Tips for Securing Your Windows Operating System

Maintaining a secure Windows environment in the enterprise may seem a daunting task. Though there are many elements to consider -- antivirus protection, intrusion detection and personal firewalls -- perhaps the most important job is keeping up to date with operating system patches.

However, due to the risk of improper interaction with other operating system components and applications, there is a danger in applying every patch that's released. Blindly installing every fix on your systems can render them every bit as inoperable as never patching them in the first place. Thus, IT administrators must devise a sound philosophy for when and how to apply Windows patches, while ensuring that the philosophy can be reliably deployed.

To start, not all patches require the same approach. Windows patches can generally be classified as follows:

  1. Service pack/maintenance release/service release

  2. Hot fixes

  3. Quick fix enhancements (QFE)

  4. Security hot fixes

Service pack/maintenance release/service release

What it is: Although vendors may use different names for this group, they all refer to cumulative maintenance patches that have been regression-tested, so previously tested functions have been rechecked to make sure new features haven't created new problems. Both operating system and application vendors provide service packs that can include not only security patches and bug fixes, but also enhancements and new features.

How to handle: Service packs require the largest time investment because they need to be evaluated in terms of relevance. When a service pack for an operating system, application or system utility becomes available, systems administrators should review the release notes and plan to install the service pack on a test system. Because service packs typically contain a number of maintenance patches, they can cover a broad range of functionality. Testing is important to make sure that a system functions as it did before. Once a service pack has been tested, it can be deployed to appropriate systems during the specified maintenance window.

Hot fixes

What they are: Code that corrects broken functionality or missing features. Hot fixes typically address serious flaws and bugs in an operating system.

How to handle: Hot fixes should be treated differently from service packs. Hot fixes are developed to resolve a specific bug and typically aren't tested as rigorously as service packs by the software vendor. Thus, it's generally not a good practice to install a hot fix as soon as it becomes available. Instead, a hot fix should be applied only if your organization is experiencing the specific problem it addresses. It's a better practice to diligently apply service packs, since they include all relevant hot fixes and are regression tested by the vendor.

Quick fix enhancements

What they are: Unlike hot fixes, QFEs provide code for badly needed enhancements that can't wait until a general update or point release. QFEs get new functionality into customers' hands without requiring the testing rigor that an IT administrator typically applies to a full release.

How to handle: Like hot fixes, QFEs should be applied only if there is real business need for the enhanced functionality. QFEs are usually rolled into service packs. QFEs differ from hot fixes in that they are more rigorously tested by the vendor, so there is typically less risk when installing a QFE than there is with a hot fix.

Security hot fixes

What they are: Security hot fixes are different from regular hot fixes because they address a specific security vulnerability. Security hot fixes are closely monitored by organizations such as the CERT Coordination Center and the SANS Institute.

How to handle: The fact that organizations such as SANS and CERT assess and publish reports, including perceived threat levels, on known security vulnerabilities is part of the reason why it's important to treat Windows security hot fixes differently from other hot fixes. The published vulnerability can act as a cookbook for hackers looking to attack organizations that haven't deployed the appropriate fix.

IT administrators should sign up for notifications and alerts from SANS, CERT and their operating system vendors and plan to quickly assess security vulnerabilities. If the threat is determined to be serious, the security hot fix should be deployed immediately after testing on a pilot system.

An all-or-none approach to patch management likely won't be the best approach for your organization's systems. Instead, a philosophy and process that combine quick application of patches for severe vulnerabilities with regularly scheduled application of service packs and maintenance releases will keep your organization's operating system both operational and secure.

Joseph Sturonas is chief technology officer at Chicago-based Spirian Technologies Inc. He can be reached at

Special Report

Tips From Security Experts

Stories in this report:


Copyright © 2003 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon