For a more detailed summary of the terminology used by Microsoft to describe the types of patches and their ranking of importance see Knowledgebase article 824684 - Description of the Standard Terminology That is Used to Describe Microsoft Software Updates.
Service Packs are ALWAYS cumulative - that is, it is only necessary that you apply the most recently released one for your Operating System - all revisions which existed in previous Service Packs are included in the latest release. Hotfixes and Rollups are NOT cumulative and must be individually applied to a system - the order in which they are applied is also important.
A Service Pack, Hotfix or Rollup will automatically update all necessary files on the system - it is not necessary for you to manually copy, rename or delete any system files during their application. After the update completes, a shutdown and restart will occur to finalise the file replacements. This is required to allow NT to replace files that were in use or otherwise locked whilst the system is running.
Title | Date Released | Support Ceased |
---|---|---|
Windows NT 4.0 OS (Build 1381) | 29 July 1996 | 31 December 2004 - See Note Below |
Service Pack 1 | 16 October 1996 | 14 March 1997 |
Service Pack 2 | 14 December 1996 | 15 August 1997 |
Service Pack 3 | 15 May 1997 | 25 January 1999 |
Service Pack 4 | 25 October 1998 | 4 August 1999 |
Service Pack 5 | 4 May 1999 | 30 February 2000 |
Service Pack 6a | 30 November 1999 | 30 June 2004 - See Note Below |
Post SP6a Security Rollup (SRP) | 26 July 2001 | 30 June 2004 - See Note Below |
Note: SECURITY ONLY hotfix support extended to 31 December 2004 for all versions EXCEPT Workstation. All support for Workstation ended on 30 Jun 2004. For further information, see these notes.
The current revision level for Windows NT 4.0 Workstation and Server is Service Pack 6a. To see what problems have been addressed in this and previous service packs, look at the following Knowledgebase articles:
Service Pack | Issues Addressed |
---|---|
Service Pack 1 | 9 |
Service Pack 2 | 142 |
Service Pack 3 | 181 |
Service Pack 4 | 713 |
Service Pack 5 | 239 |
Service Pack 6/6a | 278 |
Post SP6a SRP | 53 |
Total: | 1615 |
To verify your current Service Pack level do the following:
After Service Pack 6a is applied, you can then make your way through the list of hotfixes presented in the table below. My suggestion is to stick to the order presented unless you have good reasons for changing it. Most of the hotfixes are SECURITY related. If you have doubts about a vulnerability consult the relevant Security Bulletin from Microsoft (also a "clickable" link in the table) for details.
WARNING: If you add software to your system:
Failure to follow correct procedure may result in STOP errors. To avoid this situation reapply the required Service Pack, Hotfixes and / or Rollups immediately after the original files have been copied from the NT 4.0 master CD and BEFORE the system is rebooted. If in doubt, ask for guidance.
A good file tracking application like FileImg from the Windows NT 4.0 Resource kit can simplify matters by making it clear whether anything on the base OS install has been modified or regressed.
If you want to check which hotfixes are installed on a system I recommend "PSInfo", part of the PSTools package from SysInternals.
Secunia run an excellent web site that tracks known vulnerabilities in computer software (including Operating Systems), their seriousness, and patches to correct the problems. Here are the links for Windows NT4.0:
Colour coding is used to signify the level of danger an unpatched system may encounter as follows:
Colour | Level | Meaning |
---|---|---|
RED | DANGER | NO PATCH EXISTS FOR THIS ISSUE. Notes may detail means by which the vulnerability can be lessened or negated. |
Pink | CRITICAL | It is VITAL that this patch be installed to ensure system safety. |
Light Grey | Required | Patch is STRONGLY recommended. |
Light Yellow | Optional | This patch may be important, but is only required in specific circumstances as detailed in the Notes. |
You can download the required patch from the Microsoft servers using the supplied link on the relevant Knowledgebase page. Hotfixes that have been obsoleted by more recent patches are NOT mentioned in this list, and do not have to be applied.
Please read the notes relating to the Service Pack or Hotfix before applying it to your system. In some cases, failure to follow the correct procedure when applying a patch may lead to an unbootable system.
Article Number | Title | Security Bulletin | Notes |
---|---|---|---|
242294 | MS99-041: Security Descriptor Allows Privilege Elevation on Remote Computers | MS99-041 | None |
244599 | Fixes Required in TCSEC C2 Security Evaluation Configuration for Windows NT 4.0 Service Pack 6a | None | Apply Service Pack 6a First |
246009 | Windows NT 4.0 Service Pack 6a Available | None | None |
258437 | FIX: GetEffectiveRightsFromAcl() Fails in Service Pack 6 | None | Apply Service Pack 6a First |
272386 | Upgrade Prompt for Windows Media Player Appears Continually | None | Only Required if Media Player V6.4 Installed - Manual Registry Patch |
299444 | Post Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP) | Additional Information Below | Requires Service Pack 6a First - Caution: See KB Articles 305462, 305929, 307866, 318420 and 326248 Before Applying |
300987 | Windows NT 4.0 Winbond Super I/O Floppy Disk Controller May Not Report Data Underrun or Overrun Condition Correctly | None | Only Required for Hardware Specified |
304158 | Patch for "HyperTerminal Buffer Overflow" Vulnerability in Windows NT 4.0 | MS00-079 | Only Required if HyperTerminal Accessory is Installed |
307866 | You Cannot Log On to the Computer After You Run a Repair Process if SRP is Installed | None | Caution: Ensure This Hotfix Applied After Security Rollup 299444 |
314147 | MS02-006: An Unchecked Buffer in the SNMP Service May Allow Code to Run | MS02-006 | Only Required if SNMP Service is Installed |
318138 | MS02-029: Unchecked Buffer in Remote Access Service Phonebook Allows Code to Run | MS02-029 | None |
320206 | MS02-024: Authentication Flaw in Windows Debugger Can Cause Elevated Privileges | MS02-024 | None |
320920 | MS02-032: Windows Media Player Rollup Available | MS02-032 | Only Required if Media Player V6.4 Installed - This Patch Supersedes and Totally Replaces 308567, 320944, 321678 Manual Registry Patches Required - See KB Articles 272386 and 320944 for further details |
323172 | Flaw in Certificate Enrolment Control May Cause Digital Certificates to be Deleted | MS02-048 | None |
323255 | MS02-055: Unchecked Buffer in Windows Help Facility May Allow Attacker to Run Code | MS02-055 | Only Required if Hypertext Help Facility Installed |
326830 | MS02-045: Unchecked Buffer in Network Share Provider May Lead to Denial-of-Service | MS02-045 | None |
331953 | MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks | MS03-010 | Caution: No Available Patch for NT 4.0 - Ensure Port 135 is blocked by Firewall |
810833 | Unchecked Buffer in the Locator Service Might Permit Code to Run | MS03-001 | None |
814078 | MS03-008: Flaw in Windows Script Engine May Allow Code to Run | MS03-008 | Only Required if Microsoft Java Virtual Machine Installed |
815021 | MS03-007: Unchecked Buffer in Windows Component May Cause Web Server Compromise (ntdll.dll) | MS03-007 | None |
817606 | MS03-024: Buffer Overrun in Windows Could Lead to Data Corruption | MS03-024 | None |
819696 | MS03-030: Unchecked Buffer in DirectX Could Enable System Compromise | MS03-030 | Only Required if Media Player V6.4 or Internet Explorer V6.0 (SP1) Installed |
823559 | MS03-023: Buffer Overrun in the HTML Converter Could Allow Code Execution | MS03-023 | Only Required if HTML Authoring Software (eg: Office) Installed |
823803 | MS03-029: A Flaw in a Windows Function Might Allow Denial of Service | MS03-029 | Caution: See KB Article 825501 Before Applying - This Patch Refuses to Apply on a Workstation System (See Note 1) |
824105 | MS03-034: Flaw in NetBIOS Could Lead to Information Disclosure | MS03-034 | This Patch Refuses to Apply on a Workstation System (See Note 1) |
828035 | MS03-043: Buffer Overrun in Messenger Service Could Allow Code Execution | MS03-043 | Caution: See KB Article 831579 Before Applying |
828741 | MS04-012: Cumulative Update for Microsoft RPC/DCOM | MS04-012 | Danger: Known Security Exploit - Ensure this Hotfix is Applied. This Patch Supersedes and Totally Replaces 823980 (MS03-026) and 824146 (MS03-039) |
832353 | FIX: Some URL Script Commands Do Not Work After You Apply Windows Media Update From Knowledgebase Article 828026 | None | Only Required if Media Player V6.4 Installed. This Patch Supersedes and Totally Replaces 828026 See 828026 for Important Information on Setting Registry Controls |
835732 | MS04-011: Security Update for Microsoft Windows | MS04-011 | Danger: Critical Security Status - Ensure this Hotfix is Applied. This Patch Supersedes and Totally Replaces 329115 (MS02-050), 328310 (MS02-071), 811493 (MS03-013), 823182 (MS03-041), 824141 (MS03-045) and 828028 (MS04-007) Caution: See KB Article 841180 and 841384 Before Applying |
840987 | MS04-032: Security Update for Microsoft Windows | MS04-032 | This Patch Refuses to Apply on a Workstation System (See Note 2) |
841356 | MS04-037: Vulnerability in Windows Shell Could Allow Remote Code Execution | MS04-037 | This Patch Supersedes and Totally Replaces 839645 (MS04-024) |
841533 | MS04-031: Vulnerability in NetDDE Could Allow Remote Code Execution | MS04-031 | This Patch Refuses to Apply on a Workstation System (See Note 2) |
841872 | MS04-020: A Vulnerability in POSIX Could Allow Code Execution | MS04-020 | None |
870763 | MS04-045: Vulnerability in WINS Could Allow Remote Code Execution | MS04-045 | Only Required for Server System Providing WINS |
873339 | MS04-043: Vulnerability in HyperTerminal Could Allow Code Execution | MS04-043 | Only Required if HyperTerminal Accessory is Installed - This Patch Refuses to Apply on a Workstation System (See Note 2) |
873350 | MS04-029: Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service | MS04-029 | This Patch Refuses to Apply on a Workstation System (See Note 2) |
883935 | MS04-036: Vulnerability in NNTP Could Allow Code Execution | MS04-036 | Only Required for Server System Providing NNTP Service |
885249 | MS04-042: A Vulnerability in DHCP Could Allow Remote Code Execution and Denial of Service | MS04-042 | Only Required for Server System Providing DHCP Service |
885250 | MS05-011: Vulnerability in Server Message Block Could Allow Remote Code Execution | MS05-011 | Caution: No Available Patch for NT 4.0 - Primary Threat would be from SMB traffic within the LAN |
885834 | MS05-010: Vulnerability in the License Logging Service Could Allow Code Execution | MS05-010 | Only Required on a Server System Running Licensing Service |
885835 | MS04-044: Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege | MS04-044 | This Patch Refuses to Apply on a Workstation System (See Note 2) |
885836 | MS04-041: A Vulnerability in WordPad Could Allow Code Execution | MS04-041 | This Patch Refuses to Apply on a Workstation System (See Note 2) |
890175 | MS05-001: Vulnerability in HTML Help Could Allow Code Execution | MS05-001 | Only Required if Internet Explorer V6.0 or above is Installed Caution: See KB Articles 892641 and 892675 Before Applying |
891711 | MS05-002: Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution | MS05-002 | This Patch Refuses to Apply on a Workstation System (See Note 2) |
912919 | MS06-001: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution | MS06-001 | Caution: No Available Patch for NT 4.0 - Files of Type .wmf should be handled with care |
921883 | MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution | MS06-040 | Caution: No Available Patch for NT 4.0 - Ensure TCP Ports 139 and 445 are blocked by Firewall |
To attempt to shorten its life still further, by denying users access to essential security patches, is unconscionable. It could be argued that it is essential that these hotfixes be applied if at all possible, to lessen any security risks exposed by the "holes" in the OS. It could be further argued that Microsoft, in taking the deliberate step of refusing to offer these patches for Workstation, is attempting to convince customers that the OS is now "unsafe" and should be upgraded. I also believe the timing of these hotfixes is extremely questionable. How convenient it is that such a major raft of serious security flaws are found only 3 months after support has ended.
I consider this further compelling evidence of a deliberate campaign to end Windows NT 4.0 whilst it is still a useful and active participant in general computing.
The reality is that the security hotfixes released after 30 June 2004, and that are supposedly "NT4 Server only", are able to be used on Workstation equally as well. To adjust the patches for use, expand the contents of the downloaded .exe file (using a programme like WinZip) into a convenient folder. Make sure that all the content of the patch is grouped together in this one place. Manually edit the included hotfix.inf file in the package as described here:
ACKNOWLEDGMENT: This technique was first announced in October 2004 by Reed Darsey at www.networksecurityarchive.org. I have since independently verified its accuracy, using Microsoft supplied "Workstation enabled" patches for the items referred to in Knowledgebase articles 823803 and 824105.
WARNING: Microsoft are inconsistent in their creation of "back out" folders. In some instances, uninstall information is placed in a folder in "\Program Files\Uninstall Information" instead.
If you are satisfied that the changes made to your system by Hotfixes and/or Service Packs are stable, and you no longer require the ability to "back out" of the changes, you can remove this uninstall information. This will often free considerable amounts of space in the boot partition. You may simply delete the corresponding $NTUninstall --- $ folder and all its contents.
The Hotfix / Service Pack also adds an entry in the "Add/Remove Programs" applet of Control Panel. In the interests of not causing future confusion, it is advisable that the uninstall entry be removed from the list, since deletion of the $NTUninstall --- $ folder has rendered the uninstall from Control Panel impossible.
To remove the redundant entries (they take the form of Qxxxxxx or KBxxxxxx) from the "Add/Remove Programs" section of Control Panel, manual editing of the Registry is required. If you are unfamiliar with this process, or unsure of what you are doing, seek out experienced assistance. Incorrectly editing the Registry can irreparably damage an NT installation.
Procedure:
Open the registry with RegEdit.exe. Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Under this key you will find a subkey in the form Qxxxxxx or KBxxxxxx for each Hotfix / Service Pack applied. Delete the appropriate subkey for the hotfix that had its "back out" folder deleted.
WARNING: Service Packs / Hotfixes / Rollups also add an entry to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix
DO NOT alter this entry in any fashion. These keys list what Hotfixes have been applied. (Programmes like SysInternals' "PSInfo" use this information.)
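An added example (not part of the original page): a minimal audit that compares the hotfix subkey names found under the Hotfix key with a subset of the table above, honouring the "Only Required if" conditions and the "Supersedes" notes. It assumes the subkeys use the same Qxxxxxx / KBxxxxxx form as the Uninstall key; the function names, component labels and sample host are constructed for illustration.

```python
import re

# Subset of the page's hotfix table:
# KB -> (bulletin, component it is "Only Required" for or None, KBs it supersedes)
REQUIRED = {
    "299444": ("Post SP6a SRP", None, ()),
    "314147": ("MS02-006", "snmp", ()),
    "828741": ("MS04-012", None, ("823980", "824146")),
    "835732": ("MS04-011", None, ("329115", "328310", "811493",
                                  "823182", "824141", "828028")),
    "841356": ("MS04-037", None, ("839645",)),
    "870763": ("MS04-045", "wins", ()),
}
# Bulletins the table marks "No Available Patch for NT 4.0", with its stated mitigation.
NO_PATCH = {
    "MS03-010": "block port 135 at the firewall",
    "MS06-040": "block TCP ports 139 and 445 at the firewall",
}

def installed_kbs(subkeys):
    """Pull article numbers out of subkey names like Q299444 or KB828741."""
    found = set()
    for name in subkeys:
        m = re.fullmatch(r"(?:Q|KB)(\d{6})", name.strip(), re.IGNORECASE)
        if m:
            found.add(m.group(1))
    return found

def audit(subkeys, components):
    """Compare applied hotfixes with the table for the components present."""
    have = installed_kbs(subkeys)
    missing, stale = [], []
    for kb, (bulletin, component, supersedes) in REQUIRED.items():
        if component is not None and component not in components:
            continue  # conditional patch, component not installed
        if kb in have:
            continue
        missing.append((kb, bulletin))
        # An older superseded fix is present but its replacement is not:
        # the host looks patched for the issue yet lacks the current fix.
        stale += [(old, kb) for old in supersedes if old in have]
    return {"missing": missing, "stale": stale, "mitigate": dict(NO_PATCH)}

# Constructed sample: subkey names as exported from the Hotfix key of one host.
SAMPLE_SUBKEYS = ["Q299444", "Q314147", "KB823980", "KB835732", "notes"]

if __name__ == "__main__":
    report = audit(SAMPLE_SUBKEYS, components={"snmp"})
    for section, items in report.items():
        print(section, items)
```

The "stale" list is the case worth watching: a host carrying 823980 but not 828741 shows an RPC/DCOM fix in its hotfix list while still lacking the cumulative update that replaces it.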
For more information on how a patch is applied using Hotfix.exe and Update.exe see the following Microsoft Knowledgebase articles: