One of the easiest ways to eliminate many of the existing and known vulnerabilities and bugs associated with Windows NT is through the application of service packs. Service packs are applied directly to an existing system. They usually take into account all of the previous patches and hot fixes and then apply them en masse to the existing operating system. Service packs are released after a number of hot fixes and patches have been released. A service pack is Microsoft's way of making it easier for the end user to update her system. It is absolutely critical to remain up-to-date on service packs. Applying the latest service pack is the easiest and most efficient way for keeping your Microsoft-based system up-to-date.
A recently released free utility from Microsoft is also available to help an end user determine whether a system is up to date with patches. Microsoft Network Security Hotfix Checker (hfnetchk), found through the Web site www.microsoft.com/technet, is a command-line tool that checks the patch status of a given machine. It runs on both Windows NT and Windows 2000. This utility should be run on a periodic basis to determine if a machine is current on its patches and hotfixes. Listing 10.9 shows some sample hfnetchk output. If you do not patch the system with these updates, you will continue to be vulnerable to attacks against the operating system.
C:>hfnetchk -a b Microsoft Network Security Hotfix Checker, 3.1 Developed for Microsoft by Shavlik Technologies, LLC [email protected] (www.shavlik.com) ** Attempting to download the XML from http://download.microsoft.com/download/ xml/security/1.0/NT5/ EN-US/mssecure.cab. ** ** File was successfully downloaded. ** ** Attempting to load C:inmssecure.xml. ** Using XML data version = 1.0.1.142 Last modified on 8/30/2001. Scanning MACHINEA .............................................................................. Done scanning MACHINEA ---------------------------- MAXIME ---------------------------- Windows 2000 SP2 Patch NOT Found MS00-077 Q299796 Patch NOT Found MS00-079 Q276471 Patch NOT Found MS01-007 Q285851 Patch NOT Found MS01-013 Q285156 WARNING MS01-022 Q296441 Patch NOT Found MS01-025 Q296185 Patch NOT Found MS01-031 Q299553 Patch NOT Found MS01-037 Q302755 Patch Found MS01-041 Q298012 Patch Found MS01-043 Q303984 Patch NOT Found MS01-046 Q252795 Internet Information Services 5.0 Patch NOT Found MS01-004 Q285985 Patch NOT Found MS01-025 Q296185 Patch Found MS01-026 Q293826 Patch Found MS01-033 Q300972 Patch Found MS01-044 Q301625 Internet Explorer 5.5 SP1 Patch NOT Found MS00-093 Q279328 Patch NOT Found MS01-012 Q283908 Patch NOT Found MS01-015 Q286045 Patch NOT Found MS01-015 Q286043 Patch Found MS01-020 Q290108 Patch Found MS01-027 Q299618 |
In this example, we see that this machine is missing several patches related to Windows 2000, IIS 5.0, and Internet Explorer 5.5. The far-right column contains the Microsoft Knowledge Base identifiers. More information on each security patch can be obtained at http://www.microsoft.com/technet/security/current.asp. Each bulletin has a link to the specific patch that can be downloaded.