Release Notes for the Microsoft Security Tool Kit

The MultiLanguage versions of the products listed above are also supported in the English version of the Microsoft Security Tool Kit.

Internet Information Server

Because Microsoft no longer supports Microsoft Internet Information Server 3.0, installing the Microsoft Security Tool Kit does not provide any additional protection for it. Microsoft recommends that you obtain and install a currently supported version of Microsoft Internet Information Services (IIS) before you install the Microsoft Security Tool Kit.

Microsoft Windows XP

Windows XP is not supported by the Security Tool Kit installer, primarily because there are no updates yet released for this version of Windows. Windows XP users should continue to visit the Microsoft Windows Update Web site (http://windowsupdate.microsoft.com/) , and can use the IIS Lockdown Wizard (http://technet.microsoft.com/en-us/library/dd450372.aspx) to further protect their systems. Critical Update Notification is already included in the Windows XP release.

Microsoft Windows 2000 Datacenter Server

Windows NT Server 4.0, Terminal Server Edition

After you apply the Terminal Server Edition update that is available in the following Microsoft Knowledge Base article, the operating system version changes from Build 1381: Service Pack 6 to Build 1381: Service Pack 6, RC1.6: This change in the displayed version number does not cause any errors or issues. For additional information about this security update, see the following Microsoft Web site:

These release notes provide additional information that you should know and understand before you install the Microsoft Security Tool Kit.

Important Installation Requirements

Disk space requirements vary greatly according to your version of Windows and the recommended updates. Windows NT 4.0 requires less than 200 megabytes (MB). Windows 2000 space requirements might be as much as 1 gigabyte (GB). Space requirements are necessary to support the automated installer. The automated installer assumes that you want to make a backup of the system with each installation (so that you can remove the updates). These backups can take a lot of space. Also, the individual service pack installers require a lot of working space that will not ultimately be used, but is required during the installation process. If disk space requirements are a concern, follow the manual instructions for installing each recommended component.

Microsoft does not recommend that you uninstall any of the updates that are installed by the Security Took Kit. Removing any of the updates leaves your system vulnerable to security threats. No uninstallation mechanism is provided by the Security Took Kit, but each component that is installed by the Security Tool Kit can be uninstalled individually with the exception of Critical Update Notification. The mechanisms to uninstall the updates are documented in the deployment guides that are included in this kit. When you uninstall updates, it is important to remove the updates in the reverse order from which they were installed.

To use the automated installer (Setup.exe) on the Security Tool Kit CD-ROM to install Windows 2000 Service Pack 2 (SP2), you must use the version of SP2 that is on this CD-ROM. The SP2 installer has been modified from the previously released version. None of the updates that are contained in the service pack were changed, only Update.exe was replaced to allow the service pack to work well with the Security Tool Kit installation program.

If you install the Security Tool Kit from a Terminal Services session over the network by using a mapped network drive, you may receive the following error message during the installation of the Critical Update Notification utility: This error message does not occur if you install the Security Tool Kit from the Security Tool Kit CDROM or if you use the \\server_name\share syntax, where server_name is the name of the server and share is the name of the share. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

Windows NT 4.0 Compaq Array Controller Users

If you have installed the Compaq Array Controller Driver (Cpqarray.sys) from the Compaq Web site, Compaq FTP site, or Compaq SmartStart, please see the following article in the Microsoft Knowledge Base regarding Compaq Array controllers and the Windows NT 4.0 Security Rollup Package (SRP):

Systems Management Server (SMS)

For this version of the Security Tool Kit, you cannot use the Software Distribution Wizard to distribute software to MST collections. Microsoft Systems Management Server (SMS) limits the length of the advertisement name to 100 characters. However, the current naming convention that is used with MST collections and packages often results in the advertisement name (which is the combination of the collection name, the package name, and three additional characters) exceeding this limit. To work around this issue, you can either create the advertisement from the SMS Administrator tool, or modify the collection and package names so that the combined total characters do not exceed 96, which enables the use of the Software Distribution Wizard. For additional information about creating advertisements, click the article number below to view the article in the Microsoft Knowledge Base:

Running the Security Tool Kit Installer

NOTE: You must be logged on to the computer as an administrator to run the installer.

1. Insert the Microsoft Security Tool Kit CD-ROM in your CD-ROM or DVD-ROM drive.
2. If a Web page opens in your browser automatically, follow the instructions. If a Web page does not open automatically when you insert the CD-ROM, click Start, click Run, type the following line (where drive is the drive letter that is associated with your CD-ROM drive), and then click OK:
   drive:\setup.exe
   If you want to run the tool without actually running the recommended installations, use the following command line:
   setup -noexecute
3. The Setup Wizard guides you through each step of installing the Security Tool Kit. The Setup Wizard analyzes your computer and determines the minimum set of updates that must be applied to achieve a baseline level of security. These service packs and updates, along with other security tools, are listed for your review. The tool identifies when a reboot is required in the process. The number of reboots that is required varies according to the version of Windows and the required updates.
4. If you choose to allow Setup to proceed with the updates, the installer for each update starts in order. Each one is automated.
   
   NOTE: If one of the individual installations does not succeed, the Setup Wizard does not attempt further updates. If this happens, try to complete the installation independent of the Setup Wizard. For example, if during the installation of Windows 2000 SP2 the SP2 installer does not succeed for any reason, the Security Tool Kit installation also stops. In this case, run the Windows 2000 SP2 installer independently to determine the cause of the problem. For example, the installation may not succeed because it ran out of disk space. After this is resolved, you can run the Security Tool Kit installer again.
5. During the course of the installation, you may be prompted to restart your computer. After the restart, to continue the installation process, you must log on by using the same user account.
6. After the updates are installed, the Setup tool installs some additional tools, such as the IIS Lockdown Wizard (http://www.microsoft.com/technet/security/tools/locktool.mspx) . The additional tools prompt you for input when required.
7. When the installation process is complete, the screen displays a summary of each action the installer took and whether it was successful.

Notes

If you install the Security Tool Kit on the same computer multiple times, the Security Tool Kit might indicate that you need to install the same updates again. On Windows NT 4.0 the installer always recommends installing Service Pack 6a (SP6a) (http://support.microsoft.com/kb/241211) , even if it is already installed. This occurs because the installer cannot determine if any additional components have been installed since SP6a was originally applied. On Windows NT 4.0, the service pack must be reinstalled after any change in the components of the operating system. This problem was addressed in Windows 2000; therefore you do not see Windows 2000 service packs recommended by the tool for multiple installations. For updates on both versions of Windows, the default is to offer to install them again.

The installer makes the most conservative recommendations. For example, if Microsoft Internet Explorer 5.01 is installed, the Setup Wizard recommends Internet Explorer 5.01 Service Pack 2 rather than Internet Explorer 5.5 Service Pack 2. This occurs because Internet Explorer 5.01 SP2 is the minimum requirement to achieve baseline security; the installer has no need to force the upgrade to Internet Explorer 5.5. However, if you are running a version of Internet Explorer earlier than 5.01, the Setup Wizard recommends Internet Explorer 5.5 SP2. Internet Explorer 6 (http://www.microsoft.com/windows/products/winfamily/ie/default.mspx) also raises your security to a baseline level, although it is not included in this tool kit.

Advanced Options

After the installation is complete, view the Mstsetup.log file to see which updates were identified for installation and whether these installations were successful. This file is usually located in your Windows folder (for example, C:\Winnt\Mstsetup.log).