Of Service Packs and Hotfixes: Err on the Side of Caution

Most AS/400 users are familiar with PTFs, IBM's solution for introducing temporary patches or fixes for bugs into the AS/400 environment in between major upgrades or overhauls of the OS/400 operating system. Microsoft has its own mechanism in this regard: Windows NT Service Packs or hotfixes. Because service packs and hotfixes often provide crucial security or software fixes, administrators often have no choice but to implement them as they become available. AS/400 administrators beginning to deploy Windows NT in their environments should be aware, however, of some of the risks.

Microsoft's release of Service Pack 2 (SP2) for Windows NT 4.0 was a complete debacle. All told, more than 140 bugs were discovered in SP2, many of which contributed to notorious Windows NT blue-screens-of-death (BSOD) and other bizarre phenomena.

In the wake of SP2, Microsoft implemented a beta testing program for its next service pack release, Service Pack 3 for Windows NT 4.0, as well as for all subsequent service pack releases.

Microsoft hotfixes are not always to be trusted, either. Such was the case with Microsoft's much-hyped LM-FIX hotfix, among others. The LM-FIX hotfix disabled LAN Manager authentication in Windows NT systems in the wake of hacker-engineered programs such as l0phtcrack 1.5, and was removed from the Microsoft FTP site after software testing determined that problems existed between it and certain features of Microsoft's DCOM technology.

In late April, Microsoft flubbed another hotfix release when it introduced its LSA2 hotfix, a temporary patch engineered to correct Event Log security problems and provide stronger encryption for the Windows NT Local Security Authority's (LSA) LSA Secrets. LSA Secrets stores the usernames and passwords of Windows NT user accounts that must log onto the system as services in order to run. In early June, Microsoft released a revamped version of the same LSA2 hotfix -- only to yank it from its Web site yet again, citing unspecified problems.

Both the LM-FIX and LSA2 fix are essential for administrators seeking to secure their Windows NT environments.

In the Windows NT world, administrators are often loath to apply a hotfix or service pack because Microsoft specifically warns in its hotfix documentation that the software patch has not been thoroughly regression-tested and may cause problems or downtime in some environments.

"Basically, the documentation says specifically that these [hotfixes] are not regression-tested, that they are not supported in any way, and that Microsoft does not recommend that you install these hotfixes unless you're experiencing severe problems," concludes Jiva Devoe, a network engineer with a Phoenix-based IT organization and principal developer with his own development company, DevWare.

The good news, however, is that Microsoft's beta testing program seems to be working -- at least in the area of service packs. SP3 introduced no significant new problems of its own, and SP4 -- in development for more than a year now -- is due to be introduced some time this summer.

In the final analysis, says Phil Cox, a staff member with the U.S. Government's Computer Incident Advisory Capability (CIAC, Livermore, Calif., ciac.llnl.gov), administrators should use caution when deploying hotfixes and service packs. In the area of Windows NT hotfixes especially, Cox maintains, IT managers should only implement software patches applicable to their specific environments.