New Security Package, Tool
Feb. 4, 2002

Microsoft is beginning to fulfill promises it made under the "Stay Secure" portion of its Strategic Technology Protection Program by releasing the first scheduled cumulative security hotfix for Windows 2000 and updating a tool that helps administrators determine which hotfixes have been applied on a computer.

Security Rollup Package 1

The Windows 2000 Security Rollup Package 1 (SRP1) delivers 19 separate hotfixes—all the hotfixes Microsoft has released to address operating system (OS) vulnerabilities identified in the security bulletins issued since Windows 2000 Service Pack 2—in a package that an administrator can apply as a single unit. Hotfixes issued after the release of SRP1 will come in future SRPs, which the company has promised to deliver every two months.

Missing from SRP1 is the hotfix for MS01-022 (Q296441): "WebDAV Service Provider Can Allow Scripts to Levy Requests as User." The SRP does not include this hotfix because it does not affect Windows 2000 itself, but applies to the Microsoft Data Access Internet Publishing Provider, which is a code library for applications that retrieve and update documents with the Web Distributed Authoring and Versioning (WebDAV) protocol. Administrators will need to apply the WebDAV hotfix separately to most Windows 2000 systems that need SRP1.

Administrators should note that the primary purpose of an SRP is to make it easier to apply the hotfixes. Hotfixes in an SRP are not integration-tested to the same degree as patches in a Service Pack. SRP1 can be installed on Windows 2000 Professional, Server, and Advanced Server only if Service Pack 2 (SP2) has already been installed, and it can be installed on all systems, even if some of the individual hotfixes have already been installed. SRP1 can be uninstalled or rolled back as a complete unit if a hotfix should cause a problem with the OS.

Updated Hotfix Checker Tool

Microsoft’s hotfix checker tool, Hfnetchk, has been updated to support the latest versions of Windows and Internet Explorer (IE). This command-line tool enables administrators to find out what security hotfixes are installed on a computer. It can assess the hotfix status of Windows NT 4.0, 2000, or XP; Internet Information Server (IIS) 4.0 or 5.0; SQL Server 7.0 or 2000 (including Microsoft Data Engine [MSDE]); and IE 5.01 or later. The tool is still merely a means of determining the state of security hotfixes on a machine at a given point in time. The updated tool contains several minor improvements, including the ability to

Microsoft has also released a Systems Management Server (SMS) add-on that uses Hfnetchk to automatically detect and then apply missing hotfixes on a machine.

Availability and Resources

A list of the hotfixes included in SRP1 is available at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/w2ksrp1.asp. Security Rollup Package 1 (SRP1) is available at www.microsoft.com/windows2000/downloads/critical/q311401/default.asp. Version 3.3 of the hotfix checker tool is available at www.microsoft.com/downloads/release.asp?releaseid=31154. Information on the use of SMS to deploy hotfixes is at www.microsoft.com/smserver/techinfo/deployment/20/deployosapps/smsseckit.asp. For Microsoft’s security bulletins and other security information, see www.microsoft.com/security. For more information on Windows 2000 SP2, see "Second Service Pack for Windows 2000" on page 10 of the June 2001 Update.