Is your security system up to date?

Is your security system up to date?

By Scott Dunn WindowsSecrets.com maintains a WSN Security Baseline page to keep you current on the bare minimum you need to protect your home or small-business systems against malware. This list is based on our analysis of the reviews and editor’s choices from leading PC publications and Web sites, including PC Magazine, PC World, CNET, and others.

The basic tools you need

You need at least three categories of tools to secure your system:

• A hardware firewall, usually in the form of a router;
• A software security suite (a separate antispyware app is no longer needed, as I explain below); and
• A patch-management system for staying current with the latest updates.

Routers: the story doesn’t ‘n’ here

The most economical way to get a hardware firewall is to get an Internet router with built-in firewall features — preferably one that includes wireless capability.

Most wireless routers in use today follow the 802.11b or 802.11g standard, which specifies the speed and range of data transfers. The newest draft specification is 802.11n, whose multiple data streams promise faster transfers and longer range than before. It’s also intended to eliminate the problems of interference and spotty coverage that sometimes occur with the current standard. A number of "n"-based routers are already available.

Unfortunately for consumers, the "n" standard is still in draft stage and is not expected to be ratified by the Institute of Electrical and Electronics Engineers (IEEE) until 2009. An unratified status means the specification could change, leaving consumers stranded with an incompatible product that may or may not be easy to upgrade. For this reason, a number of reviewers shied away in 2006 from recommending "n"-based products.

Now the climate seems to be changing. Manufacturers have worked together over the last year to create "n"-based routers that work well and work together. A number of commentators and reviewers, including PC Magazine and the computing column of the Houston Chronicle, have begun to recommend these products.

Here’s my advice: If you aren’t suffering from the problems that the "n" standard is meant to solve — slow speeds and inadequate range — there’s little reason to risk isolating yourself with a product that may be outdated soon by a changing standard. I suspect that most home and small-business users are not likely to need the new technology in the near term.

Netgear is the hardware firewall of choice

There’s no clear winner in the latest batch of router reviews, but Netgear’s RangeMax 240 WPNT834 has garnered an Editor’s Choice from PC Magazine and got high marks from other publications as well. This pre-"n" router includes the WPA2 encryption standard (which is the current leader and one I recommend) and includes four LAN ports, in addition to wireless capabilities. Its price online ranges from US$50 to US$120. The separate NetGear WPNT511 notebook adapter card is not required, but is likely to improve speed and compatibility. It sells for US$85 (street).

ZoneAlarm remains the top-rated suite

Long a favorite among testers, ZoneAlarm Internet Security Suite ($50 street) is still the preferred security suite among respected reviewers. Like other products in this category, this suite includes software firewall, antivirus, and antispyware as well as other OS and privacy-protection features. It recently received an Editor’s Choice from CNET, which cited its "perfect balance between best-of-breed security protection and ease of use."

In previous editions of the WSN Security Baseline, we’ve recommended a separate antispyware utility because the tools in the security suites weren’t yet up to snuff. That no longer appears to be the case. CNET notes that the antispyware tools in ZoneAlarm Internet Security Suite continue to improve, and the Apr. 10, 2007, PC Magazine goes so far as to say that the ZoneAlarm suite "blocked and removed spyware better than the best standalone antispyware products (and better than NIS 2007)."

NIS 2007, known formally as Norton Internet Security 2007, is a major alternative to ZoneAlarm and received an Editor’s Choice designation in the Apr. 10 PC Magazine.

MS Update and PatchLink for patch management

For novices, we continue to recommend the free Microsoft Update (which requires Internet Explorer) to update Microsoft Office and a few other Microsoft products as well as Windows itself. As before, we advise users to configure Microsoft Update to Notify me but don’t automatically download and install. Then, keep reading Windows Secrets to learn which updates might be risky or undesirable to install.

For businesses with solid IT experience, it’s useful to have an independent tool for downloading and installing Windows patches and upgrades. Windows IT Pro Magazine recently gave its Editor’s Choice to PatchLink Update, which costs $1,495 for a network server plus $18 annually per Windows machine. The same product received a Best Patch Management award from SC Magazine during its 2006 SC Awards Europe. The product gets especially high marks for networks that support a mixture of operating systems.

For larger networks, the Window Security site gives its recently updated gold rating to GFI LANguard Network Security Scanner ($575 for 32 machines).

The WSN Security Baseline as it stands

To see a summary of the end-user security products that are currently top-rated by test labs, visit the WSN Security Baseline page. As changes occur in the ratings, we’ll give you updates here in the newsletter.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.

Microsoft licenses OEM software for single users

MS site encourages OEM sales to individuals

Reader Richard Edwards sent us some Web pages from Microsoft’s Partner Program site, which is accessible only to registered users. These Microsoft pages support the view that any “system builder” can legally purchase and install OEM software — even a home hobbyist who just works with a single machine. Microsoft’s OEM license agreement defines a system builder as “an original equipment manufacturer, an assembler, refurbisher, or pre-installer of software on computer systems.” [Emphasis added.]

Naturally, the other limitations of the OEM version, which I mentioned in the Apr. 26 issue, still apply, including the lack of technical support from Microsoft and the fact that the license can’t be transferred to another machine under the license terms.

A February blog posting on the Partner Program site asks, "Can a system builder sell an OEM copy of Windows Vista without attaching it to a piece of hardware?" The answer that follows is:

• "YES! YES! YES you can!!!!!!! As long as you do not open the package AND the end user is assembling their own PC (at that point the user is considered a system builder). [Emphasis added.] As of August 2005, the licensing changed on all of the OEM licensing packs — 1, 3, and 30."

Another page on this private site states:

• "OEM system builder software packs are intended for PC and server manufacturers or assemblers ONLY. They are not intended for distribution to end users. Unless the end user is actually assembling his/her own PC, in which case, that end user is considered a system builder as well." [Emphasis added.]

Figure 1. This image from Microsoft’s Partner Program site, which is available only to registered users, clearly states that vendors can sell the OEM version of Windows as a 1-pack to individuals who are building a system, as long as the packaging is not opened by the vendor.

Unfortunately, Microsoft has chosen to hide some of its clearest statements about the sale of OEM software to end users on a Web site that is only available to those who join the Microsoft Partner Program (see Figure 1).

A further annoyance is that the license agreement states that OEM software must be installed using Microsoft’s OEM Preinstallation Kit (OPK). According to a Microsoft Web page, although the OPK tool is included with the “3-pack” OEM version of Windows and Office 2003, it is not included with the 1-user OEM version of Windows and Office 2003. To obtain the tool, an individual system builder must download it from the members-only Microsoft Partner Program Web site.

The good news, however, is that any business (however small) can join the Partner Program at no charge.

Quick fixes for subscription subterfuge

Reader responses poured in after my May 17 story on security firms that make it difficult for you to opt out of automatic credit-card charges.

We received a lot of good tips, tricks, and suggestions for avoiding surprises on your credit-card statements. Many people sent in solutions, like this one from Steve Himel:

• "I avoid the whole automatic subscription renewal of security products by simply purchasing the retail, boxed version of the software. So far, I have been able to register the software to obtain updates for a year without giving away a credit-card number. When the year is up, I simply purchase a new retail version of security software — either the same product, or I can switch to a different product. Also, with sales and rebates, the cost of a new retail package is often less than the subscription-renewal price."

Good points, Steve. As other readers noted, this strategy also gives you a physical disk that acts as a backup if you need to reinstall the product. Moreover, in most cases, subscriptions only update your virus and spyware definitions, but don’t upgrade the product to the newest version. Buying a new box each year ensures you have the latest version.

Use virtual credit-card numbers

An enormous number of readers suggested single-use credit-card numbers, a feature offered by some credit-card companies. For example, Matthew Persico explains his strategy:

• "When I use a vendor site, I give them a VAN — a Virtual Account Number. Citibank provides this service for all Citibank credit card holders. Each time you want to put a credit card number in a form, you can generate a temporary number, good for only one use. When they try to charge the card the following year, they discover ‘Oops, it expired!’ "

But one reader, Raymond Clouser, wasn’t so sure this would work. As he explains:

• "A few years ago, I thought I found the answer through the single-use credit-card numbers offered by American Express and Discover cards. However, that was not the answer, according to what I was told by credit-card company representatives. I was told that the single-transaction numbers were not really single-transaction. Instead, the single numbers were between the user and the company you used it with, and they could later bill you for additional charges, unless you challenged it with the credit card company."

I called Citibank to check its policy with virtual account numbers. A representative told me that the numbers were, indeed, solely event-based and that a subscription company could not use the same number a year later to charge your card. This service is free to Citibank customers; all it requires is an Internet connection. See the company’s Web site for more information.

Naturally, readers will want to check out the policies of their individual credit-card companies to see if this service is available, and whether it would solve this particular problem.

In the paid version of today’s newsletter, you’ll find more ways to defeat subscription subterfuge, as well as a tip on Data Execution Prevention relating to my May 3 article on the subject.

Make your own church marquee

Perhaps you’ve seen them while driving down the road — those backlit, block-letter signs in front of a church announcing the upcoming sermon or maybe just providing a thought for the day. But why should religion get all the roadside fun? Now you can, too, with the online Church Sign Generator. Choose from five different designs, enter your text, and presto! — a photo of your custom sign appears. You can save the photo to your computer, or, for a few bucks, order magnets, stickers, and coffee mugs printed with your message. More info

More ways to avoid automatic credit-card charges

Stop unwanted charges, pay by check

Reader David Gilman explains his strategy for avoiding automatic renewal charges:

• "I never had this problem with Norton AntiVirus. I purchased the product through my retailer. When NAV indicated it was time to renew my subscription, I filled out their online form and selected ‘Check’ as payment option. I then mailed them a check. They say you should allow 2-3 weeks for it to take effect, but the renewal was ready in three days. Granted, this is not as convenient as a credit-card purchase, but it keeps my credit card number out of Symantec’s greedy paws."

This just goes to show that good, old-fashioned methods sometimes work better than new ones.

Option 2: Don’t pay at all

Still another option that many readers recommended is to use a free product. As Joe Ausfal writes:

• "This was a great article. I would like to add that AVG Anti-Virus is free for personal use, has excellent automatic updates, and has provided my home computer flawless protection. There are alternatives to the subscription choices that Symantec, McAfee, et. al., keep you over the barrel with."

AVG Anti-Virus Free, AVG Anti-Spyware Free, and AVG Anti-Rootkit Free are available at no charge for private, noncommercial, single home-computer use from the Grisoft Web site.

Enabling Data Execution Prevention may be required

Virgil Koning writes to tell us his own learning experience with Data Execution Prevention (DEP) discussed in my May 3 article:

• "I have a new system and was dismayed to find out that my system does not support DEP. After contacting the vendor, I learned that the default setting in my BIOS had DEP disabled. I had to enable the ‘Execute Disable Function’ to get the message showing that my hardware does support DEP. Other readers may have encountered the same disappointment that I did. They may not know about the BIOS setting that will make them happy again. The vendor said I was the first person to ask about this function!"

Thanks, Virgil! The names of settings can vary from one BIOS to the next, so check with your system manufacturer if you have questions about enabling this important feature.

Make Vista load files 10 times faster!

By Mark Joseph Edwards Vista has a lot of new features you can take advantage of to improve its overall performance. This week, I’ll tell you how to make Vista load files as much as 10 times faster, which in turn will make your entire system run faster.

Use Vista ReadyBoost for a big performance increase

If you’re using Vista, then you know that it’s a pretty good improvement over Windows XP. It’s full of new features, has improved security, and it’s fast. But I can help you make it run even faster.

There are five basic ways to make Windows Vista run really fast. The first four of these can actually be used to make any operating system run faster:

• A fast CPU (1GHz or faster);
• Plenty of RAM (at least 1GB);
• Fast disk drives (7200 RPM); and
• A graphics card with at least 128MB of RAM

The fifth way to increase speed only applies to Vista, and it’s one that you might not know about. The trick is to use Vista’s ReadyBoost feature.

For all intents and purposes, ReadyBoost is a file-caching system that works by using a Flash drive as the cache storage medium. Reading from disk is one of the biggest bottlenecks in OS operation, and using a cache can minimize that bottleneck. Also, using a Flash drive for caching can be faster than using disk drives, especially when huge sequential files aren’t involved. Thus, the use of a Flash-based caching system is what makes ReadyBoost a great performance-enhancing feature of Vista.

The way it works is simple: When Vista needs to read a file, it first checks the ReadyBoost cache. If any necessary piece of data isn’t available in that cache, Vista will read that data from disk and then insert it into the ReadyBoost cache. This way, the next time it’s needed, it can be retrieved much faster. Likewise, when you write data files to disk, they’re also stored in the ReadyBoost cache for future access.

Enabling ReadyBoost is well worth the effort, because reading from a Flash drive can be as much as 10 times faster than reading from a typical disk drive.

Of course, Flash drives are portable, so you might wonder whether your files are secure when using ReadyBoost. To enhance overall security, all data written to the ReadyBoost cache is encrypted using 128-bit AES encrytion (which is reasonbly strong protection), so it’s secure in the event that you need to remove the Flash device for any reason.

Another important thing you need to know about ReadyBoost is that you cannot use any Flash drive you want. The Flash device needs to meet certain performance requirements. According to Microsoft, the device must be able to sustain 2.5MB per second of throughput for 4KB random reads, and 1.75MB per second throughput for 512KB random writes.

Some device specifications might seem to indicate that the particular drive can be used as a ReadyBoost device, but for various reasons that isn’t always true. To ensure a Flash device can be used as a ReadyBoost cache, you must either connect the device and let Vista test it, or you must buy a device that is labeled as “ReadyBoost compatible.” Even then, some USB ports have been reported to be incapable of handling ReadyBoost.

Another thing to keep in mind is that Vista can only use a 4GB or smaller Flash drive for ReadyBoost. This is because ReadyBoost formats the Flash device with a FAT32 file system, and FAT32 has a 4GB limit. Fortunately, ReadyBoost uses compression to reduce its storage requirements by half. Thus, a 4GB Flash drive lets Vista store about 8GB of data.

To learn a lot more about ReadyBoost, head over to Tom Archer’s blog at the Microsoft Developer’s Network (MSDN). There you’ll find a really good FAQ that will answer most of the questions you’re likely to have.

To use a Flash device for ReadyBoost, just plug it into your system and Vista will recognize it. Select Speed up my system in the dialog box that appears. Vista will then test the speed of the Flash device to make sure it’s compatible with ReadyBoost. If the device is fast enough, you’ll see a properties page with the ReadyBoost tab selected. Select Use this device. That’s all there is to it!

If you want to buy a Flash device that you can use with ReadyBoost, I recommend EdgeTech products. I have two portable USB disk drives and two USB Flash drives made by EdgeTech, and I haven’t had a single problem with any of them. They’re top quality.

EdgeTech’s brand new DiskGO Secure Flash Drive Enhanced for ReadyBoost was announced in mid-April. I have one, and I can tell you that it’s a great device at a great price. The list price is US$129.95, but U.S. buyers can get it from PC Connection for $86, or from Computer Brain for $80. These prices include basic parcel-shipping charges within the 48 states.

An added bonus of this particular device is that it also comes with CryptArchiver software, which can encrypt any files you want to store on the device, using either 448-bit Blowfish or 256-bit AES encryption.

If you’re planning to buy some Flash devices, and you’re wondering whether they’ll work with ReadyBoost, a shortcut for finding out is to visit Grant Gibson’s site. He has a list of dozens and dozens of brands and models. There’s also a quick link to show all incompatable models. Keep in mind that while the site lists a huge number of devices, it is not all-inclusive. So, if your device isn’t listed, just plug it into Vista and give it a try!

Safer Web surfing using virtual machines

You well know that surfing the Web can be dangerous. Granted, adequate security tools (such as firewalls, Web-content scanners, browser toolbars, antimalware protection, and antivirus software) go a long way towards keeping you protected. But there’s another way to defend your systems that you might not be aware of.

By using a virtual machine (VM), you can further minimize potential security problems. In short, VM technology lets you run a second copy of XP or Vista at the same time on your system, thereby helping to protect your main OS. The primary OS is called the host, and the secondary OS is called the guest.

Virtual machines require that you use a VM image specially made to run inside a VM platform. Microsoft offers its Virtual PC software free to anyone. The company also offers VM images that you use as a guest OS so that you don’t have to build an image yourself.

After you download and install Virtual PC, you can download a VM image of XP with SP2 and IE 6 and another image that has XP with SP2 and IE7. You can use either of these to surf the Web more safely. The reason you can surf more safely is because Virtual PC builds a barrier between your host OS and the guest OS. So, any changes made to the guest OS don’t affect the host OS.

Furthermore, when you shutdown and restart the guest OS, it always starts up in its original, clean state. So, for example, if malware did somehow make it into your guest OS, it won’t be there after your restart the guest OS.

Virtual PC runs on Vista Business, Enterprise, and Ultimate editions, plus XP Professional and XP Tablet PC Edition. The minimum disk space requirement is 20MB for Virtual PC itself. You’ll need about 2GB more for the guest OS. You’ll also need at least a 400MHz Pentium-compatible CPU. And, as always, a faster CPU is better. As for RAM, you’ll need at least 128MB to run XP as a guest OS. Further requirement details, showing what you need to run other guest operating systems are available at Microsoft’s site.

In an upcoming issue, I’ll tell you about a great alternative to Microsoft’s Virtual PC, which lets you run a much wider range of ready-made guest operating systems, including tools such as Firefox. So stay tuned!

Help your friends and family understand security

Have you ever tried to stress to your friends and family the importance of using certain security tools, only to be met with blank stares? I sure have. Recently, I came across some useful videos that help people understand the importance of protecting both their systems and themselves when using the Internet.

Some time ago, the EDUCAUSE/Internet2 Computer and Network Security Task Force, the National Cyber Security Alliance, and ResearchChannel got together and held a contest in which universities and nonprofit research institutions submitted videos to help raise awareness about computer security. The winners of the contest were recently announced, and the winning videos released, so you can now share them with your friends and family.

The topics include viruses, botnets, identity theft and phishing, data protection, and more. The videos are short (all under 2 minutes), so even people who are very busy, or those with short attention spans, can quickly glean some valuable information.

Visit the ResearchChannel Web site to view all the winning entries available in Windows Media Player and QuickTime formats. You can also download the videos in MPEG-4 format.

Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and writes the weekly Security Update e-mail newsletter. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.

What to do when Windows turns against you

By Chris Mosby The complexity of the Windows operating system makes it easier for bugs and flaws to creep in during its development. If you’re not careful to protect yourself against this, your computer could be turned against you.

Windows weakness allows Internet traffic hijack

There’s a design flaw in the Web Proxy Autodiscovery Protocol (WPAD) in Windows that could allow a hacker who has access to your local network to redirect Internet traffic to a Web proxy that he or she controls. This would allow the hacker to gain full read rights to all information passed back and forth between the Internet and the local network.

This is possible because Windows, by default, uses WPAD without static server entries. If a hacker can register a WPAD entry in DNS (Domain Name Service) and/or WINS (Windows Internet Name Service), he or she could then force all Internet traffic through a Web proxy. Also, Internet Explorer is set by default to automatically detect Web proxy settings, which allows this type of exploit to work even more easily.

This flaw has been confirmed on all supported versions of Windows Server. Older versions of Windows may also be vulnerable to this flaw.

What to do: There’s some debate about the severity of this weakness. If you have a hacker on your local network who has enough access to modify DNS and WINS in such a way as to make this exploit work, you have a lot bigger problem than hijacked Internet traffic. Still, there is always the case of a disgruntled administrator who decides to go to the Dark Side.

Microsoft thought this issue was severe enough to release a Knowledge Base article, 934864, that details how to reserve WPAD entries in DNS and WINS. Unless you’re an administrator on your corporate network, I wouldn’t try these steps. Let the professionals handle it.

More information: CVE-2007-1692, ISS, FrSIRT, SANS ISC

Vista’s Windows Mail allows code execution

The Windows Mail client in Windows Vista has a design flaw that allows local programs to run if a hacker tricks a user into clicking on an infected link. This link would either point to a local file on the user’s system or a UNC (Universal Naming Convention) path, where there is a directory with the same name of an executable file on the local machine.

This exploit cannot be executed automatically and needs user interaction to work. Curiously, Symantec researchers report being unable to reproduce this flaw on a default install of Vista. So far, however, there have been no other sources that have come forward to question the existence of this vulnerability.

What to do: I wouldn’t expect any fix for this flaw anytime soon. Microsoft recently announced that it will be replacing Windows Mail on Vista — and Outlook Express on Windows XP — with a redesigned version of Windows Live Hotmail. The beta for this has already become available, as described by Microsoft’s announcement at Live.com.

More Information: CVE-2007-1658, ISS, SecurityFocus

The Over the Horizon column informs you about threats for which no patch has yet been released by a vendor. Chris Mosby recently received an MVP (Most Valuable Professional) award from Microsoft for his knowledge of Systems Management Server. He also writes the comic-book blog Tales from the Longbox and is a contributor to Configuring Symantec Antivirus Corporate Edition.

Internet Explorer patch is now a must-install

By Susan Bradley Even though Patch Tuesday has come and gone, we’re finally getting the solutions for several issues that cropped up after the latest patch for Internet Explorer was released. The patch, MS07-027, is high-priority to install now, but you first need to know about two major problems.

MS07-027 (931768)
IE patch has problems but is important

Last issue, I had hoped to strongly recommend that folks install the latest IE security patch, MS07-027 (KB 931768), as it included numerous fixes to annoying print-margin errors. But late-breaking issues made me tell everyone to hold off. Now I’m ready to recommend installing, but with the warning that the patch has some issues of its own.

KB 937409 documents the first issue, which is commonly referred to as the "navcancl" issue. Primarily in Vista machines, as the MSRC blog explains, the issue is caused by temporary Internet files being in a location that doesn’t have the proper permissions set. The recommended workaround is to move the location back, as described in the KB article. While you could change the permissions on the folder or turn off IE’s phishing filter, it’s not recommended that you do so.

The next issue, which is still being tracked, involves an antispyware program that places too many hyperlinks in the Restricted Sites zone in Internet Explorer. This causes Outlook to react with a delay upon each keystroke. Sandi Hardimeier details the issues in a Spyware blog post. The workaround is to remove the site restrictions — or pick another antispyware program that doesn’t do this.

MS07-023 (934233) and MS07-025 (934873)
Office patches for Vista being offered again

If you’re running Vista and noticed that MS07-023 (KB 934233) and MS07-025 (KB 934873) were reoffered to patch your Office 2007 suite after Patch Tuesday, you’re not alone. The MSRC blog explains that there was a detection logic and, as a result, the patches may not have been properly installed on Vista.

(937871)
Svchost.exe issue revisited with new info

I told you in the last Patch Watch on May 10 that a fix for the so-called Svchost issue had arrived. With Microsoft Update installed, svchost.exe sometimes goes wild and consumes all available CPU time.

For those interested, the WSUS blog now has a description of what you should expect to happen with the fix installed. With both KB 927891 and the new Automatic Updates Client installed, you’ll see that the CPU use may rise to 100%, but the machine will still be responsive.

For those who are looking to deploy this fix to many clients, Michael Espinola posted information about how to do this on his Wiki site. However, if you don’t wish to use Michael’s script, be aware that both the patch and the new AU client should be automatically offered up to your systems via Microsoft Update and WSUS (Windows Server Update Services) this week. This is described in MS security advisory 927891.

WSUS gets an update to version 3.0

On May 22, those running WSUS (Windows Server Update Services) servers received a notice to upgrade to WSUS 3.0. As first announced on the WSUS blog, this upgrade will install over top of WSUS 2.0 and upgrade it to 3.0. When this occurs, if your WSUS server is running WMSDE as the database for WSUS 2.0, the upgrade will convert it to SQL 2005 embedded.

When upgrading SBS 2003 boxes to WSUS 3.0, many of us found that we needed to tweak the use of the RAM that the SQL database uses. To do this, we installed the free SQL management tool that you can download from Microsoft. (This link downloads the .msi installer file.) Once you’ve installed the tool, follow these steps:

Step 1. Click servernameMICROSOFT##SSEE;

Step 2. Select Properties.

Step 3. Click the memory box and adjust the memory use to whatever value you wish. On an SBS 2003 box, many are recommending a value of 200 to 256MB.

Step 4. Click OK.

Step 5. Click on the top line, where the SQL server instance is installed, and click Restart.

SQL 2005 SP2 gets a needed VSS fix

Soon after SQL 2005 Service Pack 2 (SP2) was released, a post-SP2 rollup was released to fix the issues with the service pack. The final outstanding issue, which caused errors in the event log, has finally been fixed with KB 934396. During the backup of the server where SQL Server 2005 was located, error messages would be logged into the event viewer. While the backup would function properly, the errors nonetheless were somewhat alarming, given that they only occurred post-SP2 install.

Currently, you have to call Microsoft support and request the serivce pack fix. Hotfixes are always a free call. When I called in, the 32-bit patch was obtained very easily, but the 64-bit version required a transfer to the SQL department to obtain the fix. In both cases, the hotfixes were obtained free of charge. The trick is always to call the support number, tell the operator the exact article number that you need, and the hotfix will always be free. Microsoft will always warn you that the hotfix is not regression-tested and not to place it on a production server until after you test it.

I normally call 1-800-936-4900 in the United States. The Microsoft phone-support numbers for other countries are listed on Microsoft’s international support page.

How to debug patch issues

Some folks are fine with leaving Automatic Updates on to patch their systems. Others want to take the chance and wait before patching. In general, for most businesses, I would argue that you can hold back just a little while before installing patches. There are also a few tricks you can use to better debug the system.

One of the tricks I use is to reboot any system before installing patches. This ensures that everything is acting as it should in preparation for the install. Then, if you have any issues after installing patches, try removing them one at a time and then reinstalling them one at a time to see which one caused the issue.

Sometimes, however, it’s just a matter of chance that an issue started right after you installed a patch. Recently, Microsoft has been offering up nonsecurity patches on the same day that security patches come out. To help isolate any problems, you may wish to install just the security patches and hold off on the nonsecurity patches.

Just say nyet to .NET nonsense

For those who installed .NET 3.0 on their systems and speak fluent English, KB 934238 doesn’t make any sense. The patch is billed as a “non-English” .NET install, but it’s being offered up to English systems. Folks in the newsgroups indicate that it’s not only being offered to their systems, but also that it is "phoning home" to some Web address, according to some reports in the newsgroups and Cringely’s blog site.

While the patch is deemed "critical," it’s not a security patch. It’s suspect enough that I’d advise you to decline installing it until we get more information about exactly why it’s being offered to English boxes and, once it’s on there, what it’s doing.

Reader, please rate the above article:

1: Poor  2: Fair  3: Good  4: Great  5: Superb

The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.