Actually, that won't fix the problem either. The encryption pack does not
properly encrypt private keys using the strongest available encryption
(which is 128 bit). Service pack 1 fixes this problem for any future
private keys to be encrypted, but it does not go back and re-encrypt keys
that were already stored. Either way the old keys aren't going to be
re-encrypted no matter which order those two things are installed.

Installing the patch in MS00-0032 (Q260219) also does not go back and
re-encrypt existing keys but the patch itself does contain a file that will
do so, although that file is not installed when you install the patch. But
that doesn't matter anyway because you can't install the hotfix once SP1 is
installed anyway. What you must do is extract the files using the -x switch
(or opening the hotfix with winzip) and run keymigrt.exe (which I mentioned
in step 7 but did not clarify well).

Hope that helps.

.sozni

> -----Original Message-----
> From: Focus on Microsoft Mailing List
> [mailto:FOCUS-MSSECURITYFOCUS.COM]On Behalf Of Bruce K. Marshall
> Sent: Friday, March 30, 2001 1:44 PM
> To: FOCUS-MSSECURITYFOCUS.COM
> Subject: Re: XATO hotfixes installation
>
>
> I would swap your order of steps #1 and #3. See Microsoft KB Q260219.
>
> ----
> Bruce K. Marshall - brucemlucent.com - 913-338-5090 x114
> Lucent Technologies Worldwide Services - Overland Park, KS
>
>
> > -----Original Message-----
> > From: Focus on Microsoft Mailing List
> > [mailto:FOCUS-MSSECURITYFOCUS.COM]On Behalf Of .sozni
> > Sent: Thursday, March 29, 2001 5:00 PM
> > To: FOCUS-MSSECURITYFOCUS.COM
> > Subject: XATO hotfixes installation
> >
> >
> > We thought we would share our instructions for getting a
> > Windows 2000 server
> > up-to-date. The download URLs we have included are only for English
> > hotfixes and does not cover client software like Internet Explorer.
> >
> >
> > 1. Download and install the high encryption pack
> > (http://www.microsoft.com/windows2000/downloads/recommended/en
> > cryption/defau
> > lt.asp)
> >
> > 2. Reboot (this is essential at this point or the next step will have
> > problems).
> >
> > 3. Download and install Service Pack 1
> > (http://www.microsoft.com/windows2000/downloads/recommended/sp
> > 1/default.asp)
> >
> > 4. Reboot again.
> >
> > 5. Download WGET for Windows
> > (http://www.interlog.com/~tcharron/wgetwin.html)
> >
> > 6. Run the attached hotfixes.cmd file.
> >
> > 7. Check the folder for any hotfixes that have been renamed
> > with the .bad
> > extension and download and reapply those.
> >
> > 7. Run keymigrt.exe and follow instructions if there are any.
> >
> > 8. Reboot.
> >
> > 9. Run qfecheck.exe /v to verify that everything installed correctly
> >
> > 9. As new hotfixes are released, add the download URLs to
> > hotfixes.txt.
> >
> > The attached batch file will download all the service packs
> > into the current
> > directory. It will then go through and verify the signatures
> > on each one,
> > renaming any files that do not pass the check. It will then silently
> > install each hotfix. After downloading the first time you can
> > remove the
> > line in the batch file that does the downloading and it will
> > use all the
> > hotfixes in the current directory. Note that although
> > install order does
> > not matter in Win2k, the batch file will install the hotfixes
> > in the order
> > in which they were downloaded which is the proper install order.
> >
> > If you have any comments or questions, we would be glad to
> > hear them. But
> > before you ask, no, we do not plan on making one of these for
> > NT4 at this time.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]