Patrick,

Thanks so very much - you've been a big help and I really appreciate it.

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Patrick R. Sweeney
Sent: 21 January 2002 18:32
To: MSWinNT Discussions
Subject: RE: Post SP6a Hotfixes

The good news: I think Q299444 and Q297860 will pretty much cover an SP6a machine running IIS.

The bad news:

Method 1: (long - includes some ranting about the deficiencies of Microsoft's QFE release process.)

To identify all security related hotfixes for a particular product go to http://www.microsoft.com/security
Click the Security Bulletins link on the left. Now select the product and SP version. One note of caution - components covered by the OS SP are often listed on their own in this page, so after you check Windows NT 4.0 Server you'll have to go back and check IIS, HyperTerminal, and other applications bundled with the OS or the Option Pack.

Now, once you have a complete list, go to bulletin MS01-041 and find the link for Security rollup. Open that article and cross off all the patches listed there. Installing Q299444 takes care of all of these. (Q299444 is not an article about the rollup - it is an article about an RPC DoS fix. The rollup is detailed in a separate article but the brain surgeons handling the MS QFE release process have followed some convoluted logic which leads them to conclude that the last hotfix included in the rollup is the appropriate Q article to tag the rollup with. This is not followed consistently throughout the QFE release process - COM+ hotfixes are handled in a logical manner, except that file versions in those often don't match the file versions expected because when a newer COM+ rollup comes out the older ones seem to get repackaged with the newer set of files.)

There is also an IIS rollup (MS01-048, Q297860) - so cross the appropriate articles off your list (including the previous rollups that this supersedes.)

Now download the remaining hotfixes and run each with a /x and extract each to its own directory.
Now use filever to catalogue the file versions in these fixes. Determine which fixes will be completely superseded by other fixes and eliminate them. Check the file versions for remaining fixes against their respective articles and contact MS PSS for those that don't match. (You could also incorporate a SHA1 sum utility and verify against the mssecure.xml file used by HFNETCHK. MS has been known to release multiple versions of files without incrementing the file version resource.)

Also open the hotfix.inf file for each hotfix and check the strings it contains at the end of the file - for NT 4 it should list the SP that this comes after (Win2K it should list the SP it will likely be included in.) MS frequently screws this up.

Now repeat this process for IE and any other components commonly installed on your servers. (If you install Outlook on servers you must use this process for Office since HFNETCHK is not yet capable of checking it.)

Method 2: (quicker and easier)

Install a machine with everything you commonly use, IE, IIS, SQL, Exchange. Install the highest SP for each product. Run HFNETCHK. Get the hotfixes flagged. Explode them all, and check the file versions and hotfix.inf form. (Hotfix.inf is OS hotfix only. IE and Office hotfixes can take on a variety of forms. Given the high failure rate of packaging errors in the rigidly formatted hotfix.inf files I doubt more than 30% of other MS hotfixes are packaged correctly.)

Method 3: (ALL HOTFIXES - Quick but dangerous and incomplete)

You should be able to go to ftp://hotfix.microsoft.com/winnt/windows_nt_4.0/sp7/ and work off the list of fixes there. Two articles which seem to be missing here - Q299444 the Post SP6a Security Rollup Package (SRP) and Q297860 - the IIS rollup. That and the directories for IIS 4.0 make no sense. (This comes back to MS's face saving but BS decision not to release an SP7 for NT 4.0. Now they are releasing rollups but their whole process is not geared for tracking it.
This translates into an enormous multiple of labor in maintaining a MS infrastructure with proper rigor.)

p.s. If Bill Gates is serious about security this release process must be fixed. So far the only thing I've seen in respect to this from the SPTT is HFNETCHK - but the release process is no better and my sources indicate that while Scott Culp is advocating the elimination of Full Disclosure MS is sitting on security related hotfixes for up to 6 months and asserting once again that exposures that are "unknown" in the wild don't need to be patched. I can't confirm this, but I've heard it from sources who I respect. This also means I know of two unpatched exposures - one simple DoS and one remote execution. I also heard this from an individual connected to a well-known and respected tiger-team in relation to a recent SQL patch.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Whittington, Mark
Sent: Monday, January 21, 2002 6:21 AM
To: MSWinNT Discussions
Subject: Post SP6a Hotfixes

Dear All,

What's the easiest way of identifying all of the post SP6a hotfixes - is there a generic, on-line, list available? I believe that I could use HFNETCHK on an individual server but this list I want to produce is not machine centric.

Tnx
Mark
------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to [EMAIL PROTECTED]
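
The elimination step in Method 1 above (catalogue the file versions, then drop the fixes that are completely superseded by others), as an added example that is not part of the original thread. The catalogue format, fix ids, file names, versions and digests are all constructed; the example goes one step beyond the message by flagging files whose version resource matches while the digest differs, the packaging problem the message warns about.

```python
# Added example: find hotfixes completely superseded by other hotfixes.
# Assumed catalogue format (constructed): fix-id  file  version  digest
CATALOGUE = """\
FIX-A  a.sys  4.0.1381.7086  d1
FIX-A  b.exe  4.0.1381.7085  d2
FIX-B  a.sys  4.0.1381.7100  d3
FIX-C  b.exe  4.0.1381.7090  d4
FIX-D  c.dll  4.0.1381.7092  d5
FIX-E  c.dll  4.0.1381.7092  d6
FIX-F  a.sys  4.0.1381.7100  d3
"""

def parse_version(text):
    """'4.0.1381.7100' -> (4, 0, 1381, 7100), so parts compare as numbers."""
    return tuple(int(part) for part in text.split("."))

def parse_catalogue(text):
    """Return {fix: {file: (version_tuple, digest)}} from catalogue lines."""
    fixes = {}
    for line in text.splitlines():
        if line.strip():
            fix, name, version, digest = line.split()
            fixes.setdefault(fix, {})[name.lower()] = (parse_version(version), digest)
    return fixes

def triage(fixes):
    """Return (fixes to install, superseded fixes, files with ambiguous versions)."""
    kept, ambiguous = set(fixes), set()
    for fix in sorted(fixes):
        def covered(name, mine):
            ok = False
            for other in kept - {fix}:
                theirs = fixes[other].get(name)
                if theirs is None:
                    continue
                if theirs[0] > mine[0] or theirs == mine:
                    ok = True            # newer file, or the very same file
                elif theirs[0] == mine[0]:
                    ambiguous.add(name)  # same version resource, different bytes
            return ok
        # A fix is dropped only if every one of its files is covered by fixes
        # that are still kept, so each file always ends at its highest version.
        if all([covered(n, v) for n, v in fixes[fix].items()]):
            kept.discard(fix)
    return sorted(kept), sorted(set(fixes) - kept), sorted(ambiguous)

if __name__ == "__main__":
    install, superseded, ambiguous = triage(parse_catalogue(CATALOGUE))
    print("install:", install)
    print("superseded:", superseded)
    print("same version, different digest:", ambiguous)
```

FIX-A is dropped because its two files are covered by two different fixes, and FIX-D and FIX-E are both kept and flagged because their version numbers cannot say which file is newer.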
