I just finished testing the most recent version of Shavlik Technologies' security auditing tool, Network Security Hotfix Checker Professional (HfnetchkPro), and I’m happy to report that the professional version addresses most of the concerns that I raised about the command-line version when I discussed it on September 4. Shavlik's developers have added to the professional version a GUI that exposes all the options the command-line version supports, so they are much easier to set. In addition, the GUI automatically enumerates all domain members, so you can now select just the systems in a domain that you want to audit. You can also select systems by TCP/IP address, specifying one address, a list of non-contiguous addresses, or a range of addresses. The professional version also lets you define a permanent location for the catalog file, mssecure.xml.
My biggest complaint about the command-line version of the tool, aside from its clumsy interface, is that using it to locate and download update files takes too long. The professional version eliminates this problem by generating an easy-to-read HTML report that includes a Microsoft security bulletin number, a Microsoft article reference number, a download link (hooray), the hotfix's name and a brief description, and an explanation of why the utility suspects that the hotfix is missing.
With a download link for each hotfix, you can locate the file you want with one mouse click—no more paging forward and backward through the snarled tangle of links at Microsoft’s security bulletin Web site. And when you click a link to download a patch, HfnetchkPro automatically opens a new browser window, which means that you can keep the audit report open in one browser while you download hotfixes in another.
You can download the command-line version of Hfnetchk for free from the Microsoft Web site. You can also download a freeware utility that converts Hfnetchk’s output report to HTML, which is easier to read. The freeware reporter invokes Hfnetchk in default mode with interactive output, so you should edit the .cmd file to change the options if you want to audit a specific system, use a local copy of mssecure.xml, or save the audit report as a text file. (Thanks to Al Degutis for passing along the information about the Hfnetchk freeware tool.)
If you're managing a network of 10 or more machines and appreciate a GUI interface, you should test drive HfnetchkPro. You can learn more about the utility from the Shavlik Web site.
Win2K SP2 Hotfix Problems
Microsoft article Q299549 reports that if you install any of 98 "preliminary" hotfixes on a Windows 2000 system before you install Service Pack 2 (SP2), SP2 will silently overwrite files associated with the preliminary version of these fixes when you install the service pack. You might think that you have correctly updated the OS, but in fact, SP2 has compromised each of the 98 updates. For example, if you install the preliminary update that corrects a DHCP lease-reservation problem and then install SP2, your DHCP server will revert to its previous buggy behavior.
Microsoft offers the following pitiful explanation for this lack of file integrity: "Some problems were found during the testing of SP2. These problems were fixed in both SP2 and SP3. These fixes could not be included in the preliminary hotfixes, but the preliminary hotfixes had already been released to some customers. Now that SP2 has been completely tested and released, the preliminary hotfixes that were generated have been updated to include the necessary fixes, and final versions of these hotfixes have been generated. Customers who received a preliminary version of a hotfix need to obtain the final version of that hotfix to ensure they receive the full benefits of SP2."
To determine whether you need to update any preliminary hotfixes on your SP2 systems, you must consult the list of 98 hotfixes in Microsoft article Q299549 and cross-reference each hotfix number with the Microsoft article numbers (i.e., Qnnnnn) that appear in the file spuninst.inf, which is in the service pack uninstall folder ($NtServicePackUninstall$) under the system root:
- Find the spuninst.inf file in the %SystemRoot%\$NtServicePackUninstall$\Spuninst folder.
- Open the file and find the [Reg.Restore.Keys] section.
- Find Qnnnnn entries, which designate Microsoft article numbers for installed hotfixes (e.g., HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Qnnnnn,,reg00001).
If you find a match, you need to reinstall the permanent version of the hotfix.
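The cross-reference above is tedious to do by hand against 98 entries, so here is the same check as a script. This is an added example, not part of the article and not a Shavlik or Microsoft tool: it parses the [Reg.Restore.Keys] section of spuninst.inf, pulls out the Qnnnnn hotfix keys in the format the article quotes, and intersects them with the preliminary-hotfix list. The embedded INF text and the Q numbers in it are constructed placeholders, as is the `PRELIMINARY_HOTFIXES` set; the real list of 98 entries comes from Q299549 and is not reproduced here.

```python
import re

# Constructed sample of a spuninst.inf, modelled on the entry format quoted in
# the article. The Q numbers below are made-up placeholders, not real Microsoft
# article numbers.
SAMPLE_SPUNINST_INF = r"""
[Version]
Signature="$Windows NT$"

[Reg.Restore.Keys]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q000101,,reg00001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q000102,,reg00002
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q000103,,reg00003
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run,,reg00004

[Reg.Restore.Values]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q000999,Installed,reg00005
"""

# Constructed placeholder for the 98 preliminary hotfixes listed in Q299549.
# Replace with the real list when running this against a production system.
PRELIMINARY_HOTFIXES = {"Q000102", "Q000103", "Q000200"}

# Registry key that SP2 recorded for each installed hotfix; the capture group is
# the Qnnnnn article number. INF files are case-insensitive, hence IGNORECASE.
HOTFIX_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Hotfix\\(Q\d+)\s*,",
    re.IGNORECASE,
)


def parse_inf_section(text, section):
    """Return the non-empty, non-comment lines of one [section] of an INF file.

    Section names are matched case-insensitively; ';' starts a comment.
    """
    lines = []
    in_section = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == section.lower()
            continue
        if in_section:
            lines.append(line)
    return lines


def installed_hotfixes(inf_text):
    """Q numbers of the hotfixes recorded under [Reg.Restore.Keys]."""
    found = set()
    for line in parse_inf_section(inf_text, "Reg.Restore.Keys"):
        match = HOTFIX_KEY_RE.match(line)
        if match:
            found.add(match.group(1).upper())
    return found


def hotfixes_to_reinstall(inf_text, preliminary):
    """Installed hotfixes that are on the preliminary list.

    Each of these was overwritten when SP2 was applied, so its final version
    must be reinstalled.
    """
    wanted = {q.upper() for q in preliminary}
    return sorted(installed_hotfixes(inf_text) & wanted)


if __name__ == "__main__":
    # On a real system, read %SystemRoot%\$NtServicePackUninstall$\Spuninst\spuninst.inf
    # (e.g. via os.path.expandvars) instead of the embedded sample.
    for q in hotfixes_to_reinstall(SAMPLE_SPUNINST_INF, PRELIMINARY_HOTFIXES):
        print(f"{q}: preliminary version present; reinstall the final hotfix")
```

Only keys under [Reg.Restore.Keys] are consulted, matching the article's procedure; the [Reg.Restore.Values] section in the sample is there to show that the parser does not pick up entries from neighbouring sections. Because the match is a plain set intersection, the same script serves for any service pack that records hotfix keys in this format, provided you feed it the corresponding preliminary list.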
Microsoft article Q299549 includes links to descriptions of each update. Unfortunately, you must call Microsoft Support Services (MSS) for the final version of most of the patches. Remember that you can safely install multiple updates without rebooting. When installing each update, use the command-line option that disables the automatic reboot. Then, run Qchain to ensure that only the most recent version of each file installs, and reboot to load the new files.