotten into the habit of including new features. Unfortunately, whenever Microsoft released new features, it often meant new bugs and instability. Consequently, many administrators became gun shy about loading the latest service pack and, thus, security suffered. Beginning with NT 4.0 SP4, Microsoft promised to refrain from introducing mandatory new functionality. If you consult the Win2K SP1 readme file, you can confirm that Microsoft is living up to its promise in word and deed.
Improvement #2: No more reapplying service packs. Another problem with service packs has been layered updates. When you changed your system state (e.g., by loading a new device driver), installing RAS, Microsoft IIS, or another component, you had to reapply the latest service pack. Thanks to Windows File Protection, this problem is a thing of the past.
Improvement #3: No more vanishing high encryption. With NT, you had to obtain and install a separate high-encryption version of each service pack. If you forgot to do this and installed the normal 40-bit encryption service pack on a system already enabled for 128-bit encryption, the system reverted to the weaker encryption level. For Win2K, you can obtain and install the high encryption pack from Microsoft’s Web site. Then, you can install subsequent service packs when they come out without worrying about your encryption level. The service pack determines your current encryption level and automatically installs the correct files.
Improvement #4: Install service packs along with Win2K. With NT, when you installed a new system, you couldn’t install the OS and the latest service pack in one step. To solve this problem with Win2K, you simply copy the i386 directory of your Win2K CD-ROM to a shared directory on a file server, such as \\fs1\win2k. Next, download the full service pack (sp1network.exe), which is about 88MB, from Microsoft’s Web site. Extract the service pack file to a temporary directory using the /x parameter. For example, create a temporary directory called c:\tempsp1. Next, run
and enter \\fs1\win2k when prompted for a path. Finally, from the temporary directory where you extracted SP1, run
to install SP1 on top of Win2K. At this point, you can delete c:\tempsp1. Now, you can install Win2K and SP1 from this directory in one step by running winnt32.exe.
Improvement #5: Hotfixes now have an informative naming convention. With NT, hotfix files had cryptic names, such as privfix and roll-up, that followed no pattern. It was difficult to determine which vulnerability or bug the hotfix addressed and what language, hardware platform, and OS that Microsoft had compiled the hotfix file for. To determine this information, you had to unpack the hotfix file and make sense of the equally cryptic hotfix.inf file. With Win2K, hotfixes now have a standard naming convention in the form of Q######_XXX_YYY_ZZZ_LL.
For example, Q259622_W2K_SP1_x86_en.exe addresses the Malformed Environment Variable Vulnerability. Q###### identifies the number of the Microsoft Knowledge Base article that documents the hotfix. For security vulnerabilities, this article documents the nature of the vulnerability and how the hotfix addresses it. (You can look up a Knowledge Base article number at Microsoft’s support Web site. XXX specifies the OS—Win2K in this case. YYY specifies which future service pack will include this hotfix. In this example, Q259622 is a pre-SP1 hotfix. As a result, when Microsoft released SP1, the service pack included the new functionality included in the Q2596222 hotfix. ZZZ and LL identify the hardware platform and language, respectively, for which Microsoft compiled the hotfix file.
Improvement #6: Users can use Control Panel to check installed hotfixes. When assessing system security, you frequently need to verify that someone has installed important security-related hotfixes on a particular system. Microsoft has made this task much easier with Win2K. When you install a hotfix in Win2K, the installation adds an entry under Control Panel in the Add/Remove programs applet, as Figure 1 shows. By letting you use the Control Panel in this manner, Microsoft has also made it easy to uninstall a hotfix if it introduces a new problem. Be aware that when you uninstall hotfixes, you need to remove your hotfixes in the reverse order that you installed them. This approach is necessary to successfully return the system to its original state because multiple hotfixes can update the same file. How do you determine the order in which you installed the hotfixes? Each hotfix creates a hidden uninstall directory in %systemroot% in the format $NtUninstall <Q###### >$, as Figure 2 shows. Check the directory creation date to determine when you installed the hotfix.
Microsoft is trying to make it easier for you to keep your systems up to date with the latest service pack and hotfixes. If you haven’t installed Win2K SP1 yet, you’ll want to take a closer look. Be aware that several security-related hotfixes have come out since SP1.
Keeping many systems up to date can be time consuming, given the rate at which new exploits and corresponding fixes appear. To stay secure, you need to automatically deploy service packs and hotfixes to your systems. In a future column, I'll show you how to do that with a few simple scripts.