Microsoft has released so many hotfixes for IIS that it's difficult to tell what I should apply. For example, MS01-044 (15 August 2001 Cumulative Patch for IIS) states simply that it includes all IIS 5.0 hotfixes to date, but it doesn't list them. How can I determine which hotfixes are included in the rollup and which hotfixes I need to install on my servers?

This question is so important that I want to elaborate a bit on the process. Microsoft is good about releasing hotfixes in a timely, organized manner so that customers can implement them quickly. To that end, Microsoft has implemented several important changes (e.g., Security Bulletin Search at http://www.microsoft.com/technet/itsolutions/security/current.asp) to its Web sites and has included important hotfixes in Windows Update. Nevertheless, Microsoft sometimes complicates administration when a major hotfix's documentation states only that it "includes the functionality of all security patches released to date for IIS 5.0, and all patches released for IIS 4.0 since Windows NT 4.0 Service Pack 5."

The problem is that the documentation doesn't specify what constitutes an IIS hotfix. In fact, Microsoft has apparently changed how it categorizes some hotfixes. For example, WWW Distributed Authoring and Versioning (WebDAV) hotfixes MS01-016 (Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources) and MS01-044 appear in the IIS 5.0 list, but MS01-022 (WebDAV Service Provider Can Allow Scripts to Levy Requests as User) appears as a Windows 2000 hotfix. Microsoft Indexing Service hotfix MS00-098 (Patch Available for "Indexing Service File Enumeration" Vulnerability) appears as a Win2K hotfix, but all other Indexing Service hotfixes appear in both the IIS 5.0 and Win2K lists. The IIS 5.0 hotfixes don't include SMTP hotfixes (e.g., MS01-037—Authentication Error in SMTP Service Could Allow Mail Relaying) or Network News Transfer Protocol (NNTP) hotfixes (e.g., MS01-043—NNTP Service Contains Memory Leak), although both hotfixes apply to services that you manage through the Microsoft Management Console (MMC) Internet Information Services snap-in, which runs in the Inetinfo process. And finally, Microsoft FrontPage Server Extensions hotfixes (e.g., MS01-035—FrontPage Server Extension Sub-Component Contains Unchecked Buffer) don't appear in the IIS hotfix listings.

Fortunately, Microsoft has provided a useful tool called the Network Security Hotfix Checker (hfnetchk.exe), which you can download from http://www.microsoft.com/technet/itsolutions/security/tools/hfnetchk.asp. This tool scans standalone or network servers for applied hotfixes and generates a report of missing hotfixes. (In some cases, the word Warning appears in the report that Hfnetchk generates, indicating that the tool couldn't determine whether the patch was installed.) Figure 2 shows an Hfnetchk report of missing hotfixes for a machine on which I installed Win2K Advanced Server (standalone), Service Pack 2 (SP2), with no hotfixes. The report shows that MS01-025 (Index Server Search Function Contains Unchecked Buffer) is required, which is interesting because MS01-044 states that it includes all IIS 5.0 hotfixes and addresses all IIS 5.0 vulnerabilities. So, what's the story? If you read farther into MS01-044, it states that the Cumulative Patch for IIS doesn't include hotfixes that are part of other products, such as Microsoft Index Server. MS01-025 is specifically listed as not included. However, MS01-025 does appear as an IIS 5.0 hotfix with Hfnetchk and on Security Bulletin Search. So, Hfnetchk is reporting correctly, but Microsoft is a bit confused.

If you're like me, you don't trust a new automated tool until it's proven. Consequently, perhaps the best way to clear the confusion around hotfixes is to create a hotfix list manually. To create such a list, you must cross-reference the hotfixes found on the Security Bulletin Search page with the services found on your server, then download all the hotfixes you require into a folder. This folder becomes your source for hotfixes when you install or rebuild a server. When Microsoft releases a new hotfix, you can evaluate its relevance and, if the fix is required, add it to the list while removing old hotfixes that the new one replaces.

After you develop your list, I recommend that you follow the directions at http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0124.html (courtesy of Xato at http://www.xato.net). In the scripts.txt file, enter the URLs of the hotfixes in your folder. When you run the script, it will automatically download and install the fixes.

Microsoft's official position on the installation sequence for hotfixes is that the order matters for IIS 4.0 but not for IIS 5.0. Nevertheless, I recommend that you install hotfixes in the sequence in which Microsoft released them. For example, during the CodeRed episode, some administrators found that MS01-033 (Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise), the patch that closed the hole the CodeRed worm exploited and which Microsoft released a month before the worm appeared, didn't protect their servers unless they had installed SP2, MS01-026 (14 May 2001 Cumulative Patch for IIS), and MS01-033, in that sequence. (At the time of writing, MS01-044 had replaced both MS01-026 and MS01-033.)
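The manual list-building process above (cross-reference bulletins against the services on the box, drop fixes a later rollup replaces, install in release order) can be captured in a small script. This is an added example, not the column's procedure or Xato's script; the catalogue is constructed from the bulletins the column names, the service tags are my own labels, and ordering by bulletin number as a stand-in for release date is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Bulletin:
    bid: str                         # e.g. "MS01-044"
    services: frozenset              # services the fix applies to (constructed tags)
    replaces: frozenset = frozenset()  # earlier bulletins this rollup supersedes

# Constructed catalogue: only the bulletins the column mentions, tagged with the
# service the column says each one covers. Not an authoritative Microsoft list.
CATALOG = [
    Bulletin("MS00-098", frozenset({"indexing"})),          # Indexing Service file enumeration
    Bulletin("MS01-016", frozenset({"www"})),               # WebDAV, in the IIS 5.0 list
    Bulletin("MS01-022", frozenset({"www"})),               # WebDAV, listed under Win2K
    Bulletin("MS01-025", frozenset({"indexing"})),          # Index Server; NOT in MS01-044
    Bulletin("MS01-026", frozenset({"www"})),               # 14 May 2001 cumulative IIS
    Bulletin("MS01-033", frozenset({"indexing", "www"})),   # Index Server ISAPI (CodeRed)
    Bulletin("MS01-035", frozenset({"fpse"})),              # FrontPage Server Extensions
    Bulletin("MS01-037", frozenset({"smtp"})),              # SMTP relaying
    Bulletin("MS01-043", frozenset({"nntp"})),              # NNTP memory leak
    Bulletin("MS01-044", frozenset({"www"}),                # 15 Aug 2001 cumulative IIS
             frozenset({"MS01-026", "MS01-033"})),
]

def release_key(bid):
    """Sort key from the MSyy-nnn number (assumption: numbers track release order)."""
    yy, nnn = bid[2:].split("-")
    return (int(yy), int(nnn))

def required_hotfixes(catalog, installed_services, applied=()):
    """Bulletins still needed on a server, in release order.

    Keeps bulletins that touch a service present on the box, drops any that an
    applicable later rollup replaces, and drops any already applied.
    """
    applicable = [b for b in catalog if b.services & installed_services]
    superseded = set()
    for b in applicable:
        superseded |= b.replaces
    needed = [b.bid for b in applicable
              if b.bid not in superseded and b.bid not in applied]
    return sorted(needed, key=release_key)

if __name__ == "__main__":
    # Constructed server profile: Web, Indexing Service and SMTP, no hotfixes yet.
    for bid in required_hotfixes(CATALOG, frozenset({"www", "indexing", "smtp"})):
        print(bid)
```

Note that MS01-025 survives the supersession step because, as the column explains, MS01-044 explicitly excludes it; a catalogue that wrongly listed it under MS01-044's replaces would hide a required fix.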

My guess is that Microsoft develops hotfixes on fully patched servers. The Microsoft engineers simply don't have time to try the myriad combinations of hotfixes to determine the effects of one or more not being applied. Consequently, dependencies on other hotfixes aren't discovered until after Microsoft releases the new hotfix.