Network Computingwww.networkcomputing.com

Patch strategies for Windows NT 4.0 or any other OS involve a couple of different areas, including lab testing, roll-out tactics and consistency planning. We recently tested Service Pack (SP) 5 for NT 4.0 in our Savannah, Ga., labs by updating NT servers running third-party software, such as older virus-protection applications and Novell's NDS for NT. We also tested several recovery utilities, including tools from Winternals Software and Stac Software, all of which can help you recover a crashed NT system's NTFS (NT File System) partition.

Microsoft points to SP5 as the latest manifestation of its intention to release "feature-free" service packs on a regular basis. These builds are meant to be bug fixes, not functionality add-ons. Microsoft will continue to support SP4 by releasing security and Y2K hot fixes until 2000 (see "A Windows Patch Time Line" to the left.)

SP5 packs all the post-SP4 hot fixes into one convenient package, which sure beats looking up and applying more than two-dozen discrete fixes. But does "no new features" mean "no new bugs"? Though it looks good so far, not all bugs have been discovered yet--witness the WINHLP32 security exploit, reported and hot-fixed two weeks after SP5 shipped.

There's surely a good argument to be made for leaving your NT servers alone. If you have a reasonably generic NT configuration, a hot fix or two won't cause much damage, but any time you introduce complexity into a patch situation, such as when using third-party system software, you may encounter serious problems.

Naturally, you follow the Microsoft README advice of stopping third-party system services and making sure that you're current on device drivers before embarking on a patch adventure. But any time you touch a server--updating a device driver doing routine administration, for instance--you risk mishaps.

In the final analysis, however, there are more compelling reasons to patch than not to patch. In particular, NT's much-publicized security bugs make a case for patching (check out www.ntbugtraq.com, probably the Internet's best source of NT bug reports).

Your production network should have both a firewall and an intrusion-detection system, but whether or not it does, fixing known NT security problems should remain a high priority on your network checklist.

Getting There
In a complex and heterogeneous environment, paying close attention to third-party vendors will help you decide on patch timing; it doesn't do much good to install a hot fix quickly to squash the latest bug, only to have it render your backup software useless. You may also want to pay attention to newsgroups and mailing lists, but remember that you can't believe everything you read. For example, right after SP4 was released, I saw postings that said SP4 would destroy Novell's NDS for NT. Empirical tests in our labs proved this wrong, and it wasn't long before Novell began issuing documentation confirming that NDS for NT worked fine with SP4. (Incidentally, it also works well with SP5.)

We suggest starting your own lab testing as soon as a fix is released, and giving it three months before you begin limited deployment. Of course, vital security or denial-of-services fixes, such as the post-Service Pack 4 DOMAIN_CREATE_ALIAS exploit, may bump up this schedule.

When deploying a fix, consider three levels of risk: none, low and high. No risk, of course, is the lab environment. When building it, you'll need to ensure that you duplicate the kind of environment that exists in your production servers. Though you may not be able to replicate the hardware, you can at least install the same kinds of third-party software. (You should, however, use as much of the same hardware as possible.) Our site has run into patch difficulties related to RAID controllers--we caught this in the labs and resolved it before entering the field.

You'll also want to test vital software, such as backup, virus protection, directory services or metadirectory applications. Because our enterprise relies on NDS for NT, we decided to test it with a beta copy of NT SP5 (we haven't seen any problems surface thus far).