Slipstreaming Service Packs and Hotfixes

An important component of any Windows installation is hardening—that is, configuring the system after the installation process to make it more secure. The keys to hardening Windows 2000 are to install service packs and hotfixes, modify registry settings, and change insecure default configurations. However, not every organization puts its Win2K systems through this hardening process. As a result, thousands of computers across the Internet are vulnerable to intrusion and Internet-based worm viruses.

You need a way to install Win2K in an already-secured state so that you can safely connect it to a hostile network such as the Internet. Installing service packs and hotfixes is the first step toward that state. Unfortunately, Microsoft hasn't provided adequate tools for streamlining the process, and the company isn't likely to support the hacks I describe in this article. But through the use of third-party shareware and a bit of experimentation, you can install Win2K in an already-secured state.

A word of caution: This article isn't for the faint of heart. The hotfix-slipstreaming process is cumbersome and tedious, and Microsoft might suddenly decide to tweak something that would render these instructions useless. But if you're faced with the task of installing and hardening many Win2K servers, the process is definitely worth the effort.

Distribution Files
You can customize a Win2K installation in many ways, but one method that Microsoft doesn't support is to build a custom bootable installation CD-ROM—a useful method that you can use as the basis for other methods. The first step is to build a master Win2K distribution directory. This distribution directory will be the source for your bootable CD-ROM and should be well secured to maintain its integrity.

Copy the entire contents of your Win2K CD-ROM to a directory on your hard disk. You won't need all the files on the CD-ROM, so to make room for other utilities and updates, you might want to remove the files and directories that you won't use. You can safely remove the following directories and files: \bootdisk, \setuptxt, \support, \valueadd, read1st.txt, and readme.doc. If you'll use this distribution only for clean installations and not for upgrades, you can also safely remove the following files and directories: \i386\win9xmig, \i386\win9xupg, \i386\winntupg, autorun.inf, and setup.exe. You might also want to add files that you commonly install. On my CD-ROM, I've created a \software directory for commonly installed software and an \updates directory for—you guessed it—product updates.

Slipstreaming Service Packs
Slipstreaming is the process of integrating a service pack into a Windows distribution. One advantage of slipstreaming is that the service pack becomes the base file set for the distribution. If you ever add or remove components, the system will always use these updated files, rather than the original source files. Another advantage of slipstreaming service packs is that the system creates the Protected Store with a higher level of encryption. Microsoft Security Bulletin MS00-032 (Patch and Tool Available for "Protected Store Key Length" Vulnerability) talks about a flaw in the encryption level of the Protected Store. You might not realize that in addition to installing the hotfix (or latest service pack), you must also run keymigrt.exe for every account on the system. If you slipstream the service pack, you don't need to take this step because the maximum level of encryption is in place from the start. The disadvantage of slipstreaming service packs is that you can't uninstall the service pack. So, you need to make sure the service pack works properly with your configuration before you slipstream it.