Keep your network up-to-date and secure without burning the midnight oil
Microsoft recently responded to several new security holes in Windows NT. Some of these security holes required only a configuration change to protect the system, but many required Microsoft service packs or hotfixes.
Security experts estimate that patches (i.e., configuration changes, service packs, or hotfixes) are available for over 90 percent of system breaches that occur. Security suffers if you don’t apply patches in a timely manner. You can reduce your risk by keeping up-to-date with new exploits and their patches. However, managing service packs and hotfixes is daunting when you have hundreds or thousands of systems to maintain. For example, Microsoft often releases, updates, and removes hotfixes at its FTP sites without informing users. Documentation regarding hotfix installation and cumulative compatibility is sometimes contradictory and confusing. In addition, native NT functionality doesn’t permit easy distribution of updates to multiple computers. To further complicate matters, some hotfixes require you to make risky Registry changes to activate the patch’s functionality. Even simple hotfixes can destabilize systems and introduce new bugs. Finally, obtaining enterprisewide reports on current update levels is difficult, and total cost of ownership (TCO) soars when you maintain systems at wildly disparate update levels.
Without an easy method for administering patches, your costs increase and your security and stability suffer. In this article, I discuss how you can securely manage updates by using simple batch files, NT’s native tools, and inexpensive or free tools and services that are available on the Internet. The process involves discovery, evaluation, testing, deployment, and tracking. (For more information about service packs and hotfixes, see "Related Articles in Windows NT Magazine.")
Discovery
A proper discovery process depends on your level of specialization and responsibility in security matters. In the past, systems administrators often waited until they ran into a problem before they looked for a patch. But current security demands necessitate a proactive approach: You must search for fixes before you need them.
For years, UNIX users have had security bulletin services such as the Computer Emergency Response Team (CERT) and Computer Incident Advisory Capability (CIAC), which announce new exploits and vendor patches. Microsoft only recently introduced its Security Notification Service. At a minimum, you’ll want to subscribe to this service. (Go to http://www.microsoft.com/security/services/subscribe.asp.) However, this vendor-based information source provides only information that serves Microsoft’s best interests.
Mailing lists exist on which the industry’s best hackers and security experts discuss exploits and fixes. My favorite resource is the NTBugtraq mailing list. You can subscribe to this list at http://www.ntbugtraq.com. Discussion on this list revolves around NT exploits and fixes. Russ Cooper effectively moderates the list, which more than 15,000 users subscribe to. NTBugtraq is one of the best resources for untangling hotfixes’ idiosyncrasies and contradictory documentation. For additional NT security mailing lists, go to http://www.ntsecurity.net and http://www.iss.net/vd/maillist.html.
The volume of email from security mailing lists can be overwhelming. I direct all the mail to an NT Security folder in Microsoft Outlook. Once a day, I scan the subject lines for topics of immediate relevance. I also scan the authors, because I’ve learned to recognize the regular posters whose messages are consistently valuable. This method lets me spend a minimal amount of time keeping up-to-date. When I have some downtime, such as on a flight, I scan the rest of the messages for new problems, tricks, and insights.
If you’re trying to solve a particular problem, you might have difficulty finding the appropriate hotfix. You can use NTBugtraq’s free service at http://ntbugtraq.ntadvice.com/ntfixes.asp to search for hotfixes by language, NT version, processor type, and service pack. The tool even highlights hotfixes that the vendor has updated or removed.