News

Microsoft Releases Security Utility to Check that W2K, NT4 Have Latest Patches

• By Stephen Swoyer
• 08/16/2001

The software giant’s move was seen by many as a response to the Code Red attack worms that have ravaged Windows 2000 systems for over a month.

The two tools – HFNetChk and Microsoft Personal Security Advisor (MPSA) – stem from a technology partnership between Microsoft and security specialist Shavlik Technologies, which in late March launched an XML-based security Web site in tandem with the software giant.

Microsoft’s revamped security Web site allows users to perform searches for potential security problems based on their existing product or service pack levels.

HFNetChk.exe is a free command-line tool that is supported under Windows NT 4.0 and Windows 2000. HFNetChk is based on Microsoft’s own HFCheck utility, a hotfix management tool that scans Windows NT 4.0 and Windows 2000 systems to make sure that they’re up to date on the latest IIS patches. HFNetChk, on the other hand, scans not only for IIS, but also for Windows NT 4.0 and for Windows 2000 patches, as well.

MPSA is geared toward small business and home users and is strictly a Web site-based tool. According to Microsoft, users will be able to direct their Web browsers to the MPSA Web site, scan their systems, and read a report that MPSA prepares for them.

Microsoft says that it will publish the XML schema for its security patch database, a move which it hopes will encourage other vendors to incorporate support for it into their own tools.

According to Christopher DeMarco, a Unix systems administrator with sysadmin outsourcing company Taos, hotfix management is one of the most frustrating aspects of administration in the Windows NT 4.0 and Windows 2000 worlds.

“It’s really confusing, and I’m surprised that [Microsoft hasn’t] done anything like this before,” DeMarco confirms. “People ask how something like Code Red could proliferate like it did, but then when you realize that there’s no centralized way to manage and monitor hotfixes, the answer’s pretty obvious. If you’re administering hundreds of servers, how can you be sure that they’re all patched if you don’t have a centralized way of monitoring what’s patched and what’s not?”

And in some cases, even savvy administrators who are for the most part on top of things can miss a patch or two. Just ask Bill Tillson, a Windows NT systems operations manager with Primus Managed Hosting Solutions, who was hit hard by an IIS attack in mid-July.

“We’d been putting together 2000 systems, and keeping an eye on those patches, but we didn’t even know that this thing affected NT 4.0 [systems], too,” he says.

Taos’ DeMarco says that Unix operating systems have provided patch management features for quite some time. “Solaris provides a patch subsystem that will tell you what patches are installed and [which] will allow you to back out of patches or even replace flawed patches. It’s about time that Microsoft developed something like this,” he says.