March 30, 2004 12:00 AM

Advanced Patch Management

Keeping your crucial servers up-to-date
Windows IT Pro
InstantDoc ID #41980
Downloads
41980.zip

Don't Forget Other Updates
When you install hotfixes, it is easy to overlook other updates that your systems also need. For example, most hotfix-checking tools report which hotfixes are required for your current service pack level but don't always tell you that a newer service pack is available. Also be aware that Windows Update covers only Microsoft's main products. Table 2 lists several updates that administrators often overlook. Many third-party patch-management solutions offer much broader product coverage than the Microsoft tools do; Table 3 lists several such third-party offerings.

Know When to Reinstall
Even if you carefully follow the guidelines in this article, you should always reinstall hotfixes in the following situations:

  • after adding or removing Windows components
  • after performing an emergency repair
  • after recovering from a backup
  • after installing a service pack

At some point before Microsoft releases a service pack, the company must freeze the code to start the testing process. During that test period, Microsoft will likely fix bugs in the service pack and release new hotfixes. Microsoft often rereleases these hotfixes, rebuilt against the new service pack and referred to as post–service pack hotfixes, when the service pack ships. After you install a new service pack, reinstall any post–service pack hotfixes that you had previously installed. I also suggest that you regularly check your systems with an automated patch-management system to verify that all hotfixes are current and properly installed.

Keep Up with Fixes
At one time, Microsoft recommended against installing hotfixes unless they were absolutely necessary. In fact, common practice was not to install any fix if a server was already running properly. But the proliferation of Internet-based attacks has changed that practice.

Although some exceptions exist, the new best practice is to install every hotfix and service pack relevant to your high-visibility or high-security servers. Microsoft expects users to have installed the most current service pack, and some hotfixes won't work with older service packs. Some hotfixes rely on DLLs released with service packs, and not having the right version can result in server instability. Thus, installing every update requires careful testing before full deployment.
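The two checks the preceding sections call for, that post–service pack hotfixes are actually present after a service pack install and that the DLL versions those hotfixes depend on are in place, can be scripted. The following PowerShell audit is an added example, not code from the original article or from Microsoft; the KB identifiers, DLL paths, service pack level and version numbers in the baseline are placeholders that you replace with the values from your own tested baseline.

```powershell
# Added example (not from the original article): audit a server's service pack
# level, installed hotfixes and key DLL versions against a required baseline.
# Every value in $Baseline is a placeholder; fill it from your tested build.

$Baseline = @{
    # Placeholder: service pack major version the baseline was tested against
    ServicePackMajor = 2
    # Placeholder KB identifiers for the post-service-pack hotfixes you rely on
    RequiredHotfixes = @('KB0000001', 'KB0000002')
    # Placeholder DLLs and the minimum file version a hotfix depends on
    RequiredFiles = @{
        "$env:SystemRoot\System32\ntdll.dll" = New-Object System.Version(10, 0, 0, 0)
    }
}

function Get-PatchAudit {
    param([hashtable]$Baseline)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Get-HotFix reads Win32_QuickFixEngineering, so it lists only updates
    # registered there, not every package an installer ever applied.
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

    $result = [ordered]@{
        ServicePackMajor = $os.ServicePackMajorVersion
        ServicePackOk    = ($os.ServicePackMajorVersion -ge $Baseline.ServicePackMajor)
        MissingHotfixes  = @($Baseline.RequiredHotfixes | Where-Object { $installed -notcontains $_ })
        OutdatedFiles    = @()
    }

    foreach ($entry in $Baseline.RequiredFiles.GetEnumerator()) {
        $path     = $entry.Key
        $required = $entry.Value
        if (-not (Test-Path -LiteralPath $path)) {
            $result.OutdatedFiles += "$path (file missing)"
            continue
        }
        # Build the version from the numeric parts; the FileVersion string can
        # carry a build tag that does not parse as [version].
        $vi     = (Get-Item -LiteralPath $path).VersionInfo
        $actual = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                            $vi.FileBuildPart, $vi.FilePrivatePart)
        if ($actual -lt $required) {
            $result.OutdatedFiles += "$path (have $actual, need $required)"
        }
    }

    return [pscustomobject]$result
}

$audit = Get-PatchAudit -Baseline $Baseline
$audit | Format-List

if (-not $audit.ServicePackOk -or $audit.MissingHotfixes.Count -gt 0 -or $audit.OutdatedFiles.Count -gt 0) {
    Write-Warning 'Baseline not met: reinstall the hotfixes listed in MissingHotfixes and re-run.'
    exit 1
}
```

Run this after every service pack installation, emergency repair or restore from backup, the situations listed above, and treat a non-zero exit as a signal to reinstall the post–service pack hotfixes rather than as a report to file away. Because Get-HotFix only sees updates recorded in Win32_QuickFixEngineering, the DLL version check is the part that catches a hotfix whose files were silently replaced by the service pack.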

Speed is also a concern when applying hotfixes. With some security problems, patching your servers as soon as you've tested the patch for your environment is crucial. If someone really wants to break into your Web site, all they have to do is closely monitor Microsoft's security bulletins and exploit the vulnerability before you patch your servers. The only sure way to counter such exploits is to patch your servers as quickly as possible. In the meantime, be sure to use other tools such as firewalls, Intrusion Detection Systems (IDSs), and the URLScan security tool to block known attacks.

Know Where to Get Help
Microsoft's hotfix articles used to carry a disclaimer that hotfixes weren't supported products to emphasize that the company typically didn't subject hotfixes to the same extensive testing procedures used for service packs. This situation has changed, and Microsoft now provides free support for hotfix-related problems. A complete list of ways to contact Microsoft Product Support Services (PSS) is available at http://support.microsoft.com/default.aspx?scid=fh;enus;cntactms.

Microsoft also provides support through newsgroups. This support option is often helpful because it not only includes feedback from Microsoft but also from the Windows community. Go to http://www.microsoft.com/technet/newsgroups/nodepages/security.asp for a complete list of security-related newsgroups. Microsoft provides a search mechanism for these groups, but you might have better results using Google's Usenet search engine, which includes Microsoft newsgroups.

Other public forums and mailing lists are available for community support. For questions specific to patch management, check out http://www.patchmanagement.org. The two largest mailing lists for Microsoft-related security concerns are FOCUS-MS at http://www.securityfocus.com/archive/88 and NTBugtraq at http://www.ntbugtraq.com. If you have a bad experience with a hotfix, be sure to post to all these public forums so that everyone can benefit from your experience.

As you can see, patch management still has many unresolved concerns and has some way to go before you can completely trust the automated process. The best way to deal with hotfixes is to keep up with them. You might find that an automated solution works best for your organization, or you might choose to keep your own list of fixes to install and be aware of the problems as they come up. Monitor the public forums for known concerns and properly test the fixes before deployment. If you follow all these tips, you can be sure that your crucial servers are as secure and up-to-date as you can make them.
