Summary of Exam Objectives

Keeping your Windows 2000 computers up to date, and therefore secure, is a big responsibility no matter how many computers you have. The number of computers you have and their geographic locations do become important, however, as you seek to implement a consistent (and usable) change management system on your network.

The first major hurdle that you must cross is to identify any and all required updates for your various computers. How will you accomplish this seemingly unmanageable task? The choice is up to you, but you can use several tools from Microsoft (as well as plenty of others from third parties) to analyze each of your computers and then determine the updates that need to be installed.

Windows Update can be used on a single local computer to quickly create a listing of all missing updates on that computer. If you have only a few computers or you have computers that are separated from the rest of the network, Windows Update could be a viable solution for you. The Microsoft Network Security Hotfix Checker, HFNetChk, is a command-line tool that can be used to quickly and efficiently scan all the computers on your network (or any smaller group) for missing updates. You can save the output results into a tab-delimited text file for later importation into Excel to examine the state of your computers. From this output, you can begin to create an update plan.

You can also use the Microsoft Baseline Security Analyzer, MBSA, in order to help you determine the current needs of your computers. The MBSA can be run from either the GUI or from the command line and includes fairly detailed information about each update that needs to be applied. Be aware, however, that the MBSA tool is primarily concerned with all sorts of security issues that could be occurring on your computers. Items such as weak or blank passwords, for example, will be shown in the MBSA analysis. You will often get more than you bargained for when you use MBSA, which is not a bad thing when it comes to securing your computers.

After identifying the updates you need, the next phase of the update process comes into play: downloading and deploying the updates. Downloading the updates can be done in any number of ways, whether directly from the specific Knowledge Base article discussing a specific issue at hand or by an automated means, such as Windows Update or Software Update Services.

Windows Update, as mentioned previously, is most useful when you have only a small number of computers to update, because it is both time and network resource intensive. Corporate Windows Update has been replaced by two new services: Software Update Services and the Windows Update Catalog. In a sense, Windows Update Catalog functions pretty much identically to the way Corporate Windows Update used to: You select the updates you want to download and then download them to a network location of your choosing.

Software Update Services takes this idea a step further and actually turns an IIS server inside your network into a functioning Windows Update server. SUS can be scheduled to regularly synchronize with Windows Update, ensuring that you always have the most up-to-date fixes and updates available to you. After you have approved an SUS update, it is made available to your Automatic Updates clients in the mode of operation you have configured. The configuration for Automatic Updates is most commonly performed from within Group Policy, whether at the local, domain, site, or OU level, but it can be accomplished by editing the Registry directly if the usage of Group Policy is not desired.

Scripts or batch files can also be used to deploy hotfixes and make a very powerful change management tool when used with the Qchain.exe tool. Qchain.exe acts to ensure that the most up-to-date file versions are maintained on your computer and should be used with all deployments of more than one hotfix. Regardless of how you deploy your hotfixes or the number you deploy, you must always restart the computer to complete the update process and prevent file system version and compatibility issues, problems that Qchain.exe can prevent for you. Alternatively, you can also use dedicated software management packages, such as Systems Management Server or any other third-party application for the deployment of updates on your network.
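A batch file of the kind described above, given here as an added example that is not taken from the study guide: each hotfix is installed without a restart, Qchain.exe runs once after the last one, and the computer is restarted afterward. The share path and the hotfix file names are placeholders, not real updates.

```batch
@echo off
rem Added example: install several hotfixes in one pass, then run Qchain.exe.
rem \\server\hotfixes and the Q-numbered file names are placeholders.
setlocal
set PATHTOFIXES=\\server\hotfixes

rem -z = do not restart after installation
rem -m = unattended mode (no prompts)
"%PATHTOFIXES%\Q000001_w2k_sp3_x86.exe" -z -m
"%PATHTOFIXES%\Q000002_w2k_sp3_x86.exe" -z -m
"%PATHTOFIXES%\Q000003_w2k_sp3_x86.exe" -z -m

rem Run Qchain.exe once, after the last hotfix, so that the newest version
rem of any file shared by several hotfixes is the one kept at restart.
"%PATHTOFIXES%\qchain.exe"

echo Hotfixes installed. Restart the computer to complete the update.
endlocal
```

The script must run under an account with administrative rights on the target computer, which ties in with the permissions point made later in this summary.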

Although it doesn't happen very often in Windows 2000, you could have some issues after an update has been deployed. Most times you can quickly and safely resolve the problem by uninstalling the update. When asked, always elect to provide for service pack removal at a later date. Most hotfixes and other updates can be removed via the Add/Remove Programs applet with no extra configuration required at the time of installation. Should you not be able to properly start your computer after applying an update, starting in Safe mode and removing the update will usually fix the problem.

Version conflicts can be avoided when performing updates by either installing only one update at a time, followed by a restart, or using the Qchain.exe tool to ensure that the correct file versions are installed or maintained on your computer. Permissions (or the lack of proper permissions) will most often cause an update to fail to install properly. This problem can be resolved by verifying the group membership and explicit permissions that have been applied to a specific user or system account. Above all else, a solid and easy-to-use disaster recovery plan is an absolute must when it comes to performing updates to critical production computers. The job you save might be your own.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
EAN: 2147483647
Year: 2003
Pages: 162
