In light of the endless influx of Internet-based worms, scanning scripts, and intruder attacks, patch management has become a growing concern among network administrators. A security guide, checklist, or hardening document wouldn't be complete without some recommendation to keep up with current hotfixes and service packs. But keeping up with patches isn't always as simple as visiting Windows Update and installing the recommended updates. I recommend automated patch-management solutions for updating workstations and noncrucial servers, but you might want to implement more advanced patch-management techniques to protect high-visibility or high-security servers. The strategies that I discuss in this article might not work for all organizations, but those willing to go the extra mile will benefit from the stability and security of careful patch management.
Check the Signatures
Depending on your server's security policy, when you install hotfixes you might receive a warning that the file doesn't contain a valid signature. However, Microsoft claims that it signs all its hotfixes. So why do you get the warning?
The confusion comes because two types of signatures exist: an Authenticode signature and a Windows Hardware Quality Labs (WHQL) signature. A software developer ensures a file's authenticity by appending an Authenticode signature to the file. Windows doesn't automatically check the Authenticode signature for hotfixes. You can verify the signature by right-clicking the file and selecting Properties. You can also use the Chktrust command-line tool that comes with the Microsoft Platform software development kit (SDK) to verify the Authenticode signature. Chktrust.exe will tell you whether a certificate is valid but won't tell you who owns it.
Microsoft stores the WHQL signature in a separate catalog file to show that the company has tested a driver file for Windows XP or Windows 2000 compatibility. Microsoft includes a WHQL signature for each driver file in a hotfix. The warning appears when the WHQL signature for a driver file doesn't match what's stored in the catalog file.
So if the Authenticode signature verifies the hotfix before installation and the WHQL signature verifies the driver files after you install the hotfix, why does the warning still appear? It appears because the hotfix installs new files with new WHQL signatures. Because the new WHQL signatures aren't available until the installation is finished, Windows can't verify the new signatures until the hotfix is installed. You can verify these signatures by running the Windows File Signature Verification tool (sigverif.exe) after you install the hotfix. If you check the Authenticode signature before you install the hotfix and run Sigverif to check the WHQL signatures after installation, you can safely ignore the invalid-signature warning.
Check the Files
Before you install any hotfix on a production server, you should know which files you'll be installing and which files the hotfix will update. By identifying which files will change, you can spot file-version conflicts and determine which changes a hotfix will make to your server. This step adds to the updating process, but it's worth the effort if it prevents downtime of a crucial server.
To list the files in a hotfix, you can manually extract them by using the /x switch. For example, the following command extracts the files from the q123456.exe hotfix:
q123456.exe /x
The /x switch also has an undocumented feature that lets you extract the files to a specific path. When combined with the /q switch, the file extraction requires no user interaction, which means you can use scripts to automate the file-extraction process. For example, the following command extracts the files from the q123456.exe hotfix to the C:\temp directory:
q123456.exe /x:c:\temp\ /q
After you extract the files, you can view them and their properties. To make this task easier, you can use the hfinfo.vbs script that I've created. Because Microsoft packages hotfixes differently in Windows Server 2003, this script will work only in Win2K. (To find the script, go to the Windows & .NET Magazine Web site, enter InstantDoc ID 41980 in the InstantDoc ID box, then click the 41980.zip hotlink.) This script extracts the hotfix files and displays each file's date, time, size, and version. To use hfinfo.vbs, type
cscript.exe hfinfo.vbs <HotfixFilename>
where HotfixFilename >is the name of the hotfix file. Knowing which files and file versions you're installing will make identifying potential conflicts or other problems easier. But most of all, knowing which files you're about to install on your server is simply a good idea.
Previous
Register
