securing NT 4.0 SP6a/you can't get there from here

securing NT 4.0 SP6a/you can't get there from here

Post by delta_fa.. » Tue, 22 Aug 2000 04:00:00

Service Pack 6a for Window NT was officially released in December of
1999. Since December 1, 1999 Microsoft has released 68 security patches
and if this trend continues, we can look forward to an average of about
seven more for each month between now and the release SP7.

I have the unenviable task of determining exactly which patches need to
be applied to ensure that NT servers are secured against attack. A
number of practices currently in place at Microsoft make this far more
difficult than it needs to be. I have sent a number of emails to

representatives that monitor that address, but now I just get a form
letter that advises me I can use the free support options (Knowledge
Base) or the Pay for Support options to resolve my questions.

I am aware of these options, but I am very frustrated with Microsoft
for failing to address what I see to be the larger issues, which are
laid out in the next few paragraphs.

1.      A number of bulletins at the MS Security site have directions
on how to determine if a patch has been properly applied. While this is
good information to have, it is only useful if it is correct, and on a
number of bulletins it is wrong. MS99-046 is good example of this
problem. In the FAQ for this bulletin, posted at there
is table near the bottom of the page that lists the dates of the files
that should be present on a properly patched system. The date for the
TCPIP.SYS file for an SP6a, i386 platform, is listed as 12/14/99 and is
incorrect. The date of the TCPIP.SYS file included in the patch at the
download site is actually11/30/99.

This means that if I use the information in the FAQ as guide, and check
the date on the TCPIP.SYS file on my system I will come away with
impression that it has not had this patch applied. In order to get the
correct information regarding the date of this file it is necessary to
download the patch, expand it and check the date on the file.

I notified Microsoft of this nearly six months ago, and as of today
(8/21/00) the error has not been corrected.

2.      Another difficulty I face has to do with the odd manner in
which version dates and day/time stamps are being applied to files. For
example, MS00-005
( deals
with a buffer overrun in the Rich Text Format reader. One of files
contained in the patch for the i386 build of NT 4.0 is RICHED32.DLL.
The RICHED32.DLL file in the patch has a time/date stamp of 12/23/99
and a version of 4.0.835.1381. The RICHED32.DLL that can is on my
servers is dated 11/4/97 and is version 5.0.1458.47. Because the older
file has a higher version number, I am unable to determine which of
these files needs to be applied in order to ensure that my system is
patched. What I find particularly odd is that there is a two-year
difference in the time/date stamps, and the older file has a higher
version number.

3.      The other issue I have with trying to maintain these systems is
the number of patches that need to be applied to an SP6a NT server to
bring it up to date. As I mentioned earlier, there are 68 security
patches that have been released since December of 1999. While some of
these fixes were rolled into SP6a, the majority were not. Also, some of
these patches supersede others, but this information is not indicated
in many cases where this takes place.

The more cynical in the crowd would likely say this is Microsoft
applying pressure to users in order to influence the migration to
Windows 2000. I tend to be a little less of a cynic, and would prefer
to attribute this to a matter of shifted priorities. I suspect the
development efforts for SP1 for Windows 2000, and the efforts on
Windows ME have been taking away from the NT SP7. However, the answer
to Why hasnt SP7 been released? is less important to me than the
answer to When will SP7 be released?.

I doubt that I am the only one experiencing frustration over keeping NT
4.0 SP6a servers up to date. I am very interested in hearing how other
NT administrators approach the issue of security patches, and
determining exactly which patches need to be installed on a particular
server, and how they determine if those patches have in fact been
properly installed. If there are any third party utilities that are
able to accurately assist in this effort, I would really like to know
about them.

Sent via
Before you buy.


1. Can't stop sharing drives in Window NT 4.0 (sp6a) Workstation

Sorry if this is a repost. I searched through the last year of posts and
coule not find my
question addressed before.

I have tried to stop sharing of my C and D drives in WIndows NT sp6a. I
remove the sharing.
Everything seems fine until I reboot my machine and find that the drives are
shared once again.
Any ideas? Am I missing something here?

Thanks in advance.

-Patrick Lampani

2. Generic Host Process for WIN 32 is attempting to access the internet

3. IE 6.0 Filters on NT 4.0 SP6a not working

4. Reistalling WMP

5. Looking for discussions on XP Pro logon configuration with NT 4.0 sp6a

6. Recover Lost inbox

7. NT 4.0 server SP6a not routing

8. usb/firewire pci card half ht? or glue in? RCA video in?

9. Fw: Killing NT 4.0 (HOT FIXES or NOT / SP6a)

10. Trouble getting NT Server 4.0 to play audio CD's

11. I'm tired of the start menu getting userped in NT 4.0

12. Winsocket?/NT SP6a: Can't create IP socket (10106)