The Pros and Cons of Upgrading Now

Microsoft released Service Pack 6 (SP6) for public download at the end of October 1999. After a week or two, several nasty problems emerged—a Winsock error that, among other things, prevented users from accessing Lotus Notes unless they logged on with administrator rights; an AppleTalk error that generated a blue screen on systems connected to an AppleTalk network server or Apple print server; and a date problem in Microsoft Internet Information Server (IIS) 3.0's log converter that converted year 2000 dates to the year 2028. Microsoft corrected these problems in SP6a, included an update of winver.exe (the command-line utility that reports the version of the running OS), and released the new service pack at the end of November 1999. SP6a supersedes and replaces SP6 and all earlier service packs.

Many people installed SP6, then removed it a few days later in response to either the bad publicity or the problems they discovered during testing. Therefore, many Windows NT 4.0 servers are still running SP5, and many users have unanswered questions about SP6 and SP6a. Is now the time to upgrade your SP5 systems? With this article's discussion of post-SP6a hotfixes, you should have enough technical input to make that decision.

SP6a Enhancements
SP6a includes a long list of bug fixes for networking problems, closes several security holes, corrects minor setup glitches, fixes a few desktop problems, and adds three Y2K updates. After you install SP6a, you'll no longer need to maintain 15 post-SP5 hotfixes; instead, you'll manage 3 post-SP6a hotfixes and at least 1 security update (which I discuss later). Considering the number of network bug fixes, systems running SP6a will probably require significantly reduced troubleshooting. The Microsoft article "List of Bugs Fixed in Windows NT 4.0 Service Pack 6/6a (Part 2)" at http://support.microsoft.com/support/kb/articles/q244/6/90.asp provides detailed descriptions of SP6a's fixes. In addition to bug fixes, SP6a offers several notable enhancements.

Encryption. SP6a extends the encryption strength of the standard version of NT from 40 bit to 56 bit, which is more secure and not subject to as many export constraints as the 128-bit high-encryption version. When you install the high-encryption version of SP6a on a standard version of NT, SP6a upgrades your system from 40-bit to 128-bit high encryption. For more information, see the sidebar "Determining Encryption Level and Current Version."

French version. The French version of NT now supports 40-bit encryption for RAS and PPTP, Microsoft Systems Management Server (SMS) Remote Console, SQL Server, and Exchange Server.

OEM partitions. NT 4.0 Setup now recognizes Compaq and Dell OEM utility partitions, so you needn't reformat the system disk or use an alternative partition to install a fresh copy of the OS.

Microsoft Internet Explorer 5.0. SP6a lets you install Internet Explorer (IE) 5.0 so that IE doesn't create its desktop icon or make the file associations that establish IE as the default browser. If you use another browser or want to disable Internet browsing, you'll appreciate this improvement. IE 5.0 updates are available on the SP6a CD-ROM, not in the download version. To disable the desktop icon and IE's status as the default browser, you must run the IE 5.0 update from the command line.

Print-spooling enhancements. SP6a offers three major print-spooling enhancements. If these improvements work as Microsoft advertises, you'll experience far fewer print-management headaches. First, a print job that hangs on a printer that is part of a printer pool will resume after you resolve the error. Second, print jobs won't queue to a printer that shows an unavailable status—except when the status indicates low toner. Third, when a print job doesn't print within a specific time period, the spooler will redirect the output to another printer in the print pool.

New print drivers. Microsoft has extended the Add Printer wizard to include many new print drivers, including drivers for several Hewlett-Packard (HP) LaserJet PCL 5e printers (i.e., the 2100, 4000, 5000, and 8x00 series) and two Lexmark Optra printers. SP6a also includes many PostScript drivers.

Winnt32.exe and Setupdd.sys
The downloadable versions of SP4 through SP6a don't include NT's native setup utility winnt32.exe or the SCSI driver setupdd.sys. However, service packs that ship on CD-ROM include these files. Winnt32 is a handy tool that lets you perform an upgrade or a reinstall on a running NT system, and setupdd.sys recognizes your SCSI boot drive. You can download setupdd.sys from the NT 4.0 Service Pack Download page (it's the last entry on the list), and you can download both files from the SP4 directory at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/ussp4/additional. Although you'll find the files in the SP4 directory, these two utilities operate correctly with SP4 through SP6a.

Download vs. CD-ROM
The CD-ROM version of SP6a contains more updates than the version you can download from Microsoft's Web site. The additional updates include improvements to IE 5.0, the Security Configuration Editor (SCE), Distributed COM (DCOM), Winsock, Microsoft Message Queue Server (MSMQ) files for Windows 9x, additional print drivers, files that let you install RRAS in unattended Setup mode, and updates to Certificate Server and Internet Authentication Service (IAS). You can order the CD-ROM at the Service Pack Download page.

The SP6a Upgrade
You can upgrade your system online, download the 34.5MB update file, or order the CD-ROM from Microsoft. (For more information about downloading SP6a, see the sidebar "SP6a Download URLs.") The sp6i386.exe file expands to 67MB of files, and you need 120MB of disk space for the expanded files and the uninstall directory. SP6a doesn't include the post-SP6 RAS hotfix, so you need to install the hotfix after the upgrade completes. If you're already running SP6, you can update your systems to SP6a by applying the SP6a hotfix (i.e., q246009i.exe for Intel platforms and q246009a.exe for Alpha systems). If your systems are running SP5, you need to download and install the full SP6a upgrade.

After you install SP6a, you'll see the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009\Installed = 1 Registry key. After you upgrade, you might want to verify that this key is present; it won't exist if your system is running an earlier service pack.
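To run that check across several servers, the following added example (not code from the article or from Microsoft) audits a REGEDIT4 export of the Hotfix key for the SP6a marker and for the two post-SP6a fixes whose Q numbers the article gives. The sample export is constructed, and the example assumes that Q244599 and Q248183 register under the Hotfix key the same way Q246009 does.

```python
import re

HOTFIX_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix"
SP6A_MARKER = "Q246009"  # key the article says SP6a creates
# Q numbers from the hotfix file names cited in the article. Assumption: each
# registers a Hotfix\<Qnumber>\Installed value the same way Q246009 does.
POST_SP6A = {"Q244599": "C2 Security hotfix", "Q248183": "Syskey and LSA patch"}

# Constructed sample export (regedit "Export Registry File", REGEDIT4 format).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009]
"Installed"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q244599]
"Installed"=dword:00000001
'''

def installed_hotfixes(reg_text):
    """Return the Hotfix subkey names whose Installed value equals 1."""
    prefix = HOTFIX_ROOT.lower() + "\\"
    found, current = set(), None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            # Track only direct children of the Hotfix key.
            name = key[len(prefix):] if key.lower().startswith(prefix) else ""
            current = name.upper() if name and "\\" not in name else None
        elif current:
            m = re.fullmatch(r'"installed"=dword:([0-9a-f]{8})', line, re.I)
            if m and int(m.group(1), 16) == 1:
                found.add(current)
    return found

def audit(reg_text):
    """Report whether the SP6a marker is present and which fixes are absent."""
    have = installed_hotfixes(reg_text)
    return {"sp6a_marker": SP6A_MARKER in have,
            "missing": sorted(q for q in POST_SP6A if q not in have)}

if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    print("SP6a marker present:", report["sp6a_marker"])
    for q in report["missing"]:
        print("not recorded:", q, "-", POST_SP6A[q])
```

A server that reports the marker absent is still on SP6 or earlier; one that reports a missing Q number should be checked by hand before you conclude that the fix isn't installed.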

Potential Installation Roadblocks
When you reboot after installing SP6a on a system running Microsoft Exchange Server, the messaging server might initiate a full index recalculation. If you interrupt the index operation, Exchange Server might corrupt the database it's processing. When I upgraded my Exchange Server system to SP6a, a long pause occurred after I logged on (and before the desktop appeared), and I found several sets of Exchange Server recalculation events in the Application Event Log (i.e., Category of Table/Column and Event IDs 174 and 175). These log entries indicate that Exchange Server cleaned up the Public and Private stores and the Directory Store. If your Exchange server has a large database, this cleanup operation can add 15 minutes to 1 hour or more to your upgrade time, as well as slow mail delivery. So be sure you allocate sufficient time for the upgrade.

The SP6a README file indicates that SP6a includes NT 4.0 Option Pack fixes, but the description of the Option Pack updates that the service pack applies isn't clear. Apparently, you receive these updates only if you order SP6a on CD-ROM. Also, you must perform a separate update procedure for Option Pack components. We can only hope that Microsoft's test team verified that these updates work with all versions of all components that ship in the Option Pack collection. Be aware that the IIS 4.0 update doesn't correctly set script execute permission for the Microsoft Proxy Server Web Administration Tool. If the Web Administration Tool doesn't start after you install SP6a, you can correct the problem by adding script execute permission to the Virtual Directory in PrxAdmin. When you start the update procedure, you might see a message stating that Microsoft hasn't tested the Option Pack updates on SP4. You can safely click Yes to proceed with the update.

To correct known problems, SP6a automatically updates 3Com EtherLink 905B drivers to version 3.40.40.0 if the installed version is 3.38.40.0 or earlier. If you have problems with your network adapter card after the reboot, you might want to upgrade to a newer version of the 3Com driver, which you can download from http://www.3com.com. Check the version of your driver before you perform the upgrade so that you know whether SP6 will modify the running copy.

Compaq has released Revision G of the hardware abstraction layer (HAL) for its Alpha systems, and SP6a includes support for the enhanced HAL functions, including the Tsunami chip. You can read about other HAL improvements in the Microsoft article "Compaq HALs (Including Revision G) for Alpha with Windows NT 4.0" at http://support.microsoft.com/support/kb/articles/q239/9/29.asp. You can download the new HALs from Compaq's firmware page (http://www.compaq.com/support/files/alphant/firmware).

Finally, if you're upgrading a system running Microsoft Cluster Server (MSCS), IIS 4.0, or MSMQ—or if you're dual-booting Windows 2000 (Win2K) and NT 4.0—you need to be aware of one more potential installation roadblock. See the SP6a README file for instructions about additional preparation that you'll need to perform.

Post-SP6a Hotfixes and Patches
You need to apply three hotfixes after you upgrade to SP6a: the Remote Access Service Manager hotfix, the Winlogon hotfix (which corrects a sporadic logoff problem that will otherwise drive end users crazy), and the C2 Security hotfix. You also need to apply the Syskey and Local Security Authority (LSA) security patch, which eliminates known security vulnerabilities. You can find the URLs to download all three hotfixes and the LSA Vulnerability security update in the sidebar "Recommended Post-SP6a Hotfix URLs."

Remote Access Service Manager hotfix. Microsoft released the Rasman-fix hotfix just before releasing SP6 and was therefore unable to include it in SP6 or SP6a. Rasman-fix changes the ACL on rasman.exe to prevent an unprivileged user from substituting another executable file for rasman.exe. Because Rasman runs in the system context, this situation presents a gaping security hole, which you can easily correct with this hotfix.

Winlogon hotfix. After you upgrade to SP6a, you might experience a problem when you select Logoff from the Start menu. In some cases—particularly when programs are running—the screen will become gray and the mouse pointer will remain an hourglass indefinitely. According to Microsoft, changes in the SP6a version of Winlogon cause the logoff problem. To work around the behavior, use the three-finger salute (i.e., Ctrl+Alt+Del) and click Logoff in the Windows NT Security window. The Winlogon-fix corrects the problem and is an important update for NT workstations.

C2 Security hotfix. If you run a C2-secure facility, you need to download security hotfix q244599i.exe. (You'll find the URL in the sidebar "Recommended Post-SP6a Hotfix URLs.") The C2-fix tightens access to NT objects in compliance with three C2 security requirements:

  • TCP and UDP ports—C2 security requirements mandate that an unprivileged user-mode application may not listen to TCP ports that NT services use, regardless of the cryptographic protection you apply to the NT service traffic that uses these ports. The ports in question are TCP port 137 and UDP ports 138 and 139. In SP6a and earlier, unprivileged applications can access these ports through calls to the API ZwCreateFile function in netbt.sys. The post-SP6a C2 hotfix lets you change netbt.sys's behavior so that netbt.sys doesn't allow file-share access to these ports. The Microsoft article "Enabling NetBT to Open IP Ports Exclusively" (http://support.microsoft.com/support/kb/articles/q241/0/41.asp) documents the Registry path and data values the hotfix uses to disable unprivileged access to these TCP and UDP ports.
  • Jet500.dll objects—WINS and DHCP rely on the Jet500 database engine to manage their databases. The jet500.dll file creates several objects (e.g., events, semaphores, mutexes) that manage synchronization among multiple instances of the .dll file, and these objects by default have no access controls. The C2 hotfix restricts access to the Jet500 objects to members of the Administrators group. You can read about the affected objects in the Microsoft article "Winobj.exe May Permit You to View Securable Objects Created or Opened by the Jet500.dll File" (http://support.microsoft.com/support/kb/articles/q243/4/04.asp).
  • Device driver objects—If a driver opens a device and passes a filename length of zero, or if the path contains a trailing backslash, several native drivers bypass standard security controls in the open call. The C2 hotfix installs new versions of seven NT drivers that follow the secure open-procedure guidelines: beep.sys, floppy.sys, netdetect.sys, paraport.sys, null.sys, tcpip.sys, and scsiport.sys.

Syskey and LSA patch. The LsaLookupSids() function returns the SID associated with a user or group account. In some cases, the function doesn't correctly handle invalid or contradictory arguments, thereby corrupting the running copy of the LSA. The LSA provides security services for NT by authenticating logon requests, verifying user privileges, determining whether users can gain access to resources, and overseeing security auditing. This vulnerability essentially renders a system useless because the corrupted LSA denies all requests for services.

When a user makes a service request that calls LsaLookupSids(), NT performs a security check to verify the user's privileges before fulfilling the request. The vulnerability doesn't let anyone bypass the security check. However, the computer stops responding before it makes the check, so any user—regardless of privilege—can issue this call and cause the LSA to stop responding.

If you experience LSA corruption and your system hangs, reboot to load a clean working copy of the LSA. This vulnerability leaves a gaping hole, and I recommend that you acquire and test this security patch (i.e., q248183.exe) as soon as possible.

Ready for Prime Time
Because Microsoft hasn't released additional SP6a-specific updates during the past several months, I believe SP6a is ready for prime time. SP7 might be available upon publication of this article. Although I've seen numerous references to bug fixes that Microsoft intends for SP7, I have no information about when SP7 will become available.

As long as you install the hotfixes I mentioned, your SP6a systems should be stable and happy. Just be sure you allocate extra time to performing the SP6a update on your Exchange servers—you don't want to get caught with a downed mail server when everyone shows up for work.