Customers have complained loud and long about the complexity and time-consuming nature of monitoring and installing security hotfixes. Microsoft has been aware of the shortcomings of the current procedure for some time and has tentatively answered these complaints with a new audit and advisor tool called Hfnetchk, which Microsoft Gold Partner Shavlick Technologies developed. The tool's first version falls far short of ideal, but it’s certainly a step in the right direction.
I decided to put Hfnetchk through it’s paces on an old machine, and I’m happy to report that despite its ungainly name, this tool is useful in small to midsized network environments. Hfnetchk has three features that you’ll appreciate, especially when compared with the old Qfecheck utility.
First, Hfnetchk uses a comprehensive XML-formatted hotfix catalog that Microsoft updates every time the company releases a new security hotfix. In the initial release, the catalog contains current security hotfix information for Windows 2000, Windows NT 4.0, Microsoft Internet Information Server (IIS) 4.0 and Internet Information Services (IIS) 5.0, and SQL Server versions 7.0 and 2000. When you run Hfnetchk, it audits and reports on the status of the security hotfixes that you've already installed for each of the products running on the system on which you perform the audit.
Second, because the catalog contains a current list of all security hotfixes for each product, Hfnetchk can advise you of which fixes to apply to bring your system up to date. You can direct the utility to tell you which hotfixes you've already installed, which are missing, which you need, or a combination of missing and necessary fixes. When you get the report, you know exactly which security bulletins to evaluate.
Third, on the machine where you install Hfnetchk, you can initiate a remote audit of one machine, a group of machines, or all systems in a domain. You can identify the systems you want to audit by computer name, by individual TCP/IP addresses, by a range of TCP/IP addresses, or by domain name. When you identify systems by computer or domain name, Hfnetchk uses NetBIOS name resolution to locate the systems. (If you’re running a pure Win2K domain, you might not have a WINS server handy, so keep this limitation in mind.)
You can download Hfnetchk from the Microsoft Web site. But before you jump in, you should also download your own copy of the security hotfix catalog. You can find the catalog, mssecure.cab, at the Microsoft Web site. You must expand both download files into the same directory. Mssecure.cab expands into mssecure.xml.
If you start Hfnetchk without any options, the utility automatically attempts to download the current copy of the catalog. If you already have the catalog, you can use the command
Hfnetchk –x mssecure.xml
to instruct the tool to use the local copy and skip the download. Even better, you can download the catalog regularly and store it on a network share that everyone can use, thus skipping the download step each time.
Because the first version is command-line driven, you can run Hfnetchk periodically to analyze the state of system security on selected servers and workstations and dump the report file for later analysis. Hfnetchk creates a word-wrapped report suitable for Wordpad or Notepad by default, but you can use a command-line option to generate a tab-delimited report suitable for import into spreadsheets.
When I ran Hfnetchk on a Win2K Service Pack 2 (SP2) system, the tool recommended that I install 12 hotfixes—11 for the OS and one for Internet Explorer (IE). Considering that Microsoft has released 46 bulletins this year, I didn’t feel too bad. In any case, I read the bulletins and selected eight updates that I thought were relevant for my operation. Next, I built a script to install all the updates. The last line in the script runs Qchain, the utility that ensures that the OS installs only the latest version of any common files at the next reboot. However, when I ran the script, I discovered a couple of significant weaknesses in the current procedure.
Microsoft packaged 10 of the security updates I installed with hotfix.exe, the standard hotfix installer, but packaged the WebDav and IE security hotfixes with the MSDAIPP installer. When hotfix.exe installs updates, it creates an uninstall directory and related registry keys. Hotfix.exe also accepts –z and –m options to disable the automatic reboot and interactive feedback the update usually generates. When MSDAIPP installs updates, it doesn’t create an uninstall directory or a registry key. MSDAIPP accepts the /q option for quiet mode and doesn't force a reboot.
Because the hotfixes don't follow a standard format, you can’t write a script that will run correctly without first expanding every hotfix to determine which installer it will use. To eliminate this unnecessary work, Microsoft should either standardize on one installer or publish two versions of every security hotfix, one for each installer. We could then download and build scripts without having to examine each update in detail.
Another weakness of the dual-installer method is that it severely hinders Hfnetchk’s credibility because the utility can't deliver an accurate report with valid recommendations. Hfnetchk can report that a hotfix is correctly installed when the registry key exists, when the version number on each file matches the version number in the catalog, and when the file checksums match. If no registry key exists, you receive a warning message. Neither WebDAV nor IE create registry keys, so as you'd expect, the next time I ran Hfnetchk, it warned me that I should install the WebDAV and IE updates.
To accommodate the difference in the way Microsoft packages hotfixes, the developers included a command-line option that tells Hfnetchk to skip the registry-key verification. However, I don’t think I want to skip the step for hotfixes that use registry keys; if the developers think this is an important part of the verification process, how do I know they’re properly installed?
If you’d like to give this new tool a test drive, you can get all the details from two Microsoft articles. Microsoft article Q303215 documents Hfnetchk’s numerous command-line options and the procedure Hfnetchk uses to perform the audit and create recommendations. Microsoft article Q305385 contains the Hfnetchk FAQ. If you just want to audit and update one system and you trust Microsoft to update your system online, try the Microsoft Personal Security Advisor at the Microsoft Web site.