Security Patch Scripts for Microsoft Windows NT 4.0 / 2000 / XP
produced by Doc Rice

(updated 8/9/05 - this site is a work-in-progress)

Disclaimer:
This site is in no way endorsed by Microsoft. I am providing this service because I'm tired of hearing about all these Windows machines that get compromised because lazy sysadmins do not apply patches in a timely fashion (Nimda, Slammer, Blaster, etc.).

Frequently Asked Questions

What:
Security / hotfix patch scripts for Windows NT 4.0 / 2000 / XP (does not apply to Win9x systems due to the lack of an account-based security context and RPC mechanisms).

Why:
To increase operating system security, reliability, and overall effectiveness as productivity tools (and to reduce OS vulnerabilities for Windows systems as much as possible).

As a system administrator responsible for a number of Windows machines and considering the large number of corporations still apparently not proactively securing their networks, I have decided to make available the patching methodology I use to keep my systems up to date against insecure coding practices from Microsoft. Each day I hear about another security issue and how Company X was exploited by a vulnerability for which there existed a patch a month or more prior (Blaster, Slammer, etc.).

I am not a believer of Microsoft's secure-coding practices nor their laughable, out-of-the-box security configuration, and since most corporations will continue to use Microsoft's operating systems as their business platforms with default security settings, the only way to maintain user productivity is to proactively defend against new potential exploits by securing the core operating system as well as implementing best practices to all users.

How:
Basic batch scripts that can be run via domain logon scripts, Group Policy, drive shares, CD media, etc., and distributed to machines within a domain environment to automate patching without third-party utilities like UpdateEXPERT or administrative methods such as SMS, SUS, Automatic Updates, and most importantly WindowsUpdate, since using a web browser can itself be a security issue (it's been said that WindowsUpdate doesn't always install patches reliably anyway).


As of this update, these patch scripts are not "perfect." I don't consider myself an expert script writer, but these scripts should be a starting point to enable any Windows sysadmin to automate the patching process for their end-user systems. This is a work-in-progress, and this website will be updated as my time allows and as Microsoft releases new security bulletins.

For each of these scripts, you will need to:

  1. Determine the hotfixes that you require for your environment - consider factors such as desktop or server-based applications which may be impacted by these patches. Microsoft tends to release bad patches from time to time, so be sure to test new patches before deploying them!
  2. Determine the current patch levels for your systems. I use a command line tool such as Hfnetchk 3.86, or the Microsoft Baseline Security Analyzer 1.1.1 (for all you GUI fans).
  3. Download the individual patch files from Microsoft (use the URL syntax http://support.microsoft.com/?kbid=(hotfix number) - for example: http://support.microsoft.com/?kbid=824146). I don't provide them here since you should never trust executable files from someone you don't know (after all, how can you be sure that I didn't trojan the executables?).
  4. Keep your documentation up-to-date as to which machines have which patches applied.
  5. Download the Resource Kit utilities reg.exe, sleep.exe, and qfecheck.exe.
  6. Modify the scripts as needed to work for your specific environment. Season to taste.
Each of the following scripts assumes that the base Service Pack is installed on the operating system (SP-6a for Windows NT 4.0, SP-3 for Windows 2000, SP-1 or SP-1a for Windows XP; SP-4 for Windows 2000 is relatively new at the moment and most companies won't have it tested and deployed yet). The default version of IE is assumed to be installed as well (IE 5.01 for Windows 2000, IE 6 for XP, etc.).

You will also need to create the proper directory structure to hold these patches. Download a zipped copy of the directory structure here (note: this file is outdated).

In a directory, I created subdirectories to house each of the categories. For example:

\IE_5.01
\IIS
\MDAC
\OS
\Qchain
\REG
\SLEEP
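The steps above, worked through as an added batch example (not one of the scripts from this site): it checks the OS version with reg.exe, installs only the hotfixes whose registry entry is missing, and runs qchain.exe once so a single reboot suffices. The share path, log path, installer file name and the reg.exe 2.0 / XP query syntax are assumptions; the hotfix key name under HKLM\...\CurrentVersion\Hotfix is assumed to match the KB number (the same keys qfecheck.exe reads).

```batch
@echo off
REM Added example, not one of Doc Rice's scripts: install Windows 2000 hotfixes only
REM where they are missing, then run qchain.exe once before the single reboot.
REM Uses the directory layout from the page (\OS, \REG, \SLEEP, \Qchain). Assumptions
REM (not from the page): PATCHROOT, the log path, the installer file name, and the
REM "reg query KEY /v VALUE" syntax of reg.exe 2.0 / XP.
setlocal
set PATCHROOT=\\server\patches
set LOG=%PATCHROOT%\logs\%COMPUTERNAME%.log

REM Continue only on Windows 2000 (CurrentVersion 5.0); NT 4.0 reports 4.0, XP 5.1.
%PATCHROOT%\REG\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion | find "5.0" >nul
if errorlevel 1 goto done

set NEEDREBOOT=0
REM One line per tested hotfix: key name under ...\CurrentVersion\Hotfix, then the
REM installer file placed in \OS. KB824146 is the MS03-039 fix mentioned on this page.
call :apply KB824146 Windows2000-KB824146-x86-ENU.exe

if %NEEDREBOOT%==1 (
    %PATCHROOT%\Qchain\qchain.exe
    echo %COMPUTERNAME% hotfixes installed, reboot required >> "%LOG%"
)
goto done

:apply
REM Skip the install if the hotfix already registered itself (same check qfecheck.exe does).
%PATCHROOT%\REG\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\%1" >nul 2>&1
if not errorlevel 1 (
    echo %COMPUTERNAME% %1 already installed >> "%LOG%"
    goto :eof
)
echo %COMPUTERNAME% installing %1 >> "%LOG%"
REM /q = quiet, /z = do not reboot now; qchain.exe plus one reboot at the end instead.
%PATCHROOT%\OS\%2 /q /z
REM Let the installer release its files before the next one (sleep.exe from the Resource Kit).
%PATCHROOT%\SLEEP\sleep.exe 5
set NEEDREBOOT=1
goto :eof

:done
endlocal
```

Run it from a logon script or Group Policy startup script under an account that can reach the share and write to the log directory; the per-machine log gives you the "which machines have which patches" record that step 4 asks for.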

If you would like to contribute any efforts to grow this script to encompass other areas or to make it more efficient, please feel free to e-mail me. I am providing these scripts for "Open Source" distribution. Keep in mind that I would like to keep this as a batch file as much as possible and use native commands and free utilities (to reduce the need for VB or WMI scripting since WSH isn't installed by default on NT 4.0 systems).

Yes, this site intentionally looks like Microsoft's homepage. And in Microsoft tradition, this site is hosted on a secure, non-Windows host - OpenBSD.

© 2004 Wicked-Styles.com. There is no support or warranty of any kind for these scripts. Use at your own risk.