hotfixes to your base server installations and to keep them current as you assigned new roles to them.

The process of keeping your servers and workstations up to date has to start somewhere—by identifying the updates you need for each of them. Updates typically come in two different varieties: service packs and hotfixes. (Hotfixes are sometimes known by a variety of other names, such as security hotfix, security fix, or update.) The bottom line is that there are two major types of updates you need to worry about, differentiated by both size and scope. In the next section we look at the difference between service packs and hotfixes. After we've gotten a good understanding of them and where we can look to find them, we move on to identifying and procuring required updates.

Types of Updates

As mentioned, you need to apply two basic types of updates to your network computers over time: service packs and hotfixes. Both can be found at the Windows Update Web site, located at https://traloihay.net. Updates often have very different purposes, reliability levels, and application methods and tools.

Service Packs

Service packs are large executables that Microsoft issues periodically (usually every 6 to 15 months) to keep the product current and correct problems and known issues. Often service packs include new utilities and tools that can extend a computer's functionality. For example, Windows 2000 Service Pack 3 includes the ability to remove shortcuts to Microsoft middleware products (Windows and MSN Messenger, Outlook Express, and the like) from your computer, if desired. Service packs also include updated drivers and files that have been developed for the product after its initial release. Windows 2000 service packs are all-inclusive and self-executing and typically contain all fixes and previous service packs that have been issued for the product.

NOTE: Although the topic is beyond the scope of this exam, you might be wondering just why Microsoft would willingly allow you to remove shortcuts to its middleware products. This action is a result of the settlement of the Microsoft antitrust lawsuit with the U.S. Department of Justice. You can read more about the settlement terms on Microsoft's Press Pass Web site at https://traloihay.net

One of the greatest improvements in Windows 2000, Windows XP, and Windows Server 2003 service packs is that you can slipstream them into the original installation source and create integrated installation media that can be used to install an updated version of the operating system on later new installations without the need to subsequently apply the latest service pack. These updated installation sources can be placed back onto a CD-ROM for a single-instance installation method or can be used for any form of remote installation, including Windows 2000 or Windows Server 2003 Remote Installation Services, or for disk cloning through use of a third-party application.

Although you can get service packs from the Windows Update Web site, the best location to get them for later installation or distribution on your network is directly from the Microsoft Service Packs page at https://traloihay.net. From there you will be able to download the service pack without having to install it immediately, as you would if you were using Windows Update.

Hotfixes

Hotfixes, also known as security fixes, security patches, patches, or quick-fix engineering, are small, single-purpose executable files that have been developed to correct a specific critical problem or flaw in a product for which timing is critical. Hotfixes do not typically undergo the same level of testing as service packs to ensure that they are stable and compatible and do not cause further critical issues. Some hotfixes are not made available to the general public and must be obtained directly from Microsoft Product Support (PSS). Others can be found and downloaded from various sources, such as Windows Update, at https://traloihay.net or the TechNet Security page located at www.microsoft.com/technet/security/default.asp.

Hotfixes can be used to correct both client-side and server-side issues. Recently, a fairly even division of client and server hotfixes has been issued as new flaws and weaknesses have been discovered. Perhaps one of the most famous server-side issues that received a hotfix was the Code Red exploitation of the Index service. MS02-018 was issued to correct this problem and stop the propagation of the Code Red worm.

You can rely on Windows Update to inform you of missing hotfixes, but you can also use the HFNetChk tool included with the Microsoft Baseline Security Analyzer (MBSA) tool to perform this function for you. The benefit of using HFNetChk is that when it is run against an entire network with a script, it quickly returns the status of all networked Windows Server 2003 computers, thus allowing you to determine the computers that require particular hotfixes.
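The network-wide check described above, sketched as an added example (not code from the original text, and not HFNetChk's output format or interface): it compares a scan export against a per-role baseline, groups the affected hosts by missing update for deployment, and reports servers that returned no data separately instead of treating them as patched. The host names, roles, CSV layout, EXAMPLE-* identifiers and the assignment of MS02-018 to a "web" role are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Required updates per role (constructed). "base" applies to every server;
# MS02-018 is the bulletin named in the text, EXAMPLE-* are placeholders.
BASELINE = {
    "base": {"EXAMPLE-001", "EXAMPLE-002"},
    "web": {"MS02-018"},
    "dns": {"EXAMPLE-003"},
}
# Servers that should appear in every scan, with assigned roles (constructed).
EXPECTED_HOSTS = {"SRV-WEB01": ["web"], "SRV-DNS01": ["dns"],
                  "SRV-FILE01": [], "SRV-WEB02": ["web", "dns"]}
# Constructed scan export (not real tool output); SRV-WEB02 is absent.
SCAN_CSV = """host,installed
SRV-WEB01,EXAMPLE-001;EXAMPLE-002
SRV-DNS01,EXAMPLE-001;EXAMPLE-002;EXAMPLE-003
SRV-FILE01,EXAMPLE-001
"""

def required_for(roles):
    """Base updates plus everything each assigned role adds."""
    needed = set(BASELINE["base"])
    for role in roles:
        needed |= BASELINE[role]
    return needed

def audit(scan_csv, expected_hosts):
    """Return (missing per host, hosts per update, hosts with no scan data)."""
    installed = {}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        updates = {u.strip() for u in row["installed"].split(";") if u.strip()}
        installed[row["host"].strip().upper()] = updates
    missing, unknown = {}, []
    targets = defaultdict(list)
    for host, roles in expected_hosts.items():
        if host not in installed:
            unknown.append(host)  # no data is not the same as patched
            continue
        gap = sorted(required_for(roles) - installed[host])
        if gap:
            missing[host] = gap
        for update in gap:
            targets[update].append(host)
    return missing, dict(targets), sorted(unknown)

if __name__ == "__main__":
    print(audit(SCAN_CSV, EXPECTED_HOSTS))
```

Hosts in the third list need a rescan before anyone signs off on them; a server that was offline during the scan is exactly the one most likely to have missed the last round of updates.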

EXAM WARNING: As you read this text and through the rest of this chapter, remember the differences between a service pack and a hotfix in terms of what they are designed to do, how they are obtained, and how they are installed. On the exam, you shouldn't expect to be asked directly what a service pack or hotfix is, but your understanding of each will be tested in other, more covert, ways.

Get Those Hotfixes!

Because service packs are only issued once in a long while, hotfixes will be your primary means of correcting vulnerabilities and flaws in Windows. You need to make it a regular practice—at least weekly—to check your computers for missing updates. Once you have identified the missing updates, you need to acquire and test them as quickly as you can, but not so quickly that you miss something critical that could cause you new problems down the road. After testing has been completed to your satisfaction, you should take steps to deploy updates as quickly as possible. Sometimes keeping your computers safe from attacks and other vulnerabilities comes down to just a matter of days—perhaps even less. For example, when the Code Red worm struck, it was able to compromise over 250,000 vulnerable systems in less than nine hours. Locating, testing, and deploying required updates as soon as they become available can go a long way toward keeping your network secure and protected. In the case of the Code Red worm, the vulnerability was known and the fix had been available for some time before the "need" to update and apply fixes and patches was shown to administrators.

Configuring & Implementing…

Deploying and Managing Updates

Identifying the updates that your computers need might seem like the toughest part of this task; however, that's not the case. Deploying updates, which includes testing them thoroughly before deployment, is in most cases the most time-consuming and problematic part of the update process.

After you have thoroughly tested the updates in a safe environment, usually a lab or an isolated section of the network, you then face the task of actually getting them deployed to the computers that require them. You have a few options available to you when it comes to deployment time, ranging from creating update-integrated installation media, using Group Policy and Remote Installation Service to install updates for you, using other products such as Systems Management Server, or even using scripting.

Of course, all of this assumes that you have actually gone out and gotten the updates you need. You can go about getting the required updates in a variety of ways, some easier than others. How you get the updates you need depends on the method you plan to use to deploy them. The method you use to deploy updates depends on several issues, such as whether the computers are new or existing, the physical location of the computers to be updated, and the number of computers to be updated.

The most common deployment methods for new computers include slipstreaming and scripting. For existing computers, Windows Update, Software Update Services, Automatic Update, Systems Management Server, scripting, and Group Policy are the more common methods. Of these, Automatic Updates (which has recently replaced the now defunct Critical Notification Service) and Windows Update only apply to the specific computer that they are running on; the rest of the methods can be used to apply fixes and updates to multiple computers.

The Software Update Service, a relatively new service that replaces Windows Corporate Update, can be found at https://traloihay.net; however, it only works with Windows 2000, Windows XP, and Windows Server 2003 computers and is not an intelligent updater when it comes to applying patches. Systems Management Server (SMS) has been around for quite some time and is due for a new version release in the near future. SMS can be used to deploy all sorts of fixes and updates to all versions of Windows computers.

Scripting can also apply fixes and updates to all versions of Windows computers and is perhaps the best choice when you have a large number of computers requiring the same updates. The same holds true for Group Policy software installation. Of course, there is always good old-fashioned "sneaker-net," which could utilize collected fixes on transportable media and interactive installations at the machines.

If you need to manually download fixes and patches, you can get them from the following locations:

For downloading service packs, your best bet is to go straight to the Service Pack homepage located at https://traloihay.net.

For hotfixes and other updates, you have several viable options: