Using Systems Management Server 2.0 to Deploy Security Tool Kit Fixes

Introduction

Note: This document assumes you already have an SMS infrastructure in place and you know how to use Systems Management Server to distribute software.

To automate the distribution and installation of the recommended Internet Information Services (IIS) security fixes to Windows 2000 Professional, Windows 2000 Server and Windows 2000 Advanced Server, and Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT Server 4.0 Enterprise Edition, Microsoft has supplied a set of queries and package definition files in the SMS directory of the Microsoft Security Tool Kit compact disc. SMS can help you determine which computers need the security fixes, and then deploy the fixes to the appropriate resources. The objects that the Systems Management Server (SMS) team has built can be imported into an existing SMS 2.0 hierarchy to help facilitate the deployment of these security fixes and ensure that your environment complies with Microsoft recommendations.

The steps described in this document automate manual steps that are described in the Guide to Baseline Security, which is included in the Microsoft Security Tool Kit. It is recommended that you read this document in conjunction with the steps described in the Guide to Baseline Security.

Note: Due to the dynamic nature of the security fixes, this document may not provide automated steps for all security fixes provided in the Security Tool Kit. For the latest information about using SMS to deploy security fixes, see the Security Tool Kit Release Notes on the Microsoft Web site at: https://support.microsoft.com/default.aspx?scid=KB;EN-US;309536&sd=tech

SMS Tools Provided with the Security Tool Kit

The following SMS tools are included on the Security Tool Kit compact disc.

Table 1 SMS Tools Included with the Security Tool Kit

Tool Name: Microsoft Security Tool Kit Import Utility
Location: Included with the Security Tool Kit
Files: MSTImport.exe
Description: Enables you to import all collection objects necessary to deploy the security fixes in an SMS infrastructure. It accesses multiple text files, for example MST Queries.txt, to build the Collection tree.

Tool Name: Forced Determination of Internet Explorer Version
Location: Included with the Security Tool Kit
Files: FDIESniffer.exe
Description: SMS Installer executable file used to detect the current version of Internet Explorer. It generates a NOIDMIF containing the value of HKLM: Software\Microsoft\Internet Explorer\IEVERS, and then triggers SMS Hardware Inventory to collect the resulting MIF.

Tool Name: Forced Determination of IIS Version 3.0 or Above
Location: Included with the Security Tool Kit
Files: FDIISniffer.exe
Description: SMS Installer executable file used to detect the current version of Internet Explorer. It generates a NOIDMIF containing the HKLM: Software\Microsoft\IIVERS. It then triggers a hardware inventory cycle to collect the resulting MIF.

Tool Name: Forced Determination of Windows Media Player Version
Location: Included with the Security Tool Kit
Files: FDWMSniffer.exe
Description: SMS Installer executable file used to detect the current version of Internet Explorer. It generates up to 3 NOIDMIFs:

  • WMPatch MIF: Denotes that the Windows Media 6.4 Patch is not installed.

  • WMVer.MIF: Reports the current version of Windows Media Player if it is 7.0 or greater.

  • WMError.MIF: Returned when the client does not have Windows Media Player 7.0 or greater.

Tool Name: Forced Determination Wrapper Tool
Location: Included with the Security Tool Kit
Files: FDWrapper.exe
Description: SMS Installer executable file used to "wrap" the execution of other fixes. This tool does the following:

  • Passes SMS the status of an update.

  • Generates a NOIDMIF.

  • Triggers a hardware inventory cycle to collect the NOIDMIF.

Tool Name: Forced Determination Wrapper Tool 2
Location: Included with the Security Tool Kit
Files: FDWrapper2.exe
Description: Special version of FDWrapper used to distribute the IIS 4.0 Security Update. This tool distributes that particular QFE support fix silently and suppresses the reboot. This tool also does the following:

  • Passes SMS the status of an update.

  • Generates a NOIDMIF.

  • Triggers a hardware inventory cycle to collect the NOIDMIF.

Tool Name: QChain
Location: Included with the Security Tool Kit
Files: QChain.exe
Description: Windows Sustained Engineering Team tool that ensures QFEs were applied in the correct order. After QChain verifies the order, the computer will reboot, which completes the process.

Files and Directories

SMS files are located in the SMS directory on the Security Tool Kit compact disc as follows. Note that many files in the SMS directory are also available in other directories on the compact disc.

SMS\
    Documentation\
        SMSDeploy.doc
    Forced Determination Wrapper(s)
        FDW2
            Fdwrapper2.exe
        FDISniffer.EXE
        FDIISSniffer.EXE
        FDWrapper.Exe
        WMPSniffer.EXE
    MSTImport
        MSTImport.Exe
    Package Definition Files
        Cun.sms
        IE501SP2.sms
        IE55SP2.sms
        Iedetect.sms
        Iidetect.sms
        kickhinv.sms
        nt4sp6.pdf
        265714i.sms
        269049i.sms
        280119i.sms
        279328.sms
        299444i.sms
        301625.sms
        301625i.sms
        305929i.sms
        307866i.sms
        QChain.sms
        SchemaMod.sms
        TSSP6.sms
        w2ksp2.sms
        wmp64.sms
        wmp71.sms
        wmpsnif.sms

Deploying Security Fixes Using SMS

You must perform the following steps to use SMS to deploy the Security Tool Kit fixes. These steps are described in detail in the following sections.

  • Step 1: Verifying Prerequisites

  • Step 2: Configuring SMS to Deploy the Security Tool Kit

  • Step 3: Monitoring Progress

Step 1: Verifying Prerequisites

Before you use Systems Management Server 2.0 to deploy the Security Tool Kit, your site and all child sites must meet the following criteria:

  • Your hierarchy must be running SMS 2.0 Service Pack 3 (SP3) or later.

  • If you are planning to deploy Windows NT 4.0 Terminal Server SP3, the following SMS 2.0 SP3 hot fix must be applied to your site:

    • 309437 SMS 2.0 SP3: client components fail to start after upgrading Windows NT 4.0 Terminal Server Edition SP3 to SP6
  • The Advertised Programs Client Agent must be enabled and installed in your hierarchy.

  • The Hardware Inventory Client Agent must be enabled and installed in your hierarchy.

Note: If you are using IntelliPoint mouse devices earlier than version 2.2, read Knowledge Base article 305462 on the Microsoft Support Online Web site at https://support.microsoft.com/default.aspx?scid=KB;en-us;305462&sd=tech

Step 2: Configuring SMS to Deploy the Security Tool Kit

The queries and packages included with the Microsoft Security Tool Kit are designed and tested to work with SMS 2.0 SP3 or later.

In an effort to structure the deployment process most effectively, the utilities that SMS provides are designed so that a series of related collections are created in the targeted SMS 2.0 site. These objects can be imported into any primary site of an SMS 2.0 hierarchy. The fixes must be deployed throughout the hierarchy. As a result, it is recommended that you import or create the objects at the point in the SMS hierarchy that has the largest number of potentially affected resources reporting up to it. (This should be the central site, unless there is a specifically designated reporting site at the top of the hierarchy that does not have administrative control from the site.) Note that the new collections created will be replicated throughout the hierarchy from the site at which they were imported, down through all child sites.

The series of collections resulting from importing the collection objects enable administrators to view the status of their hierarchy and determine where the appropriate updates from the Microsoft Security Tool Kit must be applied. These collections can be used for targeting the resources that require the appropriate updates. The required updates are contained in the packages that were either imported or manually created. Programs exist within these packages that refer to the appropriate updates to be targeted to a collection.

In order to deploy the security fixes, you must perform the following steps.

  1. Import collections, queries, and packages using the Microsoft Security Tool Kit Import Utility provided with the Security Tool Kit.

  2. Assign a distribution point to each package that requires distribution in your hierarchy. See the SMS product documentation for more information about how to assign distribution points to packages.

  3. Create advertisements to target particular programs to specific collections. This is the most critical step for deploying the security updates, because advertisements must target the correct program to the appropriate collection in order for the updates to be successfully deployed. Note that you can schedule advertisements to run at a time that is most convenient for your organization.

Note: All collections and packages related to the SMS deployment of the security fixes are prefixed with MST, so you can easily identify the objects that are created on your system.

Importing SMS Objects Using the MSTImport Tool

To import the objects needed to deploy the security fixes, run the Microsoft Security Tool Kit Import Utility (MSTImport.exe) provided in the SMS directory of the Microsoft Security Tool Kit compact disc. After you run the utility, the following collections, queries, and packages will be available in the SMS hierarchy. Only collections will be replicated through the hierarchy. Queries will not be replicated. If the queries are needed at the lower sites, then you will need to run the MSTImport.exe utility at the child sites to import queries.

Note: Prior to running MSTImport.exe utility, it is recommended that you review 295157: The Microsoft BackOffice Server 4.5 Resource Kit utilities, Preinst.exe and Delgrp.exe, may return errors when they are run on Systems Management Server (SMS) running Microsoft SQL Server 2000. The problem described in this KB article can occur because the default client network protocol was changed from Named Pipes in Microsoft SQL Server 7.0 (and earlier) to TCP/IP in SQL Server 2000. These errors occur when running the MSTImport tool if SQL Server Authentication is selected. As a result of these errors, the Queries Import phase of this tool will fail, although the collections are successfully created.

Queries

  • MST-All Windows 2000 Computers
  • MST(Win2K)-Stage 1 All Win2K Computers Not Running SP2
  • MST(Win2K)-Stage 2 All Win2K Computers Running SP2
  • MST(Win2K)-Stage 3 All Win2K Computers Running IIS
  • MST(Win2K)-Stage 4 All Win2K Computers Apply 301625 Success
  • MST(Win2K)-Stage 5 All Win2K Computers FDIESnif Success
  • MST(Win2K)-Stage 6 All Windows 2000 Computers No Updated IE
  • MST(Win2K)-Stage 7 All Win2K Computers Updated IE
  • MST(Win2K)-Stage 8 All Win2K Computers Update Success
  • MST All Windows 2000 WMPSniff Success
  • MST(Win2k)-Stage 9 All Windows 2000 Media Player need Patch
  • MST(Win2k)-Stage 10 All Windows 2000 Media Player 7.0
  • MST All Windows 2000 Media Player 7.1
  • MST All Windows 2000 Media Player Security Patch Success
  • MST-All Windows NT 4.0 Servers
  • MST-All Windows NT 4.0 Servers Running IIS
  • MST-All Windows NT 4.0 Servers FDIESnif Success
  • MST-All Windows NT 4.0 Servers No Updated IE
  • MST(NT4Svr)-Stage 1 All Windows NT 4.0 Servers Not Running SP6
  • MST(NT4Svr)-Stage 2 All Windows NT 4.0 Servers Running SP6a
  • MST(NT4Svr)-Stage 3 Windows NT 4.0 IIS Servers-Smart Array Controllers
  • MST(NT4Svr)-Stage 4 All Windows NT 4.0 Servers Security Rollup Success
  • ST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 307866i Success
  • MST(NT4Svr)-Stage 6 All Windows NT 4.0 Servers Apply 305929 Success
  • MST(NT4Svr)-Stage 7 All Windows NT 4.0 Servers Apply 301625i Success
  • MST(NT4Svr)-Stage 8 All Windows NT 4.0 Servers N0 Updated IE
  • MST(NT4Svr)-Stage 9 All Windows NT 4.0 Servers Updated IE
  • MST(NT4Svr)-Stage 10 All Windows NT 4.0 Servers Update Success
  • MST(NT4Svr)-Stage 11 Windows NT 4.0 Server Media Player Need Patch
  • MST-All Windows NT 4.0 Workstations
  • MST-All Windows NT 4.0 Workstations Running IIS
  • MST-All Windows NT 4.0 Workstations FDIESnif Success
  • MST-All Windows NT4.0 Workstations Media Player Security Patch Success
  • MST(NT4Wks)-Stage 1 All Windows NT 4.0 Workstations Not running SP6a
  • MST(NT4Wks)-Stage 2 All Windows NT 4.0 Workstations Running SP6a
  • MST(NT4Wks)-Stage 3 Windows NT 4.0 IIS Workstations-Smart Array Controllers
  • MST(NT4Wks)-Stage 4 All Windows NT 4.0 Workstations Security Rollup Success
  • MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 305929 Success
  • MST(NT4Wks)-Stage 6 All Windows NT 4.0 Workstations Apply 301625i Success
  • MST(NT4Wks)-Stage 7 All Windows NT 4.0 Servers Apply 307866i Success
  • MST(NT4Wks)-Stage 8 All Windows NT 4.0 Workstations No Updated IE
  • MST(NT4Wks)-Stage 9 All Windows NT 4.0 Workstations Updated IE
  • MST(NT4Wks)-Stage 10 All Windows NT 4.0 Workstations Update Success
  • MST(NT4Wks)-Stage 11 Windows NT 4.0 Workstation Media Player Need Patch
  • MST(NT4TS)-Stage 1 All Windows NT 4.0 Terminal Servers Not Running SP6
  • MST(NT4TS)-Stage 2 All Windows NT 4.0 IIS and Terminal Servers Running SP6
  • MST(NT4TS) –Stage 3 All Windows NT 4.0 Terminal Servers apply 265714 Success
  • MST(NT4TS) –Stage 4 All Windows NT 4.0 Terminal Servers apply 266433 Success
  • MST(NT4TS) –Stage 5 All Windows NT 4.0 Terminal Servers apply 269049 Success
  • MST(NT4TS) –Stage 6 All Windows NT 4.0 Terminal Servers Updated Success. (This Query should be a rollup of all 4 QFEs)
  • MST(NT4TS) –Stage 7 All Windows NT 4.0 Terminal Servers No Updated IE
  • MST(NT4TS)-Stage 8 All Windows NT 4.0 Terminal Servers Updated IE
  • MST(NT4Svr)-Stage 9 Windows NT 4.0 Terminal Server Media Player need Patch
  • MST- Windows NT 4.0 Terminal Servers Media Player Security Patch Success
  • MST - All Windows 2000 Computers Apply 301625 Failed
  • MST - All Windows 2000 Computers FDIESnif Failed
  • MST - All Windows 2000 Computers Update Failed
  • MST - All Windows NT 4.0 Servers Apply 305929 Failed
  • MST - All Windows NT 4.0 Servers FDIESnif Failed
  • MST - All Windows NT 4.0 Servers Security Rollup Failed
  • MST - All Windows NT 4.0 Servers Update Failed
  • MST-All Windows NT4.0 Server Media Player Security Patch Success
  • MST - All Windows NT 4.0 Terminal Servers FDIESnif Failed
  • MST - All Windows NT 4.0 Terminal Servers QChain Failed
  • MST - All Windows NT 4.0 Terminal Servers Update Failed
  • MST - All Windows NT 4.0 Workstation Security Rollup Failed
  • MST - All Windows NT 4.0 Workstations Apply 305929 Failed
  • MST - All Windows NT 4.0 Workstations FDIESnif Failed
  • MST - All Windows NT 4.0 Workstations Update Failed
  • MST - All Windows NT 4.0 Workstations Apply 301625i Failed
  • MST - All Windows NT 4.0 Servers FDIISnif Failed
  • MST - All Windows NT 4.0 Servers Apply 301625i Failed
  • MST - All Windows NT 4.0 Workstations FDIISnif Failed

Collections

  • MST(Win2K)-Stage 1 All Win2K Computers Not Running SP2
  • MST(Win2K)-Stage 2 All Win2K Computers Running SP2
  • MST(Win2K)-Stage 3 All Win2K Computers Running IIS
  • MST(Win2K)-Stage 4 All Win2K Computers Apply 301625 Success
  • MST(Win2K)-Stage 5 All Win2K Computers FDIESnif Success
  • MST(Win2K)-Stage 6 All Windows 2000 Computers No Updated IE
  • MST(Win2K)-Stage 7 All Win2K Computers Updated IE
  • MST(Win2K)-Stage 8 All Win2K Computers Update Success
  • MST(Win2k)-Stage 9 All Windows 2000 Media Player need Patch
  • MST(Win2k)-Stage 10 All Windows 2000 Media Player 7.0
  • MST(NT4Svr)-Stage 1 All Windows NT 4.0 Servers Not Running SP6
  • MST(NT4Svr)-Stage 2 All Windows NT 4.0 Servers Running SP6a
  • MST(NT4Svr)-Stage 3 Windows NT 4.0 IIS Servers-Smart Array Controllers
  • MST(NT4Svr)-Stage 4 All Windows NT 4.0 Servers Security Rollup Success
  • MST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 307866i Success
  • MST(NT4Svr)-Stage 6 All Windows NT 4.0 Servers Apply 305929 Success
  • MST(NT4Svr)-Stage 7 All Windows NT 4.0 Servers Apply 301625i Success
  • MST(NT4Svr)-Stage 8 All Windows NT 4.0 Servers N0 Updated IE
  • MST(NT4Svr)-Stage 9 All Windows NT 4.0 Servers Updated IE
  • MST(NT4Svr)-Stage 10 All Windows NT 4.0 Servers Update Success
  • MST(NT4Wks)-Stage 1 All Windows NT 4.0 Workstations Not running SP6a
  • MST(NT4Wks)-Stage 2 All Windows NT 4.0 Workstations Running SP6a
  • MST(NT4Wks)-Stage 3 Windows NT 4.0 IIS Workstations-Smart Array Controllers
  • MST(NT4Wks)-Stage 4 All Windows NT 4.0 Workstations Security Rollup Success
  • MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 305929 Success
  • MST(NT4Wks)-Stage 6 All Windows NT 4.0 Workstations Apply 301625i Success
  • MST(NT4Wks)-Stage 7 All Windows NT 4.0 Servers Apply 307866i Success
  • MST(NT4Wks)-Stage 8 All Windows NT 4.0 Workstations No Updated IE
  • MST(NT4Wks)-Stage 9 All Windows NT 4.0 Workstations Updated IE
  • MST(NT4Wks)-Stage 10 All Windows NT 4.0 Workstations Update Success
  • MST(NT4TS)-Stage 1 All Windows NT 4.0 Terminal Servers Not Running SP6
  • MST(NT4TS)-Stage 2 All Windows NT 4.0 IIS and Terminal Servers Running SP6
  • MST(NT4TS) –Stage 3 All Windows NT 4.0 Terminal Servers apply 265714 Success
  • MST(NT4TS) –Stage 4 All Windows NT 4.0 Terminal Servers apply 266433 Success
  • MST(NT4TS) –Stage 5 All Windows NT 4.0 Terminal Servers apply 269049 Success
  • MST(NT4TS) –Stage 6 All Windows NT 4.0 Terminal Servers Updated Success. (This Query should be a rollup of all 4 QFEs)
  • MST(NT4TS) –Stage 7 All Windows NT 4.0 Terminal Servers No Updated IE
  • MST(NT4TS)-Stage 8 All Windows NT 4.0 Terminal Servers Updated IE
  • MST(NT4Svr)-Stage 9 Windows NT 4.0 Terminal Server Media Player need Patch
  • MST(NT4Svr)-Stage 11 Windows NT 4.0 Server Media Player need Patch
  • MST(NT4Wks)-Stage 11 Windows NT 4.0 Workstation Media Player Need Patch

After you have run the Microsoft Security Tool Kit Import Utility (MSTImport.exe), the following package definition files (.pdf or .sms ) are available for you to use to build packages using the Create Package from Definition wizard in the SMS Administrator console.

Table 2 Package Definition Files Included with the Security Tool Kit

Filename: nt4sp6.pdf
Package Created: Service Pack 6 Microsoft Windows NT 4.0
Programs Created: Update x86 Windows NT Version 4.0
Description: This package definition file imports the programs necessary to distribute Windows NT 4.0 Service Pack 6. For more information about this service pack, see: https://support.microsoft.com/default.aspx?scid=KB;en-us;246009&sd=tech

Filename: w2ksp2.sms
Package Created: Service Pack 2 for Windows 2000
Programs Created: Manual Update, Unattended Update
Description: This package definition file imports the programs necessary to distribute Windows 2000 Service Pack 2.

Filename: IIdetect.sms
Package Created: MST:II Detect
Programs Created: MST:Detect
Description: This package definition file imports the program necessary to distribute a utility that can be used to determine the version of IIS running on Windows NT Server 4.0 and Windows NT 4.0 Workstation.

Filename: iedetect.sms
Package Created: MST:IE Detect
Programs Created: MST:Detect
Description: This package definition file imports the programs necessary to distribute a tool that can be used to determine the version of Internet Explorer.

Filename: IE501SP2.sms
Package Created: MST:Internet Explorer 5.01 Service Pack 2
Programs Created: MST:Required Update
Description: This package definition file imports the program necessary to distribute Internet Explorer 5.01 Service Pack 2. For more information about this service pack, see: https://support.microsoft.com/default.aspx?scid=kb;en-us;267954&sd=tech

Filename: IE55SP2.sms
Package Created: MST:Internet Explorer 5.5 SP2
Programs Created: MST:Required Update
Description: This package definition file imports the program necessary to distribute Internet Explorer 5.5 Service Pack 2. For more information about this service pack, see: https://support.microsoft.com/default.aspx?scid=KB;en-us;276369&sd=tech

Filename: kickhinv.sms
Package Created: MST:Start Hardware Inventory
Programs Created: MST:Start
Description: This package definition file imports the program necessary to remotely trigger hardware inventory on clients.

Filename: 299444i.sms
Package Created: MST:NT Security Rollup
Programs Created: MST:Required Update
Description: This package definition file imports the program necessary to distribute the Security Rollup Package (SRP) for Windows NT 4.0 that includes the functionality from all security patches released for Windows NT 4.0 since the release of Windows NT 4.0 Service Pack 6a (SP6a). This small, comprehensive rollup of post-SP6a fixes provides an easier mechanism for managing the rollout of security fixes. Applying the SRP does not change the encryption level of the system. For more information about this SRP, see: https://www.microsoft.com/technet/archive/security/news/nt4srp.mspx

Filename: 301625.sms
Package Created: MST:IIS W2k Security Rollup Package
Programs Created: MST:Required Update
Description: This package definition file imports the program necessary to distribute the Security Rollup Package (SRP) for IIS versions 4.0 and 5.0 on Windows 2000.

Filename: 301625i.sms
Package Created: MST:IIS NT4 Security Rollup Package
Programs Created: MST:Required Update
Description: This package definition file imports the program necessary to distribute the Security Rollup Package (SRP) for IIS versions 4.0 and 5.0 on Windows NT 4.0 without Terminal Services.

Filename: 307866i.sms
Package Created: MST:IIS NT4 Security Rollup Package 2
Programs Created: MST:Required Update
Description: This package definition file imports the program necessary to distribute the Security Rollup Package (SRP) for IIS versions 4.0 and 5.0 on Windows NT 4.0 without Terminal Services.

Filename: 305929i.sms
Package Created: MST:Invalid Digital Signature
Programs Created: MST:Required Update
Description: This package definition file imports the program necessary to distribute a fix for servers that generate digital signature errors. For more information about this fix, see: https://support.microsoft.com/default.aspx?scid=KB;en-us;305929&sd=tech

Filename: QChain.sms
Package Created: MST:QChain
Programs Created: MST:Required Update
Description: This package definition file imports the program necessary to distribute QChain.exe to install multiple hot fixes with only one reboot. For more information about QChain.exe, see: https://support.microsoft.com/default.aspx?scid=KB;en-us;296861&sd=tech

Step 3: Monitoring Progress

As each stage of the deployment progresses successfully, the MST collections must be updated. The default collection update schedule is set to two hours for each of the MST collections. Alternatively, the collections schedule can be updated manually by the administrator.

Note: Because additional collections are created by the Microsoft Security Tool Kit Import Utility, these collections are automatically replicated to all the child sites. This increases site-to-site communication traffic during collection replication cycles.

As advertisements are run and security updates are deployed, resources are removed from their original collections because they no longer meet the membership rules for that collection. The resources then become members of other collections based on their membership rules. This is not an immediate process; it occurs according to the configured collection update schedule or when the administrator manually updates the collection. When this happens, if there is an advertisement targeted to that collection, the resources receive the next advertised program that applies the appropriate update.

Queries that match the collections are provided so that administrators can track the progress of resources through the appropriate stages of the deployment without causing excessive replication traffic.

In addition to using the pre-created collections and queries to monitor status, you can use Advertisement Status to track the success and failures of each of the advertisements.

Using SMS to Automate Deployment

These fixes are specifically designed for the operating system of the resource targeted to receive the fix. The following sections describe how to deploy the fixes to different operating systems.

  • How SMS Deploys Fixes to Windows 2000

  • How SMS Deploys Fixes to Windows NT 4.0

  • How SMS Deploys Fixes to Windows NT Server 4.0, Terminal Server Edition

How SMS Deploys Fixes to Windows 2000

This section describes how to use SMS to deploy the security fixes to computers running Windows 2000 or Windows 2000 SP1 or later. These steps automate the manual steps that are described in the Guide to Baseline Security, which is included in the Security Tool Kit. It is recommended that you read these steps in conjunction with the steps described in the Guide to Baseline Security.

The following queries, collections, and packages are provided in the Security Tool Kit for computers running Windows 2000 or Windows 2000 SP1 or later.

Table 3 Queries, Collections, and Packages for Computers Running Windows 2000

Steps Automated by SMS: Step 2a: Install Windows 2000 SP2
SMS Query Name: MST(Win2K) Stage 1 All Win2K Computers not running SP2
SMS Package Name: MST: Service Pack 2 for Windows 2000 (from W2KSP2.sms)
Success SMS Query Name: MST(Win2K) Stage 2 All Win2K Computers running SP2

Steps Automated by SMS: Step 2b: Install the IIS Security Rollup Package
SMS Query Name: MST(Win2K) Stage 3 All Win2K Computers Running IIS
SMS Package Name: MST:IIS W2k Security Rollup Package (from 301625.sms)
Success SMS Query Name: MST(Win2K) Stage 4 All W2K Computers Apply 301625 Success

Steps Automated by SMS: Step 2c: Run Qchain (Will cause the machine to restart)
SMS Query Name: MST(Win2K) Stage 4 All W2K Computers Apply 301625 Success
SMS Package Name: MST:QChain (from Qchain.sms)
Success SMS Query Name: Not provided

Steps Automated by SMS: Step 2d: Run FDIESnif to determine installed version of Internet Explorer.
SMS Query Name: MST(Win2K) Stage 4 All W2K Computers Apply 301625 Success
SMS Package Name: MST:IE Detect (from iedetect.sms)
Success SMS Query Name: MST(W2K) Stage 5 All W2K Computers FDIESnif Success

Steps Automated by SMS: Step 2e: Optional: Install Internet Explorer 5.5 SP2
SMS Query Name: MST(Win2K) Stage 6 All W2K Computers no Updated IE
SMS Package Name: MST:Internet Explorer 5.5 SP2 (from IE55SP2.sms)
Success SMS Query Name: MST(Win2K) Stage 7 All Win2K Computers Updated IE

Steps Automated by SMS: Step 2f: Optional: Install the Critical Update Notification 3.0 Tool
SMS Query Name: MST(Win2K) Stage 8 All Win2K Computers Update Success
SMS Package Name: Cun.sms
Success SMS Query Name: Not provided

Steps Automated by SMS: Step 2g: Run WMPSnif to determine installed version of Windows Media Player
SMS Query Name: MST(Win2K) Stage 8 All Win2K Computers Update Success
SMS Package Name: MST:FDWMSniffer (from FDQMSniffer.sms)
Success SMS Query Name: MST All W2K Computers WMPSnif Success

Steps Automated by SMS: Step 2h: Apply the Windows Media Player Security Patch to WMP Versions 6.4, 7.0 or 7.1
SMS Query Name: MST(W2K)-Stage 9 All Windows 2000 Media Player Need Patch
SMS Package Name: Wmp64.sms
Success SMS Query Name: MST- All Windows 2000 Media Player Security Patch Success

Steps Automated by SMS: Step 2i: If the Version of Windows Media player is 7.0 Upgrade the Version to 7.1
SMS Query Name: MST(W2K)-Stage 10 All Windows 2000 Media Player 7.0
SMS Package Name: Wmp71.sms
Success SMS Query Name: MST-All Windows 2000 Media Player 7.1

Steps Automated by SMS: Step 2j: Run Qchain (This will cause the computer to reboot)
SMS Query Name: MST All Windows 2000 Media Player Patch Success
SMS Package Name: MST:QChain (from Qchain.sms)
Success SMS Query Name: Not provided

Step 2a: Installing Windows 2000 SP2

An SMS query and collection is provided called MST(Win2K) Stage 1 All Win2K Computers not running SP2 that targets all computers running Windows 2000 Professional, Windows 2000 Server, or Windows 2000 Advanced Server that do not already have Service Pack 2 installed.

The W2KSP2.sms package targets this collection and installs Windows 2000 Service Pack 2. When this package runs, it triggers a reboot.

The installation of Windows 2000 SP2 updates the CSD version field in the operating system class provided by SMS hardware inventory. When hardware inventory runs at its next scheduled interval, this information is updated in the SMS database. This update to the SMS database, and the subsequent update of the collections, causes the resources to report to the Windows 2000 Computers Running IIS collection. These collections are then available as targets for the advertisement described in the next section, "Installing the IIS Security Rollup Package."

Note: A package, Kickhinv.sms, is included that can force a hardware inventory schedule to occur immediately for a particular client.

You can run the query MST(Win2K) Stage 2 All Win2K Computers running SP2 to report on systems that successfully completed Step 2a.

Step 2b: Installing the IIS Security Rollup Package

An SMS query and collection is provided called MST(Win2K) Stage 3 All Win2K Computers Running IIS. This query identifies all computers running Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server that are also running IIS. This is determined by detecting the IIS Admin service and Windows 2000 SP2 installation.

When the 301625.sms package runs, it triggers a reboot. This installation of the IIS Security Rollup Package updates a field named IsInstalled in a table containing the QFE Update data with a value of 2 for the ProductName 301625. This indicates that the IIS Security Rollup Package has successfully run.

You can run the query MST(Win2K) Stage 4 All W2K Computers Apply 301625 to report on systems that successfully completed Step 2b.

Step 2c: Installing and Running QChain

The QChain tool does not install any files on a system. QChain organizes the entries in the PendingFileRename registry key based on the specified updates. A reboot is required for these registry changes to take effect.

Step 2d: Installing and Running the FDIESnif Utility

An SMS query and collection is provided called MST(Win2K) Stage 4 All W2K Computers Apply 301625 that identifies all computers running Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server with Service Pack 2 installed.

When the iedetect.sms package runs, it detects the version of Internet Explorer that is installed on the targeted collection of computers. The FDIESnif MIF is imported into a table containing the QFE Update data with an IsInstalled value of 2, which indicates that the utility successfully identified the Internet Explorer version. The UpdateID field displays FDIESnif, and the Description field lists the specific version of Internet Explorer detected.

You can run the query MST(W2K) Stage 5 All W2K Computers FDIESnif Success to report on systems that successfully completed Step 2d.
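The success rule used in Steps 2b and 2d, shown as an added example that is not code from the Security Tool Kit: a small Python parser that reads QFE Update records from NOIDMIF text and groups clients the way a Success/Failed query pair would. The component and group names, class string, IDs, types, client names and sample values are constructed; only the attribute names ProductName, UpdateID, IsInstalled and Description and the success value 2 come from this page.

```python
import re

SUCCESS = "2"  # per this page, IsInstalled = 2 marks a successful run

# Constructed NOIDMIF of the kind FDIESniffer.exe is described as generating.
# Component/group names, class string, IDs, types and the version value are
# assumptions; only UpdateID, IsInstalled, Description (and ProductName, used
# by the hotfix packages) come from the page.
SAMPLE_NOIDMIF = """\
Start Component
  Name = "WORKSTATION"
  Start Group
    Name = "QFE Update"
    ID = 1
    Class = "EXAMPLE|QFE_UPDATE|1.0"
    Key = 1
    Start Attribute
      Name = "UpdateID"
      ID = 1
      Type = String(32)
      Value = "FDIESnif"
    End Attribute
    Start Attribute
      Name = "IsInstalled"
      ID = 2
      Type = Integer
      Value = 2
    End Attribute
    Start Attribute
      Name = "Description"
      ID = 3
      Type = String(64)
      Value = "5.50.4807.2300"
    End Attribute
  End Group
End Component
"""

_KEY_VALUE = re.compile(r"^(\w+)\s*=\s*(.*)$")


def parse_noidmif(text):
    """Return one {attribute name: value} dict per group in the MIF text."""
    groups, group, attr = [], None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        keyword = line.lower()
        if not line or line.startswith("//"):
            continue  # blank line or MIF comment
        if keyword == "start group" and group is None:
            group = {}
        elif keyword == "start attribute" and group is not None:
            attr = {}
        elif keyword == "end attribute" and attr is not None and "name" in attr:
            group[attr["name"]] = attr.get("value", "")
            attr = None
        elif keyword == "end group" and group is not None and attr is None:
            groups.append(group)
            group = None
        elif keyword.startswith(("start ", "end ")) and "component" not in keyword:
            raise ValueError(f"line {lineno}: unexpected {line!r}")
        elif attr is not None:
            match = _KEY_VALUE.match(line)
            if match:  # Name, ID, Type or Value of the open attribute
                attr[match.group(1).lower()] = match.group(2).strip().strip('"')
    if group is not None or attr is not None:
        raise ValueError("truncated MIF: group or attribute never closed")
    return groups


def update_status(groups, update):
    """Classify one update, matched on ProductName or UpdateID, for one client."""
    for record in groups:
        if update in (record.get("ProductName"), record.get("UpdateID")):
            state = "success" if record.get("IsInstalled") == SUCCESS else "not successful"
            return state, record.get("Description", "")
    return "not reported", ""  # no MIF collected yet by hardware inventory


def query_views(clients, update):
    """Group {client name: NOIDMIF text or None} like a Success/Failed query pair."""
    views = {"success": [], "not successful": [], "not reported": []}
    for name in sorted(clients):
        state, _ = update_status(parse_noidmif(clients[name] or ""), update)
        views[state].append(name)
    return views


if __name__ == "__main__":
    fleet = {  # constructed client names
        "WEB01": SAMPLE_NOIDMIF,
        "WEB02": SAMPLE_NOIDMIF.replace("Value = 2", "Value = 0"),  # any value other than 2
        "WEB03": None,  # program ran, but inventory has not collected the MIF
    }
    print(update_status(parse_noidmif(SAMPLE_NOIDMIF), "FDIESnif"))
    print(query_views(fleet, "FDIESnif"))
```

A client in the "not reported" group has not failed; it simply has no record in the database until hardware inventory collects the MIF, which is why the page supplies Kickhinv.sms to force an inventory cycle.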

Step 2e: Installing Internet Explorer 5.5 SP2

An SMS query and collection is provided called MST(Win2K) Stage 6 All W2K Computers no Updated IE that identifies all computers running Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server that are not running either Internet Explorer 5.01 SP2 or Internet Explorer 5.5 SP2.

If the IE55SP2.sms package is run, the MIF for the updated Internet Explorer installation is imported into a table containing the QFE Update data with an IsInstalled value of 2, which indicates that the IE55SP2 package has successfully run.

You can run the query MST(Win2K) Stage 6 All Win2K Computers Update Success to report on Windows 2000 systems that successfully completed Step 2e.

Step 2f: Optional: Install the Critical Update Notification 3.0 Tool

As discussed in the Microsoft Security Tool Kit document, "Installing and Securing and Existing Windows 2000 System," as part of your ongoing maintenance program, it is recommended that you install the Critical Update Notification 3.0 Tool. When this tool is installed on a computer, you will be notified whenever a new Critical Fix is released.

In order to assist you in deploying this tool, an SMS query and collection is provided called MST(Win2K) Stage 8 All Win2K Computers Update Success that identifies all computers running Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server that have installed the IIS Security Rollup Patch and have updated their version of Internet Explorer, and are ready to have this tool deployed to them.

Step 2g: Run WMPSniffer to determine installed version of Windows Media Player

The Windows Media Player Detection Utility is a utility created by the SMS team to assist administrators in identifying the version of Media Player that is running on systems, without enabling software inventory.

When the FDWMSiffer.sms.sms package runs, it updates a table containing the QFE Update data with the IsInstalled value of 2 with the UpdateID of FDWMSnif. The description field displays the version of Windows Media Player detected by the utility.

After the utility runs on the targeted systems, you can run the following query to report on systems that have successfully completed running the IIS Version Detection Utility.

  • MST All W2K Computers WMPSnif Success

Step 2h: Apply the Windows Media Player Security Patch to WMP Versions 6.4, 7.0 or 7.1

The following SMS query and collection are provided. They target all computers running Windows 2000 with Windows Media Player 6.4, 7.0 and 7.1 so that the Windows Media Player Security Patch can be installed.

  • Apply the Windows Media Player Security Patch.to WMP Versions 6.4, 7.0 or 7.1

When the Wmp64.sms package runs, this installation of the IIS 4.0 Security Rollup Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName WMP64.

You can run the following query to report on systems that successfully completed Step 2h.

  • MST- All Windows 2000 Media Player Security Patch Success

Step 2i: If the Version of Windows Media Player Is 7.0, Upgrade the Version to 7.1

The following SMS query and collection are provided to identify all computers running Windows 2000 that are running Windows Media Player 7.0.

  • MST(W2K)-Stage 10 All Windows 2000 Media Player 7.0

When the WMP71.sms package is run, a reboot is triggered. The installation of the Internet Explorer SP2 is imported into a table containing the QFE Update data with the IsInstalled value of 2 where the ProductName displays the appropriate Internet Explorer update.

You can run the following query to report on systems that successfully completed Step 2i.

  • MST-All Windows 2000 Media Player 7.1

Step 2j: Run Qchain

The QChain tool does not install any files on a system. QChain organizes the entries in the PendingFileRename registry key based on the specified updates. A reboot is required for these registry changes to take effect.

How SMS Deploys Fixes to Windows NT 4.0

This section describes how SMS deploys security fixes to computers running Windows NT 4.0 SP3. These steps automate the manual steps that are described in the Guide to Baseline Security, which is included in the Security Tool Kit. It is recommended that you read these steps in conjunction with the steps described in the Guide to Baseline Security.

The following queries, collections, and packages are provided in the Security Tool Kit for computers running Windows NT 4.0, or Windows NT 4.0 SP3.

Table 4 Queries, Collections, and Packages for Computers Running Windows NT 4.0

| Steps Automated by SMS | SMS Query Name | SMS Collection Name | SMS Package Name | Success SMS Query Name |
|---|---|---|---|---|
| Prerequisite Step – Verify IIS Version is 3.0 or later using the FDIISnif Utility. | MST-All Windows NT 4.0 Servers; MST-All Windows NT 4.0 Servers | Not provided | MST:IIS Detect (from iidetect.sms) | All Windows NT 4.0 Servers FDIISnif Success; All Windows NT 4.0 Workstations FDIISnif Success |
| Pre-Requisite Step: Install either the Windows NT 4.0 Server Option Pack or the Windows NT 4.0 Workstation Option Pack if IIS is installed and running. | All Windows NT 4.0 Workstations Running IIS; All Windows NT 4.0 Servers Running IIS | Not provided | Not provided | Not provided |
| Step 2a: Install Windows NT 4.0 Service Pack 6a | MST(NT4Svr) – Stage 1 Windows NT 4.0 Servers not running SP6a; MST(NT4Wks) – Stage 1 Windows NT 4.0 Workstations not Running SP6a | Same as the queries | Service Pack 6 Microsoft Windows NT 4.0 (from Nt4sp6.pdf) | MST(NT4Svr)- Stage 2 Windows NT 4.0 Servers running SP6a; MST(NT4Wks) – Stage 2 Windows NT 4.0 Workstations Running SP6a |
| Step 2b: Verify Need for 305228 Updates. Note: Do not proceed with this step until you have verified that your computers are affected by 305228. | MST(NT4Svr)-Stage 3 Windows NT 4.0 IIS Servers – Smart Array Controllers; MST(NT4Wks)-Stage 3 Windows NT 4.0 IIS Workstations – Smart Array Controllers | Not provided | Not provided | Not provided |
| Step 2c: Install the Windows NT 4.0 Security Roll-up Package 1 | MST(NT4Svr)- Stage 2 Windows NT 4.0 Servers running SP6a; MST(NT4Wks) – Stage 2 Windows NT 4.0 Workstations Running SP6a | Same as the queries | MST:NT Security Rollup (from Q29944i.sms) | MST(NT4Svr)-Stage 4 All Windows NT 4.0 Servers Security Rollup Success; MST(NT4Wks)-Stage 4 All Windows NT 4.0 Workstations Security Rollup Success |
| Step 2d: Install the Windows NT 4.0 Security Patch (307866i) | MST(NT4Svr)-Stage 4 All Windows NT 4.0 Servers Security Rollup Success; MST(NT4Wks)-Stage 4 All Windows NT 4.0 Workstations Security Rollup Success | Same as the queries | MST:IIS NT4 Security Rollup Patch (from Q 307866i.sms) | MST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 307866i Success; MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 307866i Success |
| Step 2e: Install the Windows NT 4.0 Security Patch (307866i) a Second Time | MST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 307866i Success; MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 307866i Success | Same as the queries | MST:IIS NT4 Security Patch (from 307866i.sms) | MST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 307866i Success; MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 307866i Success |
| Step 2f: Install the Invalid Digital Signature 305929i Patch | MST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 307866i Success; MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 307866i Success | Same as the queries | MST:Invalid Digital Signature (from 305929i.sms) | MST(NT4Svr)-Stage 6 All Windows NT 4.0 Servers 305929i Apply Success; MST(NT4Wks)-Stage 6 All Windows NT 4.0 Workstations Apply 305929i |
| Step 2g: Install the IIS 4.0 Security Roll up Patch | MST(NT4Svr)-Stage 6 All Windows NT 4.0 Servers 305929i Apply Success; MST(NT4Wks)-Stage 6 All Windows NT 4.0 Workstations Apply 305929i | Same as the queries | MST:IIS NT4 Security Rollup Package (from 301625i.sms) | MST(NT4Svr)-Stage 7 All Windows NT 4.0 Servers Apply 301625i Success; MST(NT4Wks)-Stage 7 All Windows NT 4.0 Workstations Apply 301625i Success |
| Step 2h: Run Qchain (This will cause the computer to restart) | MST(NT4Svr)-Stage 7 All Windows NT 4.0 Servers Apply 301625i Success; MST(NT4Wks)-Stage 7 All Windows NT 4.0 Workstations Apply 301625i Success | Not provided | MST:QChain (from Qchain.sms) | Not provided |
| Step 2i: Run the IE Version Detection Utility | Not Applicable | Not applicable | MST:IE Detect (from iedetect.sms) | MST-All Windows NT 4.0 Servers FDIESnif Success; MST-All Windows NT 4.0 Workstations FDIESnif Success |
| Step 2j: Install Internet Explorer 5.01 SP2 or 5.5 SP2 | MST(NTSvr)-Stage 8 All Windows NT 4.0 Servers no Updated IE; MST(NTWKS)-Stage 8 All Windows NT 4.0 Workstations No Updated IE | Same as the queries | MST:Internet Explorer 5.01 SP2 or MST:Internet Explorer 5.5 SP2 (from ie501sp2.sms or ie55sp2.sms) | MST(NT4 Svr)-Stage 9 All Windows NT 4.0 Servers Updated IE; MST(NT4 Wks)-Stage 9 All Windows NT 4.0 Workstations Updated IE |
| Step 2k: Run WMPSnif to determine installed version of Windows Media Player | MST(NT4 Svr)-Stage 9 All Windows NT 4.0 Servers Updated IE; MST(NT4 Wks)-Stage 9 All Windows NT 4.0 Workstations Updated IE | Not provided | MST:WMP Detect (from mpdetect.sms) | MST All Windows NT 4.0 Servers WMPSnif Success; MST All Windows NT 4.0 Workstation WMPShif Success |
| Step 2l: Install the Windows Media Player 6.4 Patch | MST(NT4Svr)-Stage 10 All Windows NT 4.0 Server Media Player need Patch; MST(NT4Wks)-Stage 10 All Windows NT 4.0 Workstation Media Player Need Patch | Same as the queries | Wmp64.sms | MST- All Windows NT 4.0 Servers Media Player Security Patch Success; MST-All Windows NT 4.0 Workstations Media Player Security Patch Success |

Prerequisite Step – Verify IIS Version is 3.0 or later

The IIS Version Detection Utility is a tool created by the SMS team to assist administrators in identifying the version of Internet Explorer that is running on systems, without enabling software inventory. SMS queries and collections are provided that identify all Windows NT 4.0 Server computers and Windows NT 4.0 Workstation computers that are running IIS.

  • All Windows NT 4.0 Servers Running IIS

  • All Windows NT 4.0 Workstations Running IIS

After the utility runs on the targeted systems, the following queries can be run to report on systems that have successfully completed running the IIS Version Detection Utility.

  • All Windows NT 4.0 Servers FIIESnif Success

  • All Windows NT 4.0 Workstations FIIESnif Success

Pre-Requisite Step - Install either the Windows NT 4.0 Server Option Pack or the Windows NT 4.0 Workstation Option Pack if IIS is installed and running.

This step currently needs to be performed manually. However, SMS provides the following queries to identify which Windows NT 4.0 Server or Workstation computers are running IIS, so that you can target them for deploying either Option Pack.

  • All Windows NT 4.0 Servers Running IIS

  • All Windows NT 4.0 Workstations Running IIS

Step 2a: Windows NT 4.0 Service Pack 6a

The SMS queries and collections are provided that identify all Windows NT 4.0 computers that are not running Service Pack 6a. The queries and collections are:

  • MST(NT4Svr) – Stage 1 Windows NT 4.0 Servers not running SP6a

  • MST(NT4Wks) – Stage 1 Windows NT 4.0 Workstations not Running SP6a

The nt4sp6mst.sms package targets these collections and installs Windows NT 4.0 Service Pack 6a. When this package runs, it triggers a reboot.

The installation of Windows NT 4.0 SP6a updates the CSD version field in the operating system class provided by SMS hardware inventory. When hardware inventory runs at its next scheduled interval, this information is updated in the SMS database. This update to the SMS database and the subsequent update of the collections causes the resources to report to either the All Windows NT 4.0 Servers running SP6a collection or the All Windows NT 4.0 Workstations running SP6a collection. These collections are then available as targets for the Windows NT 4.0 Security Rollup Package.

Note: A package, Kickhinv.sms, is included that can force a hardware inventory schedule to occur immediately for a particular client.

You can run the following queries to report on systems that successfully completed Step 2a.

  • MST(NT4Svr) – Stage 2 Windows NT 4.0 Servers running SP6a

  • MST(NT4Wks) – Stage 2 Windows NT 4.0 Workstations Running SP6a

Step 2b: Verify Need for 305228 Updates

Warning: Do not proceed with this step until you have verified that your systems are affected by 305228.

The following queries are provided so that you can easily identify any computers that are affected by Knowledge Base article 305228. These queries target all Windows NT 4.0 Server, Windows NT 4.0 Terminal Server Edition, and Windows NT 4.0 Workstation computers running IIS and that have installed the Smart Array Controllers from Knowledge Base article 305228.

  • MST Windows NT 4.0 IIS Servers – Smart Array Controllers

  • MST Windows NT 4.0 IIS Workstations – Smart Array Controllers

Step 2c: Windows NT 4.0 Security Rollup Package 1

SMS queries and collections are provided that identify all computers running Windows NT 4.0 SP6a and IIS, as determined by detecting the IIS Admin service and the Windows NT 4.0 Service Pack 6a installation. The queries and collections are:

  • MST(NT4Svr) – Stage 2 Windows NT 4.0 Servers running SP6a

  • MST(NT4Wks) – Stage 2 Windows NT 4.0 Workstations Running SP6a

When the 299444i.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 Security Rollup Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 299444i. This indicates the Windows NT 4.0 Security Rollup Package has successfully run.

You can run the following queries to report on systems that successfully completed Step 2b.

  • MST(NT4Svr)-Stage 3 All Windows NT 4.0 Servers Security Rollup Success

  • MST(NT4Wks)-Stage 3 All Windows NT 4.0 Workstations Security Rollup Success

Step 2d: Windows NT 4.0 Security Patch 307866

SMS queries and collections are provided that identify all computers running Windows NT 4.0 SP6a and IIS, as determined by detecting the IIS Admin service and the Windows NT 4.0 Service Pack 6a installation. The queries and collections are:

  • MST(NT4Svr)-Stage 4 All Windows NT 4.0 Servers Security Rollup Success

  • MST(NT4Wks)-Stage 4 All Windows NT 4.0 Workstations Security Rollup Success

When the 307866i.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 Security Rollup Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 307866i. This indicates the Windows NT 4.0 Security Rollup Package has successfully run.

You can run the following queries to report on systems that successfully completed Step 2d.

  • MST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 307866i Success

  • MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 307866i Success

Step 2e: Windows NT 4.0 Security Patch 307866i, again.

SMS queries and collections are provided that identify all computers running Windows NT 4.0 SP6a and IIS, as determined by detecting the IIS Admin service and the Windows NT 4.0 Service Pack 6a installation. The queries and collections are:

  • MST(NT4Svr)-Stage 4 All Windows NT 4.0 Servers Security Rollup Success

  • MST(NT4Wks)-Stage 4 All Windows NT 4.0 Workstations Security Rollup Success

When the 307866i.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 Security Rollup Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 307866i. This indicates the Windows NT 4.0 Security Rollup Package has successfully run.

You can run the following queries to report on systems that successfully completed Step 2e.

  • MST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 307866i Success

  • MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 307866i Success

Step 2f: Invalid Digital Signature 305929i Patch

SMS queries and collections are provided that install the 305929i patch on all computers running Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT Server 4.0 Enterprise Edition. The following collections provided are based on queries of the same name that target all computers running Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT Server 4.0 Enterprise Edition with the Windows NT 4.0 Security Rollup installed.

  • MST(NT4Svr)-Stage 3 All Windows NT 4.0 Servers Security Rollup Success

  • MST(NT4Wks)-Stage 3 All Windows NT 4.0 Workstations Security Rollup Success

When the 305929i.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 305929i Patch Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 305929i. This indicates that the package has successfully run.

You can run the following queries to report on systems that successfully completed Step 2f.

  • MST(NT4Svr)-Stage 5 All Windows NT 4.0 Servers Apply 305929i Success

  • MST(NT4Wks)-Stage 5 All Windows NT 4.0 Workstations Apply 305929i Success

Step 2g: IIS 4.0 Security Rollup Patch

SMS queries and collections are provided that target all computers running Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT Server 4.0 Enterprise Edition to install the IIS 4.0 Security Rollup Package. The collections provided are based on queries of the same name that target all Windows NT 4.0 Workstation, Windows NT 4.0 Server, and Windows NT Server 4.0 Enterprise Edition computers running IIS (as determined by detecting the IIS Admin service and Windows NT 4.0 Security Rollup Patch installation).

When the 301625i.sms package runs, it triggers a reboot. This installation of the IIS 4.0 Security Rollup Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 301625i.

You can run the following queries to report on systems that successfully completed Step 2g.

  • MST(NT4Svr)-Stage 6 All Windows NT 4.0 Servers Apply 301625i Success

  • MST(NT4Wks)-Stage 6 All Windows NT 4.0 Workstations Apply 301625i Success

Step 2h: Installing and Running QChain

The QChain tool does not install any files on a system. QChain organizes the entries in the PendingFileRename registry key based on the specified updates. A reboot is required for these registry changes to take effect.

Step 2i: IE Version Detection Utility

The IE Version Detection Utility is a utility created by the SMS team to assist administrators in identifying the version of Internet Explorer that is running on systems, without enabling software inventory.

When the iedetect.sms package runs, it updates a table containing the QFE Update data with the IsInstalled value of 2 with the UpdateID of FDIESnif. The description field displays the version of Internet Explorer detected by the utility.

After the utility runs on the targeted systems, you can run the following queries to report on systems that have successfully completed running the IIS Version Detection Utility.

  • MST-All Windows NT 4.0 Servers FDIESnif Success

  • MST-All Windows NT 4.0 Workstations FDIESnif Success

Step 2j: Install Internet Explorer 5.01 SP2 or Internet Explorer 5.5 SP2

SMS queries and collections are provided that will identify all computers running Windows NT 4.0 Workstation, Windows NT 4.0 Server, and Windows NT Server 4.0 Enterprise Edition that do not have either Internet Explorer 5.01 SP2 or Internet Explorer 5.5 SP2. The queries and collections are:

  • MST(NTSvr)-Stage 6 All Windows NT 4.0 Servers no Updated IE

  • MST(NTWKS)-Stage 6 All Windows NT 4.0 Workstations No Updated IE

When either the ie501sp2.sms package or the ie55sp2.sms runs, a reboot is triggered. The installation of either Service Pack 2 is imported into a table containing the QFE Update data with the IsInstalled value of 2 where the ProductName displays the appropriate Internet Explorer update.

You can run the following queries to report on systems that successfully completed Step 2j.

  • MST(NTSvr)-Stage 7 All Windows NT 4.0 Servers Updated IE

  • MST(NTWKS)-Stage 7 All Windows NT 4.0 Workstations Updated IE

Step 2k: Windows Media Player Detection Utility

The Windows Media Player Detection Utility is a utility created by the SMS team to assist administrators in identifying the version of Media Player that is running on systems, without enabling software inventory.

When the mpdetect.sms package runs, it updates a table containing the QFE Update data with the IsInstalled value of 2 with the UpdateID of MPIESnif. The description field displays the version of Windows Media Player detected by the utility.

After the utility runs on the targeted systems, you can run the following queries to report on systems that have successfully completed running the Windows Media Player Detection Utility.

  • MST-All Windows NT 4.0 Servers MPIESnif Success

  • MST-All Windows NT 4.0 Workstations MPIESnif Success

Step 2l: Install the Windows Media Player 6.4 Patch

SMS queries and collections are provided that install the Media Player Security patch on all computers running Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT Server 4.0 Enterprise Edition. The following collections provided are based on queries of the same name that target all computers running Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT Server 4.0 Enterprise Edition with the Windows NT 4.0 Security Rollup installed.

  • MST(NT4Svr)-Stage 11 All Windows NT 4.0 Server Media Player 6.4

  • MST(NT4Wks)-Stage 11 All Windows NT 4.0 Workstation Media Player 6.4

When the wmp64.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 Windows Media Player Patch Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName Wmp64.sms. This indicates that the package has successfully run.

You can run the following queries to report on systems that successfully completed Step 2f.

  • MST- All Windows NT 4.0 Servers Media Player Security Patch Success

  • MST-All Windows NT 4.0 Workstations Media Player Security Patch Success

How SMS Deploys Fixes to Windows NT Server 4.0, Terminal Server Edition

This section describes how SMS deploys security fixes to computers running Windows NT 4.0 Terminal Server. These steps automate the manual steps that are described in the Guide to Baseline Security, which is included in the Security Tool Kit. It is recommended that you read these steps in conjunction with the steps described in the Guide to Baseline Security.

The following queries, collections, and packages are provided in the Security Tool Kit for computers running Windows NT 4.0 Terminal Server.

Table 5 Queries, Collections, and Packages for Computers Running Windows NT 4.0 Terminal Server Edition

| Steps automated by SMS | SMS Query Name | SMS Collection Name | SMS Package Name | Success SMS Query Name |
|---|---|---|---|---|
| Step 2a: Install Windows NT 4.0 Terminal Server Edition Service Pack 6 | MST(NT4TS) –Stage 1 Windows NT 4.0 Terminal Servers that are not at Service Pack 6 | Same as the query | TSSPA6.sms | MST(NT4TS) –Stage 2 Windows NT 4.0 IIS and Terminal Servers Running Pack 6 |
| Step 2b: Install the 265714 for Terminal Server Edition (MS00-095) | MST(NT4TS) –Stage 2 Windows NT 4.0 IIS and Terminal Servers Running Pack 6 | Same as the query | 265714i.sms | MST(NT4TS) –Stage 3 All Windows NT 4.0 Servers apply 265714 Success |
| Step 2c: Install the 266433 for Terminal Server Edition (MS00-070) | MST(NT4TS) –Stage 3 All Windows NT 4.0 Servers apply 265714 Success | Same as the query | 266433i.sms | MST(NT4TS) –Stage 4 All Windows NT 4.0 Servers apply 266433 Success |
| Step 2d: Install the 269049 for Terminal Server Edition (MS00-052) | MST(NT4TS) –Stage 4 All Windows NT 4.0 Servers apply 266433 Success | Same as the query | 269049i.sms | MST(NT4TS) –Stage 5 All Windows NT 4.0 Servers apply 269049 Success |
| Step 2e: Install the 280119 for Terminal Server Edition (MS01-008) | MST(NT4TS) –Stage 5 All Windows NT 4.0 Servers apply 269049 Success | Same as the query | 280119i.sms | MST(NT4TS) –Stage 6 All Windows NT 4.0 Terminal Servers Updated Success. |
| Step 2f: Install the critical security fix Qchain package | MST(NT4TS) –Stage 6 All Windows NT 4.0 Terminal Servers Updated Success. | Same as the query | Qchain.sms | Not provided |
| Step 2g: Run the IE version detection utility | MST(NT4TS) –Stage 6 All Windows NT 4.0 Terminal Servers Updated Success | Same as the query | iedetect.sms | All NT 4.0 Terminal Servers FDIESnif Success |
| Step 2h: Install 5.01 SP2 or 5.5 SP2 | MST(NT4TS) –Stage 7 All Windows NT 4.0 Terminal Servers No Updated IE | Same as the query | ie501sp2.sms or ie55sp2.sms | MST(NT4TS) –Stage 8 All Windows NT 4.0 Terminal Servers Updated IE |
| Step 2i: Run WMPSnif to determine installed version of Windows Media Player | MST(NT4 Svr)-Stage 9 All Windows NT 4.0 Terminal Servers Updated IE | Not provided | MST:WMP Detect (from mpdetect.sms) | MST All Windows NT 4.0 Terminal Servers WMPSnif Success |
| Step 2j: Install the Windows Media Player 6.4 Patch | MST(NT4Svr)-Stage 10 Windows NT 4.0 Terminal Server Media Player need Patch | Same as the query | Wmp64.sms | MST- Windows NT 4.0 Terminal Servers Media Player Security Patch Success |

Step 2a: Install Windows NT 4.0 Terminal Server Edition Service Pack 6

The SMS query and collection provided identify all Windows NT 4.0 Terminal Server computers that are not running Service Pack 6. The query and collection are:

  • All Windows NT 4.0 Terminal Servers not running SP6

The TSSPA6.sms package targets these collections and installs Windows NT 4.0 Service Pack 6. When this package runs, it triggers a reboot.

The installation of Windows NT 4.0 SP6 updates the CSD version field in the operating system class provided by SMS hardware inventory. When hardware inventory runs at its next scheduled interval, this information is updated in the SMS database. This update to the SMS database, and the subsequent update of the collections, causes the resources to report to either the All Windows NT 4.0 Servers running SP6 collection or the All Windows NT 4.0 Workstations running SP6 collection. These collections are then available as targets for the next step.

Note: A package, Kickhinv.sms, is included that can force a hardware inventory schedule to occur immediately for a particular client.

You can run the following query to report on systems that successfully completed Step 2a.

  • All Windows NT 4.0 Servers running SP6

Step 2b: Install the 265714 for Terminal Server Edition (MS00-095)

The SMS query and collection provided install the 265714 patch on all computers running Windows NT 4.0 Terminal Server. The following collection is provided based on the query of the same name that targets all computers running Windows NT 4.0 Terminal Server.

  • All Windows NT 4.0 Servers Terminal Server that are at SP6

When the 265714i.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 265714i Patch Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 265714i. This indicates that the package has successfully run.

You can run the following query to report on systems that successfully completed Step 2b.

  • All Windows NT 4.0 Servers apply 265714 Success

Step 2c: Install the 266433 for Terminal Server Edition (MS00-070)

The SMS query and collection provided install the 266433 patch on all computers running Windows NT 4.0 Terminal Server. The following collection is provided based on the query of the same name that targets all computers running Windows NT 4.0 Terminal Server with 265714 successfully applied.

  • All Windows NT 4.0 Servers apply 265714 Success

When the 266433i.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 266433i Patch Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 266433i. This indicates that the package has successfully run.

You can run the following query to report on systems that successfully completed Step 2c.

  • All Windows NT 4.0 Servers apply 266433 Success

Step 2d: Install the 269049 for Terminal Server Edition (MS00-052)

The SMS query and collection provided install the 269049 patch on all computers running Windows NT 4.0 Terminal Server. The following collection is provided based on the query of the same name that targets all computers running Windows NT 4.0 Terminal Server with 266433 successfully applied.

  • All Windows NT 4.0 Servers apply 266433 Success

When the 269049i.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 269049i Patch Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 269049i. This indicates that the package has successfully run.

You can run the following query to report on systems that successfully completed Step 2d.

  • All Windows NT 4.0 Servers apply 269049 Success

Step 2e: Install the 280119 for Terminal Server Edition (MS01-008)

The SMS query and collection provided install the 280119 patch on all computers running Windows NT 4.0 Terminal Server. The following collection is provided based on the query of the same name that targets all computers running Windows NT 4.0 Terminal Server with 269049 successfully applied.

  • All Windows NT 4.0 Servers apply 269049 Success

When the 280119i.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 280119i Patch Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName 280119i. This indicates that the package has successfully run.

You can run the following query to report on systems that successfully completed Step 2e.

  • All Windows NT 4.0 Servers apply 280119 Success
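The staged targeting in Steps 2a through 2e, as an added example that is not part of the Security Tool Kit: each host is advertised the first package in the chain for which no IsInstalled value of 2 is recorded under its ProductName. The Host record layout, the "Service Pack 6" CSD string, and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

INSTALLED_OK = 2  # IsInstalled value the page gives for a package that ran successfully

# Steps 2b-2e in the page's order: (package file, ProductName in the QFE Update data).
PATCH_CHAIN = [
    ("265714i.sms", "265714i"),
    ("266433i.sms", "266433i"),
    ("269049i.sms", "269049i"),
    ("280119i.sms", "280119i"),
]


@dataclass
class Host:
    """Constructed inventory record; the field names are assumptions."""
    name: str
    csd_version: str                          # CSD version from hardware inventory
    qfe: dict = field(default_factory=dict)   # ProductName -> IsInstalled


def has_sp6(host):
    # Assumption: the CSD version string reads "Service Pack 6" once Step 2a is done.
    return host.csd_version.strip().lower().startswith("service pack 6")


def next_package(host):
    """Return the package whose target collection this host currently belongs to."""
    if not has_sp6(host):
        return "TSSPA6.sms"
    for package, product in PATCH_CHAIN:
        if host.qfe.get(product) != INSTALLED_OK:
            return package
    return "Qchain.sms"  # Step 2f follows the last successful patch


def out_of_order(host):
    """ProductNames recorded as successful although an earlier stage is not."""
    skipped = not has_sp6(host)
    flagged = []
    for _, product in PATCH_CHAIN:
        ok = host.qfe.get(product) == INSTALLED_OK
        if ok and skipped:
            flagged.append(product)
        skipped = skipped or not ok
    return flagged


def plan(hosts):
    """Group host names by the next package to advertise to them."""
    groups = {}
    for host in hosts:
        groups.setdefault(next_package(host), []).append(host.name)
    return groups


# Constructed sample inventory (not real data). IsInstalled 1 is a made-up
# non-success value; the page only defines 2.
SAMPLE = [
    Host("TS01", "Service Pack 4"),
    Host("TS02", "Service Pack 6"),
    Host("TS03", "Service Pack 6", {"265714i": 2, "266433i": 2}),
    Host("TS04", "Service Pack 6", {"265714i": 2, "266433i": 1, "269049i": 2}),
    Host("TS05", "Service Pack 6", {p: 2 for _, p in PATCH_CHAIN}),
]

if __name__ == "__main__":
    for package, names in plan(SAMPLE).items():
        print(f"{package:12} -> {', '.join(names)}")
    for host in SAMPLE:
        if out_of_order(host):
            print(f"{host.name}: recorded out of order: {out_of_order(host)}")
```

A host such as TS04, which shows a later fix as successful while an earlier one is not, stays gated at the earlier package and is worth reviewing by hand before the chain continues.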

Step 2f: Installing and Running QChain

The QChain tool does not install any files on a system. QChain organizes the entries in the PendingFileRename registry key based on the specified updates. A reboot is required for these registry changes to take effect.

Step 2g: IE Version Detection Utility

The IE Version Detection Utility is a utility created by the SMS team to assist administrators in identifying the version of Internet Explorer that is running on systems, without enabling software inventory.

When the iedetect.sms package runs, it updates a table containing the QFE Update data with the IsInstalled value of 2 with the UpdateID of FDIESnif. The description field displays the version of Internet Explorer detected by the utility.

After the utility runs on the targeted systems, you can run the following queries to report on systems that have successfully completed running the IIS Version Detection Utility.

  • All Windows NT 4.0 Terminal Servers FDIESnif Success

Step 2h: Install Internet Explorer 5.01 SP2 or Internet Explorer 5.5 SP2

The SMS query and collection provided will identify all computers running Windows NT Server 4.0 Terminal Server that do not have either Internet Explorer 5.01 SP2 or 5.5 SP2. The query and collection are:

  • All Windows NT 4.0 Terminal Servers No Updated IE

When either the ie501sp2.sms package or the ie55sp2.sms runs, a reboot is triggered. The installation of Internet Explorer with SP2 is imported into a table containing the QFE Update data with the IsInstalled value of 2 where the ProductName displays the appropriate Internet Explorer update.

You can run the following query to report on systems that successfully completed Step 2h.

  • All Windows NT 4.0 Terminal Servers Updated IE

Step 2i: Windows Media Player Detection Utility

The Windows Media Player Detection Utility is a utility created by the SMS team to assist administrators in identifying the version of Media Player that is running on systems, without enabling software inventory.

When the mpdetect.sms package runs, it updates a table containing the QFE Update data with the IsInstalled value of 2 with the UpdateID of MPIESnif. The description field displays the version of Windows Media Player detected by the utility.

After the utility runs on the targeted systems, you can run the following query to report on systems that have successfully completed running the Windows Media Player Detection Utility.

  • MST-All Windows NT 4.0 Terminal Servers MPIESnif Success

Step 2j: Install the Windows Media Player 6.4 Patch

SMS queries and collections are provided that install the Media Player Security patch on all computers running Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT Server 4.0 Enterprise Edition. The following collections provided are based on queries of the same name that target all computers running Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT Server 4.0 Enterprise Edition with the Windows NT 4.0 Security Rollup installed.

  • MST(NT4Svr)-Stage 11 Windows Terminal Server NT 4.0 Server Media Player 6.4

When the wmp64.sms package runs, it triggers a reboot. This installation of the Windows NT 4.0 Windows Media Player Patch Package MIF is imported into a table containing the QFE Update data with the IsInstalled value of 2 for the ProductName Wmp64.sms. This indicates that the package has successfully run.

You can run the following query to report on systems that successfully completed Step 2j.

  • MST- Windows NT 4.0 Terminal Servers Media Player Security Patch Success