Export (0) Print
Expand All
1 out of 2 rated this helpful - Rate this topic

Using Systems Management Server 2.0 to Deploy Security Tool Kit Fixes

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
On This Page

Introduction
SMS Tools Provided with the Security Tool Kit
Files and Directories
Deploying Security Fixes Using SMS

Introduction

Note: This document assumes you already have an SMS infrastructure in place and you know how to use Systems Management Server to distribute software.

To automate the distribution and installation of the recommended Internet Information Services (IIS) security fixes to Windows 2000 Professional, Windows 2000 Server and Windows 2000 Advanced Server, and Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT Server 4.0 Enterprise Edition, Microsoft has supplied a set of queries and package definition files in the SMS directory of the Microsoft Security Tool Kit compact disc. SMS can help you determine which computers need the security fixes, and then deploy the fixes to the appropriate resources. The objects that the Systems Management Server (SMS) team has built can be imported into an existing SMS 2.0 hierarchy to help facilitate the deployment of these security fixes and ensure that your environment complies with Microsoft recommendations.

The steps described in this document automate manual steps that are described in the Guide to Baseline Security, which is included in the Microsoft Security Tool Kit. It is recommended that you read this document in conjunction with the steps described in the Guide to Baseline Security.

Note: Due to the dynamic nature of the security fixes, this document may not provide automated steps for all security fixes provided in the Security Tool Kit. For the latest information about using SMS to deploy security fixes, see the Security Tool Kit Release Notes on the Microsoft Web site at: http://support.microsoft.com/default.aspx?scid=KB;EN-US;309536&sd=tech

SMS Tools Provided with the Security Tool Kit

The following SMS tools are included on the Security Tool Kit compact disc.

Table 1 SMS Tools Included with the Security Tool Kit

Tool Name

Location

Files

Description

Microsoft Security Tool Kit Import Utility

Included with the Security Tool Kit

MSTImport.exe

Enables you to import all collection objects necessary to deploy the security fixes in an SMS infrastructure. It accesses multiple text files, for example MST Queries.txt to build the Collection tree.

Forced Determination of Internet Explorer Version

Included with the Security Tool Kit

FDIESniffer.exe

SMS Installer executable file used to detect the current version of Internet Explorer. It generates a NOIDMIF containing the value of HKLM: Software\Microsoft\Internet Explorer\IEVERS, and then triggers SMS Hardware Inventory to collect the resulting MIF.

Forced Determination of IIS Version 3.0 or Above

Included with the Security Tool Kit

FDIISniffer.exe

SMS Installer executable file used to detect the current version of Internet Explorer. It generates a NOIDMIF containing the HKLM: Software\Microsoft\IIVERS. It then triggers a hardware inventory cycle to collect the resulting MIF.

Forced Determination of Windows Media Player Version

Included with the Security Tool Kit

FDWMSniffer.exe

SMS Installer executable file used to detect the current version of Internet Explorer. It generates up to 3 NOID MIFs.
WMPatch MIF: Denotes that the Windows MEdia 6.4 Patch is not Installed.
WMVer.MIF: Reports the current Version of Windows Media Player if 7.0 Greater
WMError.MIF: Returned when the client does not have Windows Media Player 7.0 or greater.

Forced Determination Wrapper Tool

Included with the Security Tool Kit

FDWrapper.exe

SMS Installer executable file used to "wrap" the execution of other fixes. This tool does the following:

  • Passes SMS the status of an update.

  • Generates a NOIDMIF.

  • Triggers a hardware inventory cycle to collect the NOIDMIF.

Forced Determination Wrapper Tool 2

Included with the Security Tool Kit

FDWrapper2.exe

Special version of FDWrapper used to distribute the IIS 4.0 Security Update. This tool distributes that particular QFE support fix silently and suppresses the reboot. This tool also does the following:

  • Passes SMS the status of an update.

  • Generates a NOIDMIF.

  • Triggers a hardware inventory cycle to collect the NOIDMIF.

QChain

Included with the Security Tool Kit

QChain.exe

Windows Sustained Engineering Team tool that ensures QFEs were applied in the correct order. After QChain verifies the order, the computer will reboot, which completes the process.

Files and Directories

SMS files are located in the SMS directory on the Security Tool Kit compact disc as follows. Note that many files in the SMS directory are also available in other directories on the compact disc.

SMS\

Documentation\

SMSDeploy.doc

Forced Determination Wrapper(s)

FDW2

Fdwrapper2.exe

FDISniffer.EXE

FDIISSniffer.EXE

FDWrapper.Exe

WMPSniffer.EXE

MSTImport

MSTImport.Exe

Package Definition Files

Cun.sms

IE501SP2.sms

IE55SP2.sms

Iedetect.sms

Iidetect.sms

kickhinv.sms

nt4sp6.pdf

265714i.sms

269049i.sms

280119i.sms

279328.sms

299444i.sms

301625.sms

301625i.sms

305929i.sms

307866i.sms

QChain.sms

SchemaMod.sms

TSSP6.sms

w2ksp2.sms

wmp64.sms

wmp71.sms

wmpsnif.sms

Deploying Security Fixes Using SMS

You must perform the following steps to use SMS to deploy the Security Tool Kit fixes. These steps are described in detail in the following sections.

  • Step 1: Verifying Prerequisites

  • Step 2: Configuring SMS to Deploy the Security Tool Kit

  • Step 3: Monitoring Progress

Step 1: Verifying Prerequisites

Before you use Systems Management Server 2.0 to deploy the Security Tool Kit, your site and all child sites must meet the following criteria:

  • Your hierarchy must be running SMS 2.0 Service Pack 3 (SP3) or later.

  • If you are planning to deploy Windows NT 4.0 Terminal Server SP3, the following SMS 2.0 SP3 hot fix must be applied to your site:

    • 309437 SMS 2.0 SP3: client components fail to start after upgrading Windows NT 4.0 Terminal Server Edition SP3 to SP6

  • The Advertised Programs Client Agent must be enabled and installed in your hierarchy.

  • The Hardware Inventory Client Agent must be enabled and installed in your hierarchy.

Note: If you are using IntelliPoint mouse devices earlier than version 2.2, read Knowledge Base article 305462 on the Microsoft Support Online Web site at http://support.microsoft.com/default.aspx?scid=KB;en-us;305462&sd=tech

Step 2: Configuring SMS to Deploy the Security Tool Kit

The queries and packages included with the Microsoft Security Tool Kit are designed and tested to work with SMS 2.0 SP3 or later.

In an effort to structure the deployment process most effectively, the utilities that SMS provides are designed so that a series of related collections are created in the targeted SMS 2.0 site. These objects can be imported into any primary site of an SMS 2.0 hierarchy. The fixes must be deployed throughout the hierarchy. As a result, it is recommended that you import or create the objects at the point in the SMS hierarchy that has the largest number of potentially affected resources reporting up to it. (This should be the central site, unless there is a specifically designated reporting site at the top of the hierarchy that does not have administrative control from the site.) Note that the new collections created will be replicated throughout the hierarchy from the site at which they were imported, down through all child sites.

The series of collections resulting from importing the collection objects enable administrators to view the status of their hierarchy and determine where the appropriate updates from the Microsoft Security Tool Kit must be applied. These collections can be used for targeting the resources that require the appropriate updates. The required updates are contained in the packages that were either imported or manually created. Programs exist within these packages that refer to the appropriate updates to be targeted to a collection.

In order to deploy the security fixes, you must perform the following steps.

  1. Import collections, queries, and packages using the Microsoft Security Tool Kit Import Utility provided with the Security Tool Kit.

  2. Assign a distribution point to each package that requires distribution in your hierarchy. See the SMS product documentation for more information about how to assign distribution points to packages.

  3. Create advertisements to target particular programs to specific collections. This is the most critical step for deploying the security updates, because advertisements must target the correct program to the appropriate collection in order for the updates to be successfully deployed. Note that you can schedule advertisements to run at a time that is most convenient for your organization.

Note: All collections and packages related to the SMS deployment of the security fixes are prefixed with MST, so you can easily identify the objects that are created on your system.

Importing SMS Objects Using the MSTImport Tool

To import the objects needed to deploy the security fixes, run the Microsoft Security Tool Kit Import Utility (MSTImport.exe) provided in the SMS directory of the Microsoft Security Tool Kit compact disc. After you run the utility, the following collections, queries, and packages will be available in the SMS hierarchy. Only collections will be replicated through the hierarchy. Queries will not be replicated. If the queries are needed at the lower sites, then you will need to run the MSTImport.exe utility at the child sites to import queries.

Note: Prior to running MSTImport.exe utility, it is recommended that you review 295157: The Microsoft BackOffice Server 4.5 Resource Kit utilities, Preinst.exe and Delgrp.exe, may return errors when they are run on Systems Management Server (SMS) running Microsoft SQL Server 2000. The problem described in this KB article can occur because the default client network protocol was changed from Named Pipes in Microsoft SQL Server 7.0 (and earlier) to TCP/IP in SQL Server 2000. These errors occur when running the MSTImport tool if SQL Server Authentication is selected. As a result of these errors, the Queries Import phase of this tool will fail, although the collections are successfully created.

Object

Name

Queries

MST-All Windows 2000 Computers

 

MST(Win2K)-Stage 1 All Win2K Computers Not Running SP2

 

MST(Win2K)-Stage 2 All Win2K Computers Running SP2

 

MST(Win2K)-Stage 3 All Win2K Computers Running IIS

 

MST(Win2K)-Stage 4 All Win2K Computers Apply 301625 Success

 

MST(Win2K)-Stage 5 All Win2K Computers FDIESnif Success

 

MST(Win2K)-Stage 6 All Windows 2000 Computers No Updated IE

 

MST(Win2K)-Stage 7 All Win2K Computers Updated IE

 

MST(Win2K)-Stage 8 All Win2K Computers Update Success

Queries

MST All Windows 2000 WMPSniff Success

 

MST(Win2k)-Stage 9 All Windows 2000 Media Player need Patch

 

MST(Win2k)-Stage 10 All Windows 2000 Media Player 7.0

 

MST All Windows 2000 Media Player 7.1

 

MST All Windows 2000 Media Player Security Patch Success

 

MST-All Windows NT 4.0 Servers

 

MST-All Windows NT 4.0 Servers Running IIS

 

MST-All Windows NT 4.0 Servers FDIESnif Success

 

MST-All Windows NT 4.0 Servers No Updated IE

 

MST(NT4Svr)-Stage 1 All Windows NT 4.0 Servers Not Running SP6

 

MST(NT4Svr)-Stage 2 All Windows NT 4.0 Servers Running SP6a

 

MST(NT4Svr)-Stage 3 Windows NT 4.0 IIS Servers-Smart Array Controllers

 

MST(NT4Svr)-Stage 4 All Windows NT 4.0 Servers Security Rollup Success

 

ST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 307866i Success

 

MST(NT4Svr)-Stage 6 All Windows NT 4.0 Servers Apply 305929 Success

 

MST(NT4Svr)-Stage 7 All Windows NT 4.0 Servers Apply 301625i Success

 

MST(NT4Svr)-Stage 8 All Windows NT 4.0 Servers N0 Updated IE

 

MST(NT4Svr)-Stage 9 All Windows NT 4.0 Servers Updated IE

 

MST(NT4Svr)-Stage 10 All Windows NT 4.0 Servers Update Success

 

MST(NT4Svr)-Stage 11 Windows NT 4.0 Server Media Player Need Patch

 

MST-All Windows NT 4.0 Workstations

Queries

MST-All Windows NT 4.0 Workstations Running IIS

 

MST-All Windows NT 4.0 Workstations FDIESnif Success

 

MST-All Windows NT4.0 Workstations Media Player Security Patch Success

 

MST(NT4Wks)-Stage 1 All Windows NT 4.0 Workstations Not running SP6a

 

MST(NT4Wks)-Stage 2 All Windows NT 4.0 Workstations Running SP6a

 

MST(NT4Wks)-Stage 3 Windows NT 4.0 IIS Workstations-Smart Array Controllers

 

MST(NT4Wks)-Stage 4 All Windows NT 4.0 Workstations Security Rollup Success

 

MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 305929 Success

 

MST(NT4Wks)-Stage 6 All Windows NT 4.0 Workstations Apply 301625i Success

 

MST(NT4Wks)-Stage 7 All Windows NT 4.0 Servers Apply 307866i Success

 

MST(NT4Wks)-Stage 8 All Windows NT 4.0 Workstations No Updated IE

 

MST(NT4Wks)-Stage 9 All Windows NT 4.0 Workstations Updated IE

 

MST(NT4Wks)-Stage 10 All Windows NT 4.0 Workstations Update Success

 

MST(NT4Wks)-Stage 11 Windows NT 4.0 Workstation Media Player Need Patch

 

MST(NT4TS)-Stage 1 All Windows NT 4.0 Terminal Servers Not Running SP6

 

MST(NT4TS)-Stage 2 All Windows NT 4.0 IIS and Terminal Servers Running SP6

 

MST(NT4TS) –Stage 3 All Windows NT 4.0 Terminal Servers apply 265714 Success

Queries

MST(NT4TS) –Stage 4 All Windows NT 4.0 Terminal Servers apply 266433 Success

 

MST(NT4TS) –Stage 5 All Windows NT 4.0 Terminal Servers apply 269049 Success

 

MST(NT4TS) –Stage 6 All Windows NT 4.0 Terminal Servers Updated Success. (This Query should be a rollup of all 4 QFEs)

 

MST(NT4TS) –Stage 7 All Windows NT 4.0 Terminal Servers No Updated IE

 

MST(NT4TS)-Stage 8 All Windows NT 4.0 Terminal Servers Updated IE

 

MST(NT4Svr)-Stage 9 Windows NT 4.0 Terminal Server Media Player need Patch

 

MST- Windows NT 4.0 Terminal Servers Media Player Security Patch Success

 

MST - All Windows 2000 Computers Apply 301625 Failed

 

MST - All Windows 2000 Computers FDIESnif Failed

 

MST - All Windows 2000 Computers Update Failed

Queries

MST - All Windows NT 4.0 Servers Apply 305929 Failed

 

MST - All Windows NT 4.0 Servers FDIESnif Failed

 

MST - All Windows NT 4.0 Servers Security Rollup Failed

 

MST - All Windows NT 4.0 Servers Update Failed

 

MST-All Windows NT4.0 Server Media Player Security Patch Success

 

MST - All Windows NT 4.0 Terminal Servers FDIESnif Failed

 

MST - All Windows NT 4.0 Terminal Servers QChain Failed

 

MST - All Windows NT 4.0 Terminal Servers Update Failed

 

MST - All Windows NT 4.0 Workstation Security Rollup Failed

 

MST - All Windows NT 4.0 Workstations Apply 305929 Failed

 

MST - All Windows NT 4.0 Workstations FDIESnif Failed

 

MST - All Windows NT 4.0 Workstations Update Failed

 

MST - All Windows NT 4.0 Workstations Apply 301625i Failed

 

MST - All Windows NT 4.0 Servers FDIISnif Failed

 

MST - All Windows NT 4.0 Servers Apply 301625i Failed

 

MST - All Windows NT 4.0 Workstations FDIISnif Failed

Collections

MST(Win2K)-Stage 1 All Win2K Computers Not Running SP2

 

MST(Win2K)-Stage 2 All Win2K Computers Running SP2

Collections

MST(Win2K)-Stage 3 All Win2K Computers Running IIS

 

MST(Win2K)-Stage 4 All Win2K Computers Apply 301625 Success

 

MST(Win2K)-Stage 5 All Win2K Computers FDIESnif Success

 

MST(Win2K)-Stage 6 All Windows 2000 Computers No Updated IE

 

MST(Win2K)-Stage 7 All Win2K Computers Updated IE

 

MST(Win2K)-Stage 8 All Win2K Computers Update Success

 

MST(Win2k)-Stage 9 All Windows 2000 Media Player need Patch

 

MST(Win2k)-Stage 10 All Windows 2000 Media Player 7.0

 

MST(NT4Svr)-Stage 1 All Windows NT 4.0 Servers Not Running SP6

 

MST(NT4Svr)-Stage 2 All Windows NT 4.0 Servers Running SP6a

 

MST(NT4Svr)-Stage 3 Windows NT 4.0 IIS Servers-Smart Array Controllers

 

MST(NT4Svr)-Stage 4 All Windows NT 4.0 Servers Security Rollup Success

Collections

MST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 307866i Success

 

MST(NT4Svr)-Stage 6 All Windows NT 4.0 Servers Apply 305929 Success

 

MST(NT4Svr)-Stage 7 All Windows NT 4.0 Servers Apply 301625i Success

 

MST(NT4Svr)-Stage 8 All Windows NT 4.0 Servers N0 Updated IE

 

MST(NT4Svr)-Stage 9 All Windows NT 4.0 Servers Updated IE

 

MST(NT4Svr)-Stage 10 All Windows NT 4.0 Servers Update Success

 

MST(NT4Wks)-Stage 1 All Windows NT 4.0 Workstations Not running SP6a

 

MST(NT4Wks)-Stage 2 All Windows NT 4.0 Workstations Running SP6a

 

MST(NT4Wks)-Stage 3 Windows NT 4.0 IIS Workstations-Smart Array Controllers

 

MST(NT4Wks)-Stage 4 All Windows NT 4.0 Workstations Security Rollup Success

 

MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 305929 Success

 

MST(NT4Wks)-Stage 6 All Windows NT 4.0 Workstations Apply 301625i Success

 

MST(NT4Wks)-Stage 7 All Windows NT 4.0 Servers Apply 307866i Success

 

MST(NT4Wks)-Stage 8 All Windows NT 4.0 Workstations No Updated IE

 

MST(NT4Wks)-Stage 9 All Windows NT 4.0 Workstations Updated IE

 

MST(NT4Wks)-Stage 10 All Windows NT 4.0 Workstations Update Success

 

MST(NT4TS)-Stage 1 All Windows NT 4.0 Terminal Servers Not Running SP6

 

MST(NT4TS)-Stage 2 All Windows NT 4.0 IIS and Terminal Servers Running SP6

 

MST(NT4TS) –Stage 3 All Windows NT 4.0 Terminal Servers apply 265714 Success

 

MST(NT4TS) –Stage 4 All Windows NT 4.0 Terminal Servers apply 266433 Success

 

MST(NT4TS) –Stage 5 All Windows NT 4.0 Terminal Servers apply 269049 Success

 

MST(NT4TS) –Stage 6 All Windows NT 4.0 Terminal Servers Updated Success. (This Query should be a rollup of all 4 QFEs)

 

MST(NT4TS) –Stage 7 All Windows NT 4.0 Terminal Servers No Updated IE

 

MST(NT4TS)-Stage 8 All Windows NT 4.0 Terminal Servers Updated IE

 

MST(NT4Svr)-Stage 9 Windows NT 4.0 Terminal Server Media Player need Patch

 

MST(NT4Svr)-Stage 11 Windows NT 4.0 Server Media Player need Patch

 

MST(NT4Wks)-Stage 11 Windows NT 4.0 Workstation Media Player Need Patch

After you have run the Microsoft Security Tool Kit Import Utility (MSTImport.exe), the following package definition files (.pdf or .sms ) are available for you to use to build packages using the Create Package from Definition wizard in the SMS Administrator console.

Table 2 Package Definition Files Included with the Security Tool Kit

Filename

Package Created

Programs Created

Description

nt4sp6.pdf

Service Pack 6 Microsoft Windows NT 4.0

Update x86 Windows NT Version 4.0

This package definition file imports the programs necessary to distribute Windows NT 4.0 Service Pack 6.
For more information about this service pack, see: http://support.microsoft.com/default.aspx?scid=KB;en-us;246009&sd=tech

w2ksp2.sms

Service Pack 2 for Windows 2000

Manual Update
Unattended Update

This package definition file imports the programs necessary to distribute Windows 2000 Service Pack 2.

IIdetect.sms

MST:II Detect

MST:Detect

This package definition file imports the program necessary to distribute a utility that can be used to determine the version of IIS running on Windows NT Server 4.0 and Windows NT 4.0 Workstation.

iedetect.sms

MST:IE Detect

MST:Detect

This package definition file imports the programs necessary to distribute a tool that can be used to determine the version of Internet Explorer.

IE501SP2.sms

MST:Internet Explorer 5.01 Service Pack 2

MST:Required Update

This package definition file imports the program necessary to distribute Internet Explorer 5.01 Service Pack 2.
For more information about this service pack, see: http://support.microsoft.com/default.aspx?scid=kb;en-us;267954&sd=tech

IE55SP2.sms

MST:Internet Explorer 5.5 SP2

MST:Required Update

This package definition file imports the program necessary to distribute Internet Explorer 5.5 Service Pack 2.
For more information about this service pack, see: http://support.microsoft.com/default.aspx?scid=KB;en-us;276369&sd=tech

kickhinv.sms

MST:Start Hardware Inventory

MST:Start

This package definition file imports the program necessary to remotely trigger hardware inventory on clients.

299444i.sms

MST:NT Security Rollup

MST:Required Update

This package definition file imports the program necessary to distribute the Security Rollup Package (SRP) for Windows NT 4.0 that includes the functionality from all security patches released for Windows NT 4.0 since the release of Windows NT 4.0 Service Pack 6a (SP6a). This small, comprehensive rollup of post-SP6a fixes provides an easier mechanism for managing the rollout of security fixes. Applying the SRP does not change the encryption level of the system.
For more information about this SRP, see:

http://www.microsoft.com/technet/archive/security/news/nt4srp.mspx

301625.sms

MST:IIS W2k Security Rollup Package

MST:Required Update

This package definition file imports the program necessary to distribute the Security Rollup Package (SRP) for IIS versions 4.0 and 5.0 on Windows 2000.

301625i.sms

MST:IIS NT4 Security Rollup Package

MST:Required Update

This package definition file imports the program necessary to distribute the Security Rollup Package (SRP) for IIS versions 4.0 and 5.0 on Windows NT 4.0 without Terminal Services.

307866i.sms

MST:IIS NT4 Security Rollup Package 2

MST:Required Update

This package definition file imports the program necessary to distribute the Security Rollup Package (SRP) for IIS versions 4.0 and 5.0 on Windows NT 4.0 without Terminal Services.

305929i.sms

MST:Invalid Digital Signature

MST:Required Update

This package definition file imports the program necessary to distribute a fix for servers that generate digital signature errors.
For more information about this fix, see: http://support.microsoft.com/default.aspx?scid=KB;en-us;305929&sd=tech

QChain.sms

MST:QChain

MST:Required Update

This package definition file imports the program necessary to distribute QChain.exe to install multiple hot fixes with only one reboot.
For more information about QChain.exe, see: http://support.microsoft.com/default.aspx?scid=KB;en-us;296861&sd=tech

Step 3: Monitoring Progress

As each stage of the deployment progresses successfully, the MST collections must be updated. The default collection update schedule is set to two hours for each of the MST collections. Alternatively, the collections schedule can be updated manually by the administrator.

Note: Because additional collections are created by the Microsoft Security Tool Kit Import Utility, these collections are automatically replicated to all the child sites. This increases site-to-site communication traffic during collection replication cycles.

As advertisements are run and security updates are deployed, resources are removed from their original collections because they no longer meet the membership rules for that collection. The resources then become members of other collections based on their membership rules. This is not an immediate process, instead it occurs according to the configured collection update schedule or when the administrator manually updates the collection. When this happens, if there is an advertisement targeted to that collection, the resources receive the next advertised program that applies the appropriate update.

Queries are provided that match the collections that allow administrators to track the progress of resources through the appropriate stages of the deployment without causing excessive replication traffic.

In addition to using the pre-created collections and queries to monitor status, you can use Advertisement Status to track the success and failures of each of the advertisements.

Using SMS to Automate Deployment

These fixes are specifically designed for the operating system of the resource targeted to receive the fix. The following sections describe how to deploy the fixes to different operating systems.

  • How SMS deploys fixes to Windows 2000

  • How SMS deploys fixes to Windows NT 4.0

  • How SMS Deploys Fixes to Windows NT Server 4.0, Terminal Server Edition

How SMS Deploys Fixes to Windows 2000

This section describes how to use SMS to deploy the security fixes to computers running Windows 2000 or Windows 2000 SP1 or later. These steps automate the manual steps that are described in the Guide to Baseline Security, which is included in the Security Tool Kit. It is recommended that you read these steps in conjunction with the steps described in the Guide to Baseline Security.

The following queries, collections, and packages are provided in the Security Tool Kit for computers running Windows 2000 or Windows 2000 SP1 or later.

Table 3 Queries, Collections, and Packages for Computers Running Windows 2000

Steps Automated by SMS

SMS Query Name

SMS Package Name

Success SMS Query Name

Step 2a: Install Windows 2000 SP2

MST(Win2K) Stage 1 All Win2K Computers not running SP2

MST: Service Pack 2 for Windows 2000 (from W2KSP2.sms)

MST(Win2K) Stage 2 All Win2K Computers running SP2

Step 2b: Install the IIS Security Rollup Package

MST(Win2K) Stage 3 All Win2K Computers Running IIS

MST:IIS W2k Security Rollup Package (from 301625.sms)

MST(Win2K) Stage 4 All W2K Computers Apply 301625 Success

Step 2c: Run Qchain
(Will cause the machine to restart)

MST(Win2K) Stage 4 All W2K Computers Apply 301625
Success

MST:QChain (from Qchain.sms)

Not provided

Step 2d: Run FDIESnif to determine installed version of Internet Explorer.

MST(Win2K) Stage 4 All W2K Computers Apply 301625 Success

MST:IE Detect (from iedetect.sms)

MST(W2K) Stage 5 All W2K Computers FDIESnif Success

Step 2e: Optional: Install Internet Explorer 5.5 SP2

MST(Win2K) Stage 6 All W2K Computers no Updated IE

MST:Internet Explorer 5.5 SP2 (from IE55SP2.sms)

MST(Win2K) Stage 7 All Win2K Computers Updated IE

Step 2f: Optional: Install the Critical Update Notification 3.0 Tool

MST(Win2K) Stage 8 All Win2K Computers Update Success

Cun.sms

Not provided

Step 2g: Run WMPSnif to determine installed version of Windows Media Player

MST(Win2K) Stage 8 All Win2K Computers Update Success

MST:FDWMSniffer (from FDQMSniffer.sms)

MST All W2K Computers WMPSnif Success

Step 2h: Apply the Windows Media Player Security Patch to WMP Versions 6.4, 7.0 or 7.1

MST(W2K)-Stage 9 All Windows 2000 Media Player Need Patch

Wmp64.sms

MST- All Windows 2000 Media Player Security Patch Success

Step 2i: If the Version of Windows Media player is 7.0 Upgrade the Version to 7.1

MST(W2K)-Stage 10 All Windows 2000 Media Player 7.0

Wmp71.sms

MST-All Windows 2000 Media Player 7.1

Step 2j: Run Qchain
(This will cause the computer to reboot)

MST All Windows 2000 Media Player Patch Success

MST:QChain (from Qchain.sms)

Not provided

Step 2a: Installing Windows 2000 SP2

An SMS query and collection is provided called MST(Win2K) Stage 1 All Win2K Computers not running SP2 that targets all computers running Windows 2000 Professional, Windows 2000 Server, or Windows 2000 Advanced Server that do not already have Service Pack 2 installed.

The W2KSP2.sms package targets this collection and installs Windows 2000 Service Pack 2. When this package runs, it triggers a reboot.

The installation of Windows 2000 SP2 updates the CSD version field in the operating system class provided by SMS hardware inventory. When hardware inventory runs at its next scheduled interval, this information is updated in the SMS database. This update to the SMS database, and the subsequent update of the collections, causes the resources to report to the Windows 2000 Computers Running IIS collection. These collections are then available as targets for the advertisement described in the next section, "Installing the IIS Security Rollup Package."

Note: A package, Kickhinv.sms, is included that can force a hardware inventory schedule to occur immediately for a particular client.

You can run the query MST(Win2K) Stage 2 All Win2K Computers running SP2 to report on systems that successfully completed Step 2a.

Step 2b: Installing the IIS Security Rollup Package

An SMS query and collection is provided called MST(Win2K) Stage 3 All Win2K Computers Running IIS. This query identifies all computers running Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server that are also running IIS. This is determined by detecting the IIS Admin service and Windows 2000 SP2 installation.

When the 301625.sms package runs, it triggers a reboot. This installation of the IIS Security Rollup Package updates a field named IsInstalled in a table containing the QFE Update data with a value of 2 for the ProductName 301625. This indicate the IIS Security Rollup Package has successfully run.

You can run the query MST(Win2K) Stage 4 All W2K Computers Apply 301625 to report on systems that successfully completed Step 2b.

Step 2c: Installing and Running QChain

The QChain tool does not install any files on a system. QChain organizes the entries in the PendingFileRename registry key from the based on the specified updates. A rebooted is required for these registry changes to take affect.

Step 2d: Installing and Running the FDIESnif Utility

An SMS query and collection is provided called MST(Win2K) Stage 4 All W2K Computers Apply 301625 that identifies all computers running Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server with Service Pack 2 installed.

When the iedetect.sms package runs, it detects the version of Internet Explorer that is installed on the targeted collection of computers. The FDIESnif MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 that indicates the utility successfully identified the Internet Explorer version. The updateID field displays FDIESnif and the contents of the Description Field lists the specific version of Internet Explorer detected.

You can run the query MST(W2K) Stage 5 All W2K Computers FDIESnif Success to report on systems that successfully completed Step 2d.

Step 2e: Installing Internet Explorer 5.5 SP2

An SMS query and collection is provided called MST(Win2K) Stage 6 All W2K Computers no Updated IE that identifies all computers running Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server that are not running either Internet Explorer 5.01 SP2 or Internet Explorer 5.5 SP2.

If the IES55SP2.sms package is run, this installation of the updated Internet Explorer install MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 that indicates the IE55SP2 package has successfully run.

You can run the query MST(Win2K) Stage 6 All Win2K Computers Update Success to report on Windows 2000 systems that successfully completed Step 2e.

Step 2f: Optional: Install the Critical Update Notification 3.0 Tool

As discussed in the Microsoft Security Tool Kit document, "Installing and Securing and Existing Windows 2000 System," as part of your ongoing maintenance program, it is recommended that you install the Critical Update Notification 3.0 Tool. When this tool is installed on a computer, you will be notified whenever a new Critical Fix is released.

In order to assist you in deploying this tool, an SMS query and collection is provided called MST(Win2K) Stage 8 All Win2K Computers Update Success that identifies all computers running Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server that have installed the IIS Security Rollup Patch and have updated their version of Internet Explorer, and are ready to have this tool deployed to them.

Step 2g: Run WMPSniffer to determine installed version of Windows Media Player

The Windows Media Player Detection Utility is a utility created by the SMS team to assist administrators in identifying the version of Media Player that is running on systems, without enabling software inventory.

When FDWMSiffer.sms.sms package runs, it updates a table containing the QFE Update data with the IsInstalled value of 2 with the UpdateID of FDWMSnif. The description field displays the version of Windows Media Player detected by the utility.

After the utility runs on the targeted systems, you can run the following query to report on systems that have successfully completed running the IIS Version Detection Utility.

  • MST All W2K Computers WMPSnif Success

Step 2h: Apply the Windows Media Player Security Patch.to WMP Versions 6.4, 7.0 or 7.1

The following SMS query and collection are provided that target all computers running Windows 2000 Windows Media Player 6.4, 7.0 and 7.1 to install the Windows Media Player Security Patch.

  • Apply the Windows Media Player Security Patch.to WMP Versions 6.4, 7.0 or 7.1

When the Wmp64.sms package runs, this installation of the IIS 4.0 Security Rollup Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName WMP64.

You can run the following query to report on systems that successfully completed Step 2h

  • MST- All Windows 2000 Media Player Security Patch Success

Step 2i: IF the Version of Windows Media player is 7.0 Upgrade the Version to 7.1

The SMS query and collection is provided that will identify all computers running Windows 2000 machines that are running Windows Media Player 7.0.

  • MST(W2K)-Stage 10 All Windows 2000 Media Player 7.0

When the WMP71.sms package is run, a reboot is triggered. The installation of the Internet Explorer SP2 is imported into a table containing the QFE Update data with the IsInstalled value of 2 where the ProductName displays the appropriate Internet Explorer update.

You can run the following query to report on systems that successfully completed Step i.

  • MST-All Windows 2000 Media Player 7.1

Step 2j: Run Qchain

The QChain tool does not install any files on a system. QChain organizes the entries in the PendingFileRename registry key from the based on the specified updates. A rebooted is required for these registry changes to take affect.

How SMS Deploys Fixes to Windows NT 4.0

This section describes how SMS deploys security fixes to computers running Windows NT 4.0 SP3. These steps automate the manual steps that are described in the Guide to Baseline Security, which is included in the Security Tool Kit. It is recommended that you read these steps in conjunction with the steps described in the Guide to Baseline Security.

The following queries, collections, and packages are provided in the Security Tool Kit for computers running Windows NT 4.0, or Windows NT 4.0 SP3.

Table 4 Queries, Collections, and Packages for Computers Running Windows NT 4.0

Steps Automated by SMS

SMS Query Name

SMS Collection Name

SMS Package Name

Success SMS Query Name

Prerequisite Step – Verify IIS Version is 3.0 or later using the FDIISnif Utility.

MST-All Windows NT 4.0 Servers
MST-All Windows NT 4.0 Servers

Not provided

MST:IIS Detect (from iidetect.sms)

All Windows NT 4.0 Servers FDIISnif Success
All Windows NT 4.0 Workstations FDIISnif Success

Pre-Requisite Step: Install either the Windows NT4.0 Server Option Pack or the Windows NT 4.0 Workstation Option Pack if IIS is installed and running.

All Windows NT 4.0 Workstations Running IIS
All Windows NT 4.0 Servers Running IIS

Not provided

Not provided

Not provided

Step 2a: Install Windows NT 4.0 Service Pack 6a

MST(NT4Svr) – Stage 1 Windows NT 4.0 Servers not running SP6a
MST(NT4Wks) – Stage 1 Windows NT 4.0 Workstations not Running SP6a

Same as the queries

Service Pack 6 Microsoft Windows NT 4.0 (from Nt4sp6.pdf)

MST(NT4Svr)- Stage 2 Windows NT 4.0 Servers running SP6a
MST(NT4Wks) – Stage 2 Windows NT 4.0 Workstations Running SP6a

Step 2b: Verify Need for 305228 Updates.
Note Do not proceed with this step until you have verified that your computers are affected by 305228.

MST(NT4Svr)-Stage 3 Windows NT 4.0 IIS Servers – Smart Array Controllers
MST(NT4Wks)-Stage 3 Windows NT 4.0 IIS Workstations – Smart Array Controllers

Not provided

Not provided

Not provided

Step 2c: Install the Windows NT 4.0 Security Roll-up Package 1

MST(NT4Svr)- Stage 2 Windows NT 4.0 Servers running SP6a
MST(NT4Wks) – Stage 2 Windows NT 4.0 Workstations Running SP6a

Same as the queries

MST:NT Security Rollup (from Q29944i.sms)

MST(NT4Svr)-Stage 4 All Windows NT 4.0 Servers Security Rollup Success
MST(NT4Wks)-Stage 4 All Windows NT 4.0 Workstations Security Rollup Success

Step 2d: Install the Windows NT 4.0 Security Patch
(307866i)

MST(NT4Svr)-Stage 4 All Windows NT 4.0 Servers Security Rollup Success
MST(NT4Wks)-Stage 4 All Windows NT 4.0 Workstations Security Rollup Success

Same as the queries

MST:IIS NT4 Security Rollup Patch (from Q 307866i.sms)

MST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 307866i Success
MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 307866i Success

Step 2e: Install the Windows NT 4.0 Security Patch
(307866i) a Second Time

MST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 307866i Success
MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 307866i Success

Same as the queries

MST:IIS NT4 Security Patch (from 307866i.sms)

MST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 307866i Success
MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 307866i Success

Step 2f: Install the Invalid Digital Signature 305929i Patch

MST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 307866i Success
MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 307866i Success

Same as the queries

MST:Invalid Digital Signature (from 305929i.sms)

MST(NT4Svr)-Stage 6 All Windows NT 4.0 Servers 305929i Apply Success
MST(NT4Wks)-Stage 6 All Windows NT 4.0 Workstations Apply 305929i

Step 2g: Install the IIS 4.0 Security Roll up Patch

MST(NT4Svr)-Stage 6 All Windows NT 4.0 Servers 305929i Apply Success
MST(NT4Wks)-Stage 6 All Windows NT 4.0 Workstations Apply 305929i

Same as the queries

MST:IIS NT4 Security Rollup Package (from 301625i.sms)

MST(NT4Svr)-Stage 7 All Windows NT 4.0 Servers Apply 301625i Success
MST(NT4Wks)-Stage 7 All Windows NT 4.0 Workstations Apply 301625i Success

Step 2h: Run Qchain (This will cause the computer to restart)

MST(NT4Svr)-Stage 7 All Windows NT 4.0 Servers Apply 301625i Success
MST(NT4Wks)-Stage 7 All Windows NT 4.0 Workstations Apply 301625i Success

Not provided

MST:QChain (from Qchain.sms)

Not provided

Step 2i: Run the IE Version Detection Utility

Not Applicable

Not applicable

MST:IE Detect (from iedetect.sms)

MST-All Windows NT 4.0 Servers FDIESnif Success
MST-All Windows NT 4.0 Workstations FDIESnif Success

Step 2j: Install Internet Explorer 5.01 SP2 or 5.5 SP2

MST(NTSvr)-Stage 8 All Windows NT 4.0 Servers no Updated IE
MST(NTWKS)-Stage 8 All Windows NT 4.0 Workstations No Updated IE

Same as the queries

MST:Internet Explorer 5.01 SP2 or MST:Internet Explorer 5.5 SP2 (from ie501sp2.sms or ie55sp2.sms)

MST(NT4 Svr)-Stage 9 All Windows NT 4.0 Servers Updated IE
MST(NT4 Wks)-Stage 9 All Windows NT 4.0 Workstations Updated IE

Step 2k: Run WMPSnif to determine installed version of Windows Media Player

MST(NT4 Svr)-Stage 9 All Windows NT 4.0 Servers Updated IE
MST(NT4 Wks)-Stage 9 All Windows NT 4.0 Workstations Updated IE

Not provided

MST:WMP Detect (from mpdetect.sms)

MST All Windows NT 4.0 Servers WMPSnif Success
MST All Windows NT 4.0 Workstation WMPShif Success

Step 2l: Install the Windows Media Player 6.4 Patch

MST(NT4Svr)-Stage 10 All Windows NT 4.0 Server Media Player need Patch
MST(NT4Wks)-Stage 10 All Windows NT 4.0 Workstation Media Player Need Patch

Same as the queries

Wmp64.sms

MST- All Windows NT 4.0 Servers Media Player Security Patch Success
MST-All Windows NT 4.0 Workstations Media Player Security Patch Success

Prerequisite Step – Verify IIS Version is 3.0 or later

The IIS Version Detection Utility is a tool created by the SMS team to assist administrators in identifying the version of Internet Explorer that is running on systems, without enabling software inventory. The SMS queries and collections are provided that identifies all Windows NT 4.0 Server computers and Windows NT 4.0 Workstation computers that are running IIS.

  • All Windows NT 4.0 Servers Running IIS

  • All Windows NT 4.0 Workstations Running IIS

After the utility runs on the targeted systems, the following queries can be run to report on systems that have successfully completed running the IIS Version Detection Utility.

  • All Windows NT 4.0 Servers FIIESnif Success

  • All Windows NT 4.0 Workstations FIIESnif Success

Pre-Requisite Step - Install either the Windows NT 4.0 Server Option Pack or the Windows NT 4.0 Workstation Option Pack if IIS is installed and running.

This step currently needs to be performed manually. However, SMS provides the following queries to identify which Windows NT 4.0 Server or Workstation computers are running IIS, so that you can target them for deploying either Option Pack.

  • All Windows NT 4.0 Servers Running IIS

  • All Windows NT 4.0 Workstations Running IIS

Step 2a: Windows NT 4.0 Service Pack 6a

The SMS queries and collections are provided that identify all Windows NT 4.0 computers that are not running Service Pack 6a. The queries and collections are:

  • MST(NT4Svr) – Stage 1 Windows NT 4.0 Servers not running SP6a

  • MST(NT4Wks) – Stage 1 Windows NT 4.0 Workstations not Running SP6a

The nt4sp6mst.sms package targets these collections and installs Windows NT 4.0 Service Pack 6a. When this package runs, it triggers a reboot.

The installation of Windows NT 4.0 SP6a updates the CSD version field in the operating system class provided by SMS hardware inventory. When hardware inventory runs at its next scheduled interval, this information is updated in the SMS database. This update to the SMS database and the subsequent update of the collections causes the resources to report to either the All Windows NT 4.0 Servers running SP6a collection or the All Windows NT 4.0 Workstations running SP6a collection. These collections are then available as targets for the Windows NT 4.0 Security Rollup Package.

Note: A package, Kickhinv.sms, is included that can force a hardware inventory schedule to occur immediately for a particular client.

You can run the following queries to report on systems that successfully completed Step 2a.

  • MST(NT4Svr) – Stage 2 Windows NT 4.0 Servers running SP6a

  • MST(NT4Wks) – Stage 2 Windows NT 4.0 Workstations Running SP6a

Step b: Verify Need for 305228 Updates

Warning: Do not proceed with this step until you have verified that your systems are affected by 305228.

The following queries are provided so that you can easily identify any computers that are affected by Knowledge Base article 305228. These queries target all Windows NT 4.0 Server, Windows NT 4.0 Terminal Server Edition, and Windows NT 4.0 Workstation computers running IIS and that have installed the Smart Array Controllers from Knowledge Base article 305228.

  • MST Windows NT 4.0 IIS Servers – Smart Array Controllers

  • MST Windows NT 4.0 IIS Workstations – Smart Array Controllers

Step 2c: Windows NT 4.0 Security Rollup Package 1

SMS queries and collections are provided that identify all computers running Windows NT 4.0 SP6a and IIS, as determined by detecting the IIS Admin service and the Windows NT 4.0 Service Pack 6a installation. The queries and collections are:

  • MST(NT4Svr) – Stage 2 Windows NT 4.0 Servers running SP6a

  • MST(NT4Wks) – Stage 2 Windows NT 4.0 Workstations Running SP6a

When the 299444i.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 Security Rollup Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 299444i. This indicates the Windows NT 4.0 Security Rollup Package has successfully run.

You can run the following queries to report on systems that successfully completed Step 2b.

  • MST(NT4Svr)-Stage 3 All Windows NT 4.0 Servers Security Rollup Success

  • MST(NT4Wks)-Stage 3 All Windows NT 4.0 Workstations Security Rollup Success

Step 2d: Windows NT 4.0 Security Patch 307866

SMS queries and collections are provided that identify all computers running Windows NT 4.0 SP6a and IIS, as determined by detecting the IIS Admin service and the Windows NT 4.0 Service Pack 6a installation. The queries and collections are:

  • MST(NT4Svr)-Stage 4 All Windows NT 4.0 Servers Security Rollup Success

  • MST(NT4Wks)-Stage 4 All Windows NT 4.0 Workstations Security Rollup Success

When the 307866i.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 Security Rollup Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 307866i. This indicates the Windows NT 4.0 Security Rollup Package has successfully run.

You can run the following queries to report on systems that successfully completed Step 2d.

  • MST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 307866i Success

  • MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 307866i Success

Step 2e: Windows NT 4.0 Security Patch 307866i, again.

SMS queries and collections are provided that identify all computers running Windows NT 4.0 SP6a and IIS, as determined by detecting the IIS Admin service and the Windows NT 4.0 Service Pack 6a installation. The queries and collections are:

  • MST(NT4Svr)-Stage 4 All Windows NT 4.0 Servers Security Rollup Success

  • MST(NT4Wks)-Stage 4 All Windows NT 4.0 Workstations Security Rollup Success

When the 307866i.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 Security Rollup Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 307866i. This indicates the Windows NT 4.0 Security Rollup Package has successfully run.

You can run the following queries to report on systems that successfully completed Step 2e.

  • MST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 307866i Success

  • MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 307866i Success

Step 2f: Invalid Digital Signature 305929i Patch

SMS queries and collections are provided that install the 305929i patch on all computers running Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT Server 4.0 Enterprise Edition. The following collections provided are based on queries of the same name that target all computers running Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT Server 4.0 Enterprise Edition with the Windows NT 4.0 Security Rollup installed.

  • MST(NT4Svr)-Stage 3 All Windows NT 4.0 Servers Security Rollup Success

  • MST(NT4Wks)-Stage 3 All Windows NT 4.0 Workstations Security Rollup Success

When the 305929i.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 305929i Patch Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 305929i. This indicates that the package has successfully run.

You can run the following queries to report on systems that successfully completed Step 2f.

  • MST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 305929i Success

  • MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 305929i Success

Step 2g: IIS 4.0 Security Rollup Patch

SMS queries and collections are provided that target all computers running Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT Server 4.0 Enterprise Edition to install the IIS 4.0 Security Rollup Package. The following collections provided are based upon queries of the same name that targets all Windows NT 4.0 Workstation, Windows NT 4.0 Server, and Windows NT Server 4.0 Enterprise Edition computers running IIS (as determined by detecting the IIS Admin service and Windows NT 4.0 Security Rollup Patch installation).

When the 301625i.sms package runs, it triggers a reboot. This installation of the IIS 4.0 Security Rollup Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 301625i.

You can run the following queries to report on systems that successfully completed Step 2g.

  • MST(NT4Svr)-Stage 6 All Windows NT 4.0 Servers Apply 301625i Success

  • MST(NT4Wks)-Stage 6 All Windows NT 4.0 Workstations Apply 301625i Success

Step 2h: Installing and Running QChain

The QChain tool does not install any files on a system. QChain organizes the entries in the PendingFileRename registry key from the based on the specified updates. A rebooted is required for these registry changes to take affect.

Step 2i: IE Version Detection Utility

The IE Version Detection Utility is a utility created by the SMS team to assist administrators in identifying the version of Internet Explorer that is running on systems, without enabling software inventory.

When the iedetect.sms package runs, it updates a table containing the QFE Update data with the IsInstalled value of 2 with the UpdateID of FDIESnif. The description field displays the version of Internet Explorer detected by the utility.

After the utility runs on the targeted systems, you can run the following queries to report on systems that have successfully completed running the IIS Version Detection Utility.

  • MST-All Windows NT 4.0 Servers FDIESnif Success

  • MST-All Windows NT 4.0 Workstations FDIESnif Success

Step j: Install Internet Explorer 5.01 SP2 or Internet Explorer 5.5 SP2

SMS queries and collections are provided that will identify all computers running Windows NT 4.0 Workstation, Windows NT 4.0 Server, and Windows NT Server 4.0 Enterprise Edition that do not have either Internet Explorer 5.01 SP2 or Internet Explorer 5.5 SP2. The queries and collections are:

  • MST(NTSvr)-Stage 6 All Windows NT 4.0 Servers no Updated IE

  • MST(NTWKS)-Stage 6 All Windows NT 4.0 Workstations No Updated IE

When either the ie501sp2.sms package or the ie55sp2.sms runs, a reboot is triggered. The installation of either Service Pack 2 is imported into a table containing the QFE Update data with the IsInstalled value of 2 where the ProductName displays the appropriate Internet Explorer update.

You can run the following queries to report on systems that successfully completed Step j.

  • MST(NTSvr)-Stage 7 All Windows NT 4.0 Servers Updated IE

  • MST(NTWKS)-Stage 7 All Windows NT 4.0 Workstations Updated IE

Step 2k: Windows Media Player Detection Utility

The Windows Media Player Detection Utility is a utility created by the SMS team to assist administrators in identifying the version of Media Player that is running on systems, without enabling software inventory.

When mpdetect.sms package runs, it updates a table containing the QFE Update data with the IsInstalled value of 2 with the UpdateID of MPIESnif. The description field displays the version of Windows Media Player detected by the utility.

After the utility runs on the targeted systems, you can run the following queries to report on systems that have successfully completed running the Windows Media Player Detection Utility.

  • MST-All Windows NT 4.0 Servers MPIESnif Success

  • MST-All Windows NT 4.0 Workstations MPIESnif Success

  • Step 2l: Install the Windows Media Player 6.4 Patch

SMS queries and collections are provided that install the Media Player Security patch on all computers running Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT Server 4.0 Enterprise Edition. The following collections provided are based on queries of the same name that target all computers running Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT Server 4.0 Enterprise Edition with the Windows NT 4.0 Security Rollup installed.

  • MST(NT4Svr)-Stage 11 All Windows NT 4.0 Server Media Player 6.4

  • MST(NT4Wks)-Stage 11 All Windows NT 4.0 Workstation Media Player 6.4

When the wmp64.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 Windows Media Play Patch Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName Wmp64.sms. This indicates that the package has successfully run.

You can run the following queries to report on systems that successfully completed Step 2f.

  • MST- All Windows NT 4.0 Servers Media Player Security Patch Success

  • MST-All Windows NT 4.0 Workstations Media Player Security Patch Success

How SMS Deploys Fixes to Windows NT Server 4.0, Terminal Server Edition

This section describes how SMS deploys security fixes to computers running Windows NT 4.0 Terminal Server. These steps automate the manual steps that are described in the Guide to Baseline Security, which is included in the Security Tool Kit. It is recommended that you read these steps in conjunction with the steps described in the Guide to Baseline Security.

The following queries, collections, and packages are provided in the Security Tool Kit for computers running Windows NT 4.0 Terminal Server

Table 5 Queries, Collections, and Packages for Computers Running Windows NT 4.0 Terminal Server Edition

Steps automated by SMS

SMS Query Name

SMS Collection Name

SMS Package Name

Success SMS Query Name

Step 2a: Install Windows NT 4.0 Terminal Server Edition Service Pack 6

MST(NT4TS) –Stage 1 Windows NT 4.0 Terminal Servers that are not at Service Pack 6

Same as the query

TSSPA6.sms

MST(NT4TS) –Stage 2 Windows NT 4.0 IIS and Terminal Servers Running Pack 6

Step 2b: Install the 265714 for Terminal Server Edition (MS00-095)

MST(NT4TS) –Stage 2 Windows NT 4.0 IIS and Terminal Servers Running Pack 6

Same as the query

265714i.sms

MST(NT4TS) –Stage 3 All Windows NT 4.0 Servers apply 265714 Success

Step 2c:Install the 266433 for Terminal Server Edition (MS00-070)

MST(NT4TS) –Stage 3 All Windows NT 4.0 Servers apply 265714 Success

Same as the query

266433i.sms

MST(NT4TS) –Stage 4 All Windows NT 4.0 Servers apply 266433 Success

Step 2d: Install the 269049 for Terminal Server Edition (MS00-052)

MST(NT4TS) –Stage 4 All Windows NT 4.0 Servers apply 266433 Success

Same as the query

269049i.sms

MST(NT4TS) –Stage 5 All Windows NT 4.0 Servers apply 269049 Success

Step 2e: Install the 280119 for Terminal Server Edition (MS01-008)

MST(NT4TS) –Stage 5 All Windows NT 4.0 Servers apply 269049 Success

Same as the query

280119i.sms

MST(NT4TS) –Stage 6 All Windows NT 4.0 Terminal Servers Updated Success.

Step 2f: Install the critical security fix Qchain package

MST(NT4TS) –Stage 6 All Windows NT 4.0 Terminal Servers Updated Success.

Same as the query

Qchain.sms

Not provided

Step 2g: Run the IE version detection utility

MST(NT4TS) –Stage 6 All Windows NT 4.0 Terminal Servers Updated Success

Same as the query

iedetect.sms

All NT 4.0 Terminal Servers FDIESnif Success

Step 2h: Install 5.01 SP2 or 5.5 SP2

MST(NT4TS) –Stage 7 All Windows NT 4.0 Terminal Servers No Updated IE

Same as the query

ie501sp2.sms or ie55sp2.sms

MST(NT4TS) –Stage 8 All Windows NT 4.0 Terminal Servers Updated IE

Step 2i: Run WMPSnif to determine installed version of Windows Media Player

MST(NT4 Svr)-Stage 9 All Windows NT 4.0 Terminal Servers Updated IE

Not provided

MST:WMP Detect (from mpdetect.sms)

MST All Windows NT 4.0 Terminal Servers WMPSnif Success

Step 2j: Install the Windows Media Player 6.4 Patch

MST(NT4Svr)-Stage 10 Windows NT 4.0 Terminal Server Media Player need Patch

Same as the query

Wmp64.sms

MST- Windows NT 4.0 Terminal Servers Media Player Security Patch Success

Step 2a: Install Windows NT 4.0 Terminal Server Edition Service Pack 6

The SMS query and collections provided identifies all Windows NT 4.0 Terminal Server computers that are not running Service Pack 6. The query and collection are:

  • All Windows NT 4.0 Terminal Servers not running SP6

The TSSPA6.sms package targets these collections and installs Windows NT 4.0 Service Pack 6. When this package runs, it triggers a reboot.

The installation of Windows NT 4.0 SP6 updates the CSD version field in the operating system class provided by SMS hardware inventory. When hardware inventory runs at its next scheduled interval, this information is updated in the SMS database. This update to the SMS database, and the subsequent update of the collections, causes the resources to report to either the All Windows NT 4.0 Servers running SP6 collection or the All Windows NT 4.0 Workstations running SP6 collection. These collections are then available as targets for the next step.

Note: A package, Kickhinv.sms, is included that can force a hardware inventory schedule to occur immediately for a particular client.

You can run the following query to report on systems that successfully completed Step 2a.

  • All Windows NT 4.0 Servers running SP6

Step 2b: Install the 265714 for Terminal Server Edition (MS00-095)

The SMS query and collection provided install the 265714 patch on all computers running Windows NT 4.0 Terminal Server. The following collection is provided based on the query of the same name that target all computers running Windows NT 4.0 Terminal Server.

  • All Windows NT 4.0 Servers Terminal Server that are at SP6

When the 265714i.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 265714i Patch Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 265714i. This indicates that the package has successfully run.

You can run the following query to report on systems that successfully completed Step 2b.

  • All Windows NT 4.0 Servers apply 265714 Success

Step 2c: Install the 266433 for Terminal Server Edition (MS00-070)

The SMS query and collection provided install the 266433 patch on all computers running Windows NT 4.0 Terminal Server. The following collection is provided based on the query of the same name that targets all computers running Windows NT 4.0 Terminal Server with 265714 successfully applied.

  • All Windows NT 4.0 Servers apply 265714 Success

When the 266433i.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 266433i Patch Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 266433i. This indicates that the package has successfully run.

You can run the following query to report on systems that successfully completed Step 2c.

  • All Windows NT 4.0 Servers apply 266433 Success

Step 2d: Install the 269049 for Terminal Server Edition (MS00-052)

The SMS query and collection provided install the 269049 patch on all computers running Windows NT 4.0 Terminal Server. The following collection is provided based on the query of the same name that targets all computers running Windows NT 4.0 Terminal Server with 266433 successfully applied.

  • All Windows NT 4.0 Servers apply 266433 Success

When the 269049i.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 269049i Patch Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 269049i. This indicates that the package has successfully run.

You can run the following query to report on systems that successfully completed Step 2d.

  • All Windows NT 4.0 Servers apply 269049 Success

Step 2e: Install the 280119 for Terminal Server Edition (MS01-008)

The SMS query and collection provided install the 280119 patch on all computers running Windows NT 4.0 Terminal Server. The following collection is provided based on the query of the same name that targets all computers running Windows NT 4.0 Terminal Server with 269049 successfully applied.

  • All Windows NT 4.0 Servers apply 269049 Success

When the 280119i.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 280119i Patch Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 280119i. This indicates that the package has successfully run.

You can run the following query to report on systems that successfully completed Step 2e.

  • All Windows NT 4.0 Servers apply 280119 Success

Step 2f: Installing and Running QChain

The QChain tool does not install any files on a system. QChain organizes the entries in the PendingFileRename registry key from the based on the specified updates. A rebooted is required for these registry changes to take affect.

Step 2g: IE Version Detection Utility

The IE Version Detection Utility is a utility created by the SMS team to assist administrators in identifying the version of Internet Explorer that is running on systems, without enabling software inventory.

When iedetect.sms package runs, it updates a table containing the QFE Update data with the IsInstalled value of 2 with the UpdateID of FDIESnif. The description field displays the version of Internet Explorer detected by the utility.

After the utility runs on the targeted systems, you can run the following queries to report on systems that have successfully completed running the IIS Version Detection Utility.

  • All Windows NT 4.0 Terminal Servers FDIESnif Success

Step 2h: Install Internet Explorer 5.01 SP2 or Internet Explorer 5.5 SP2

The SMS query and collection provided will identify all computers running Windows NT Server 4.0 Terminal Server that do not have either Internet Explorer 5.01 SP2 or 5.5 SP2. The query and collection are:

  • All Windows NT 4.0 Terminal Servers No Updated IE

When either the ie501sp2.sms package or the ie55sp2.sms runs, a reboot is triggered. The installation of Internet Explorer with SP2 is imported into a table containing the QFE Update data with the IsInstalled value of 2 where the ProductName displays the appropriate Internet Explorer update.

You can run the following query to report on systems that successfully completed Step 2h.

  • All Windows NT 4.0 Terminal Servers Updated IE

Step 2i: Windows Media Player Detection Utility

The Windows Media Player Detection Utility is a utility created by the SMS team to assist administrators in identifying the version of Media Player that is running on systems, without enabling software inventory.

When mpdetect.sms package runs, it updates a table containing the QFE Update data with the IsInstalled value of 2 with the UpdateID of MPIESnif. The description field displays the version of Windows Media Player detected by the utility.

After the utility runs on the targeted systems, you can run the following query to report on systems that have successfully completed running the Windows Media Player Detection Utility.

  • MST-All Windows NT 4.0 Terminal Servers MPIESnif Success

Step 2j: Install the Windows Media Player 6.4 Patch

SMS queries and collections are provided that install the Media Player Security patch on all computers running Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT Server 4.0 Enterprise Edition. The following collections provided are based on queries of the same name that target all computers running Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT Server 4.0 Enterprise Edition with the Windows NT 4.0 Security Rollup installed.

  • MST(NT4Svr)-Stage 11 Windows Terminal Server NT 4.0 Server Media Player 6.4

When the wmp64.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 Windows Media Play Patch Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName Wmp64.sms This indicates that the package has successfully run.

You can run the following query to report on systems that successfully completed Step 2j.

  • MST- Windows NT 4.0 Terminal Servers Media Player Security Patch Success

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.