Readme-Operating System Upgrade 2000.4.6

Operating System Upgrade 2000.4.6 (win-OS-Upgrade-K9.2000-4-6.exe)

Release date: 08-SEP-2008

Readme last updated: 08-SEP-2008

Information about This Service Release

The upgrade supports the following Cisco IP Telephony Applications that run on Windows 2000 Server or Advanced Server:

Cisco CallManager and all compatible versions of Cisco IP Interactive Voice Response (IP IVR), Cisco IP Call Center Express (IPCC Express), Cisco IP Queue Manager (IP QM), Cisco Personal Assistant (PA), Cisco Emergency Responder (CER), Cisco Conference Connection (CCC), Cisco MeetingPlace, and Cisco Customer Voice Portal (CVP).

Minimum OS Requirements: (Fresh Install or Upgrade Versions of) - 2000.2.7, 2000.2.7a, 2000.4.1, 2000.4.1b, 2000.4.1c, 2000.4.2, 2000.4.3, 2000.4.3a, 2000.4.4, 2000.4.4a, 2000.4.5a, 2000.4.5b

Supported Servers: All of the following Cisco Media Convergence Servers (MCS) and Cisco-approved, customer-provided Compaq/HP and IBM servers:

· Cisco MCS 7815-1000

· Cisco MCS 7815I-2000

· Cisco MCS 7815I-3000

· Cisco MCS 7815-I1

· Cisco MCS 7825I-3000

· Cisco MCS 7825H-3000

· Cisco MCS 7825-H1

· Cisco MCS 7825-I1

· Cisco MCS 7825-I2 (2.8GHz CPU and 3.4 GHz CPU)

· Cisco MCS 7825-I3

· Cisco MCS 7825-H2 (2.8GHz CPU and 3.4 GHz CPU)

· Cisco MCS 7825-H3

· Cisco MCS 7835H-3000 (2.4GHz CPU and 3.0 GHz CPU)

· Cisco MCS 7835I-3000 (2.4GHz CPU and 3.0 GHz CPU)

· Cisco MCS 7845H-3000 (2.4GHz CPU and 3.0 GHz CPU)

· Cisco MCS 7845I-3000 (2.4GHz CPU and 3.0 GHz CPU)

Servers without Software maintenance support: You can install the OS Upgrade on the following Cisco Media Convergence Servers (MCS) and Cisco-approved, customer-provided Compaq/HP and IBM servers; however, Cisco has not performed extensive testing on these servers:

· Cisco 7835 Media Convergence Server

· Cisco 7835-1266 Media Convergence Server

· Cisco 7835I-2400 Media Convergence Server

· Cisco 7820 Media Convergence Server

· Cisco 7830 Media Convergence Server

· Cisco 7825 Media Convergence Server

· Cisco 7825-1133 Media Convergence Server

See the End-of-Life Policy for more details.

Contents

This document contains the following sections. Click the hyperlink to go directly to the section.

· Locating Related Documentation

· Cisco Notification Tools

· Upgrading the Operating System via CD-ROM or the Web

· Pre-Upgrade Considerations

· Upgrade Procedures

· Resolved Caveats

· Known Caveats

· Post-Upgrade Considerations

· Troubleshooting Tips

· Details of the OS Upgrade

· Security Settings

Locating Related Documentation

Cisco strongly recommends that you review the following documents before you perform the installation:

· Cisco IP Telephony Operating System, SQL Server, Security Updates

This document provides information for tracking operating system (OS) and BIOS upgrades and patches. To obtain this document, click the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/osbios.htm

· Installing the Operating System on the Cisco IP Telephony Applications Server

This document provides descriptive information and procedures for the operating system. To obtain this document, click the following URL: http://www.cisco.com/univercd/cc/td/doc/product/voice/iptel_os/index.htm

· Cisco IP telephony application documentation

Click the following URL to obtain documentation for your application:

http://www.cisco.com/univercd/cc/td/doc/product/voice/index.htm

Cisco Notification Tools

Cisco CallManager Notification Tool: Cisco has replaced the current Cisco CallManager notification tool with a new, more robust notification tool that is based on your Cisco.com profiles. This new tool delivers e-mail notifications for individual Cisco voice products that you select . Use the following steps to sign up for the Cisco Voice Technology Group Subscription Tool:

· Log in with your Cisco.com account information at this link: http://www.cisco.com/cgi-bin/Software/Newsbuilder/Builder/VOICE.cgi

· Select "CallManager Cryptographic Software including OS updates" to receive notification when new operating system updates are posted.

· Select any other products updates that you want to receive.

· Click update at the bottom of the page.

· Confirm your selections.

You may see this message at the bottom of the page: "Your Profile Currently Indicates that you do not wish to receive e-mail from Cisco."

To be able to receive information updates, you must update your e-mail preferences. Click the link to update your e-mail preferences (located in the Other Information section). Click submit when you are done.

If you have enabled e-mail notification, you may exit now. If you have not enabled e-mail notification, you will need to repeat the preceding steps.

This new software notification tool requires a valid Cisco.com log in. If you do not currently have a Cisco.com password, register with Cisco.com at: http://tools.cisco.com/RPF/register/register.do

Cisco PSIRT Advisory Notification Tool: This e-mail service provides automatic notification of all Cisco Security Advisories that the Cisco Product Security Incident Response Team (PSIRT) releases. Security Advisories, which describe security issues that directly impact Cisco products, provide a set of required actions to repair these products. To subscribe, click the following URL and perform the tasks as directed on the web page: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html - SecurityInfo

Upgrading the Operating System via CD-ROM or the Web

Cisco manufactures a CD-ROM for operating system upgrades. Use this CD-ROM only for upgrading your operating system. The upgrade CD-ROM contains the same executable that is posted to http://www.cisco.com/, so you will perform the same procedure.

If you are installing the operating system for the first time, you must use the Cisco IP Telephony Operating System disks that ship with your Cisco IP telephony application and the corresponding documentation.

Pre-Upgrade Considerations

Before performing an upgrade, be aware of the following considerations:

· The minimum supported Cisco MCS OS version(Fresh Install or Upgrade) to install this upgrade is 2000.2.7, 2000.2.7a, 2000.4.1, 2000.4.1b, 2000.4.1c, 2000.4.2, 2000.4.3, 2000.4.3a, 2000.4.4, 2000.4.4a, 2000.4.5a or 2000.4.5b. Any server that has another Cisco MCS OS version will not be supported in this upgrade.

· Depending on the current operating system version that runs on the server, the operating system upgrade performs either an Express (2 phases) or a Regular (3 phases) Installation. If the server is running OS version 2000.4.2, 2000.4.3, 2000.4.3a, 2000.4.4, 2000.4.4a, 2000.4.5a or 2000.4.5b including with if any Service Releases that goes with those releases an Express Installation is performed. This includes two phases and two reboots. The Express Installation skips the installation of Windows 2000 Service Pack 4 Rollup Update 1 because it is already installed. If the server is running an OS version 2000.2.7, 2000.4.1, 2000.4.1b or 2000.4.1c, a Regular Installation is performed. This includes three phases and three reboots.

· This version of MCS OS Upgrade, 2000.4.6, does not support an upgrade from a Fresh Install version of MCS operating system version 2000.4.6

· Before you upgrade, run Start > Cisco OS Version, C:\Utils\MCSver.exe to identify the OS Image and OS upgrade version on your server.

· You must log in as same User with Administrative Privileges after each reboot.

· Before starting this upgrade, you must disable (from Windows Service Control Manager) all Cisco-approved antivirus/intrusion detection services (HIDS); for example, Entercept, McAfee, Norton, Cisco Security Agent, Prognosis, and so on. You must enable all services after you complete the upgrade.

· Apply this upgrade to all supported servers in your IP telephony solution.

· Cisco recommends that you upgrade the Cisco CallManager publisher database server first and then the subscriber servers. Installing the operating system upgrade on all subscriber servers at the same time is supported only if call processing is not required while you are performing the upgrade task.

· This installation causes Cisco IP telephony application interruptions.

· Due to “CSCsi31474 – Missing IBM Director 5.10.3PF1 fix on Windows 2000” we uninstall the IBM Director 5.10.3 and its related components completely before we reinstall the IBM Director with the same versions…the aforementioned procedure could clear out the settings that were preconfigured with IBM Director installs prior to upgrade…hence, please make sure the settings are redone (If any) for IBM Director after the upgrades…

· Close all programs before proceeding.

· Cisco installs Terminal Services for Cisco Technical Assistance Center (TAC) remote administration and troubleshooting. Cisco does not support upgrades through Terminal Services. This upgrade stops if it detects that you are using Terminal Services. The OS Upgrade disables Terminal Services at the beginning of the upgrade and resets it to the configured setting at the end of the upgrade.

· Cisco supports remote upgrades with Virtual Network Computing (VNC). Although VNC is optional and is not installed by this upgrade, the installation files are copied to the c:\utils\VNC folder. For more information on using VNC, click the following URL: http://www.cisco.com/univercd/cc/td/doc/product/voice/iptel_os/index.htm.

· Perform a backup of your data before starting your upgrade. Refer to the backup documentation for your Cisco IP telephony application. Make sure that you back up the data to a network directory or tape device, so that the upgrade does not erase the data.

· Make sure that you have about 1.5 GB of free disk space before you copy the upgrade executable to the server. Delete any unnecessary files; for example, remove old log files, CDP records, old installation files, and so on.

· Before you run this upgrade, review the “Known Caveats” section below.

Upgrade Procedures

Note: When you log in after each reboot, make sure that you see the next phase of the OS upgrade start. After the final phase of the upgrade, a batch file runs to clean up the folders. If you do not see the final phase start (Phase 2 of 2 or Phase 3 of 3), see the “Troubleshooting Tips” section.

Perform the following steps to upgrade OS:

1. Download the executable to a location that you will remember or insert the CD-ROM into the CD-ROM drive.

2. If you are upgrading via the web, double-click the executable.

3. Files extract to your server, and the process guides you through the upgrade.

4. Log in to the server by using your Administrator account and password.

5. Click Yes to acknowledge that you disabled antivirus and intrusion detection services.

6. Click OK.

7. Click OK.

8. Phase 1 runs, and the server automatically reboots. Log in to the server by using the Administrator account and password.

9. Phase 2 runs, and the server automatically reboots. After the system reboots, log in to the server using the administrator account and password. If this is an Express Installation, phase 2 is the final phase and the next login will display a DOS dialog box running a batch file to clean the working directory.

10. For a Regular Installation, Phase 3 runs, and the server automatically reboots. On the next log in, a DOS dialog box displays briefly as the working directory of the OS Upgrade is deleted.

11. The first time that you log in after the upgrade is complete, you may see a message that new hardware was detected and a reboot is needed. Firmware upgrades to the RAID controller can cause problem. If you see such a message, click No to reboot the server.

12. Customers who are using Cisco CallManager can install the Cisco CallManager OS Optional Security settings. Find installation instructions in the C:\Utils\SecurityTemplates\CCM-OS-OptionalSecurity-Readme.htm document.

13. An optional IP Security filter can be installed to block fixed Windows 2000 and SQL ports. Find installation instructions in the C:\Utils\IPSec-W2KSQL-Readme.htm document.

Notes:

· If you see any New Hardware found messages, click Finish.

· If you see any messages to restart the server, click No.

· IBM x346 series servers may have an extra reboot into DOS to upgrade the ISMP Processor firmware. After this update is finished, the server will boot back into Windows 2000.

· If you see either of the following messages near the start of the OS Upgrade, click OK to terminate the program. A couple of services have a known problem when stopping.

1. The Instruction at "0X0xxxxxxxx" referenced memory at "0X0xxxxxxxx ". The memory could not be read. Click OK to terminate the program (CSCeb31088). Where 0x0xxxxxxxx can be any memory address.

2. The Instruction at "0X000000000" referenced memory at "0X000000000". The memory could not be read. Click OK to terminate the program (CSCed45218)

Resolved Caveats

Identifier	Headline
CSCsa77851	X206 Server had problem booting from a DVD ROM drive
CSCeg37797	Dual CPU X346/MCS7845I1 is not responding to a few MIB variables.
CSCeh02306	MCS OS upgrade 2000.2.7 has a misspelled message box.
CSCsa84437	Opt OS Security for CM – Reword initial text and add completion alert.
CSCsa82505	The Performance objects disappear after upgrade or Channel 17 Status appear
CSCsb11911	Include KB834938 in OS 2000.4.2 Upgrade/Install
CSCee78501	Performance Monitoring tools may experience a memory leak if terminal services is disabled.
CSCsa67078	Multiple Terminal Server sessions remain in the connect query state.
CSCec21319	Updating HP Management Agents to 7.2 in order to resolve cqmghost.exe crash issue.
CSCsa77836	Updating the Network Configuration Utility to version 7.86
CSCeg30562	Set EnablePMTUDDiscovery to 1 or 0 conditionally
CSCeg28648	High Disk activity can cause application/server pause
CSCsb09459	Upgrade BIOS versions
CSCsa94142	Blue Screen may occur
CSCeg45728	cpqHoPagingMemorySize doesn’t support > 4Gig
CSCeg62469	OS upgrade should keep TCP keepalive registry setting
CSCsb25843	OS 2000.4.2 should install MSXML 2.6 SP4 and MSXML3.0 SP6
CSCsb29885	HP ProLiant Smart Array 5x and 6x Controller Driver Update
CSCsb29899	HP NC31xx Fast Ethernet NIC Driver for Windows 2000
CSCsb29905	HP Insight Management Agents for Windows 2000/Windows Server 2003
CSCsb29924	HP Smart Array 5i and SA-532 ROM Update
CSCsb29957	HP ProLiant Array Configuration Utility for Windows
CSCsb50748	Upgrade firmware on 7K ServeRAID Controllers.
CSCsb36545	Add SetMTU utility to OS and include it in the documentation
CSCsb33101	W2K security settings that need to be added for DoD STIG compliance.
CSCeg88885	Send mail for RTMT fails to send mail.
CSCsb69822	2000.4.1does not have RAID Manager as part of IBM Director Installs
CSCsb69861	2000.4.1 needs IBM RAID Manager Console started in Local mode
CSCsb38873	Cpqasm2 causing stop error 0xA
CSCsb68658	Mark Session ID cookies as secure when using HTTPS
CSCsb76475	IBM BIOS package in OS upgrade and fresh install should not downgrade
CSCsb80089	2000.4.1 does not have windows media player shortcut under the accessory tab.
CSCsb95064	2000 Server Rollup Update Version 2 needs to be in 2000.4.2
CSCsb88052	Cisco CCM service failed to start after latest OS upgrade
CSCsb96039	Video driver updates on IBM and HP servers changes the default settings
CSCsb94066	Update rename "Administrator" caveat in CCM-OS-OptionalSecurity
CSCsb29940	HP ProLiant Smart Array Device Manager Extension for Windows 2000/Server
CSCsc04340	HP Insight Diagnostics online Edition and Homepage spike CPU and memory
New Defects fixed in 2000.4.3a OS Upgrade
CSCeg11906	IBM x206 Fan Sensor errors with Director agent 4.20.2
CSCeg25696	False positive warning message regarding intrusion detection on x205
CSCsa71323	X206/X306 BIOS 1.31 Upgrade causes Hyper Threading to be Enabled
CSCsc61906	Include Network Configuration Utility 8.15 in next OS
CSCsc77272	High CPU on MCS-7835I1 / IBM X345
CSCsc79308	OS 2000.4.2 Install error on MCS-7815-I1
CSCsd62765	IBM RAID Manager Software is uninstalled on certain servers
CSCsd81242	OS 2000.2.7 and 2000.4.2 Blue Screen in NDIS.sys 0x000000D1 (0xD1)
CSCsd81429	IBM Director Software not reporting All Environment variables
CSCse02731	AARICH errors found in event logs regarding SCSI device not responding
CSCsc56152	CCM 4.2 install fails on New MCS 7825 HP servers
CSCsd28210	USB Audio support updated to prevent blue screen
CSCsd14924	MPWeb IIS Stop responding due to ASP buffering leading to out of memory
CSCsd18255	SQL remains in starting state or CCM fails to start after 2000.4.2 upgrade
CSCsd81242	The computer stops responding (hangs) on boot into windows 2000
CSCsd48709	HP windows diagnostics (cpqdiag.exe) 4.16A ; 2000.4.2 MCS freezes server
CSCsc78649	Include MS Hotfix KB831577 in MCS OS image
CSCsc76627	Need Microsoft Hotfix to be included in OS image
New Defects fixed in 2000.4.4 OS Upgrade
CSCse04719	With 2 g RAM or more installed Memory.dmp file will be incomplete
CSCsd53918	MCS Server rebooted with bugcheck
CSCsd95726	CD ROM Icon missing after SR upgrade
CSCse32811	RealVNC allows remote access to Win2k server console without password
CSCse54942	Undefined device on 7815I2 with OS 2000.4.3
CSCse61586	OS 2000.4.2 and 2000.4.3 missing drivers for USB DAT72 drive
CSCse79354	Remove fix for CSCsd62235 in 2000.4.3aSR2
CSCsf09572	OS upgrade 2000-4-2 changes the Event Log size to 10240KB
CSCsf18043	High CPU due to SNMP service on IBM x345 servers running 2000.4.3a
CSCsg22151	winmgmt.exe logging causes higher CPU
CSCsb95019	Documentation should clarify renaming of administrator
CSCsg61723	2000.4.3 and 2000.4.3a does not install latest Adaptec HostRAID Driver in Windows
CSCsg52530	HP Version Control Agent should be included in MCS OS
CSCsg60435	2000.4.4 includes HP Proliant Support Pack 7.60 Drivers
CSCsg67796	HP WinOS Install "Error #1810" and Fails Write of Memory Dump
CSCsg42697	MCS Version Utility window shows same value for OS Image and OS Upgrade
New Defects fixed in 2000.4.4a OS Upgrade
CSCsh47276	2000.4.4 Upgrade may cause motherboard failures on 7845-I1 and 7835-I1
New Defects fixed in 2000.4.5a OS Upgrade
CSCsg89492	HP DL320 G4 NIC driver doesn't have the Speed Duplex Option in 2000.4.4
CSCsd81429	Third party Director software is not reporting all environment variables.
CSCse81234	Verify NIC duplex/speed settings during MCS OS install or upgrade
CSCsh42797	CM 4.3: better video driver in OS 2003 install
CSCsh53477	Change deployment sequence for BMC/BIOS/DIAG on IBM servers
CSCsh67054	Mysql 4.1 does not run on 7825I, possibly related to RAID driver
CSCsh70353	Reinstall Hotfix- KB831877 and KB835732 error with 2000.4.4a OS Upgrade
CSCsh71340	Update BIOS for x3650
CSCsh90410	iBMPSGFanStatus does not respond on OS version 2000.4.4
CSCsh91439	MCS-OS - MBSA Upgrade to 2.0.1 required
CSCsh91735	MCS-OS Pick up KB931836: February 2007 cumulative TZ Update
CSCsh93237	Default Microsoft Video Driver Selected for MCS-7825-I2-IPC2
CSCsi19073	MBSA 2.0.1 indicates missing packages (2000.4.4.0001)
CSCsi31474	Missing IBM Director 5.10.3 PF1 fix on Windows 2000
CSCsi31628	PegasusProvider.exe part of IBM Director 5.10.3 crashes on x3250 server
CSCsi31698	IBM ASR for IPMI application fails to start error
CSCsi79685	A memory leak may occur in the Winmgmt process in Windows 2000
CSCsg04801	IBM X346 Server MCS-7835-I1 upgrade to 2000.4.3a causes bad_pool_caller
CSCsh38281	HP Storage Manager freezes (high CPU) server
CSCsg72390	ntoskrnl.exe crash - Code 1E, {80000004, dd46c61f, fc046328, e4f56510}
CSCsi23088	PegasusProvider.exe crashes during installing 2000.4.4sr5
CSCsh90410	iBMPSGFanStatus does not respond on OS version 2000.4.4
CSCse52820	Act As part of OS right removed - SQL requires - MCS Team investigating
CSCsg26832	IBM Director Agent SLP Attributes Server Crash on IBM 7825 Server
New Defects fixed in 2000.4.6 OS Upgrade
CSCsk634114	Taskmgr.exe hanging, KB837060
CSCsk38770	Updated System BIOS to accomodate G0 step of CPU
CSCsk30092	win-OS-Upgrade-K9.2000-4-5a-sr2 prompts 'Digital Signature Not Found'
CSCsj44286	Choosing random port between devices and CUOM cause issue on firewall
CSCsk35981	MCS server failed to handle L3 handover DHCP request
CSCsk03227	IBM x3250-Yellow Bang on driver -Intel E7230 Processor to I/O controller
CSCsg89492	HP DL320 G4 & G5 NIC driver doesn't have the Speed Duplex Option in 2000
CSCsi72934	HP Version Control Agent 2.1.7.770 times out trying to start
CSCsj51249	MDAC patch installation for KB92779 can abend when checking MDAC Version
CSCsj82824	On IBM x206 or MCS-7815-I1 see atleast one service or driver failed.
CSCsk01358	IBM SAS hard drive update - Critical update
CSCsk01295	IBM Hard Drive Firmware Update - Critical release
CSCsj56317	Cisco MCS OS Update needed for New Zealand DST changes in 2007
CSCsj36444	Cannot login to CER GUI after enabling OSS on WinOS 2000.4.5 box
CSCsj44286	Choosing random port between devices and CUOM cause issue on firewall
CSCsk38770	Updated System BIOS to accomodate G0 step of CPU
CSCsk85477	AutoPower On 'Disabled' does not work on 7825-H2/H3
CSCsl06227	Security update for MS XML 4.0 version component
CSCsl12482	2000.4.5a upgrade does not apply MS KB931836 for DST updates
CSCsl18866	DST: MCS-OS update needed for 2008 Brazil Summertime change
CSCsl41538	DHCP Service Get Disabled When Upgrade to OS 2000.4.5a, 2003.1.2a
CSCsl66750	FIRMWARE UPGRADE REQUIRED for HP SAS hard disks
CSCsm36140	Add ServeRAID Firmware version 7.12.13 to OS for Callmanager
CSCsm15884	Update HP SAS HDD firmware HP Critical Advisory, c01296286
CSCsk75089	Installing CCM 4.2(3) breaks IBM Director functionality
CSCsm88262	DST: MCS-OS IBM Director upd needed for 2008a Olson TZTable update
CSCsl90908	DST: MCS-OS update needed for 2007-2008 Argentina Summertime change
CSCsl16516	DST: MCS-OS update needed for 2008 Australia Summertime change
CSCso56152	raiddp.log file keeps growing on the server
CSCso13134	DST: MCS OS update needed for 2008 Iraq Daylight Time removal
CSCso13145	DST: MCS IBM Director update needed for 2008 Iraq Daylight Time removal
CSCsm88262	DST: MCS-OS IBM Director upd needed for 2008a Olson TZTable update
CSCsc08094	Server hangs at "Attempting boot from Hard Drive (C:)"
CSCsq15563	TCP/IP Interface Parameters are incorrect in Windows 2000 and 2003

Known Caveats

Identifier	Headline
CSCsa91562	Service failed to start error message for CDP.sys driver after installing MS05-019 that is part of this service release. CDP is the Cisco Discovery Protocol driver used for integration with Cisco serviceability products like CiscoWorks IP Telephony Monitor. When the CDP.sys driver fails to start CiscoWorks will put this server in the unknown server category. Installing MS05-019 will not affect call processing or telephony features. CallManager versions 3.3(4), 3.3(5), 4.0(2), and all versions of 4.1 have a newer version of CDP.sys (4.0.0.0) that works with MS05-019.
CSCsa86087	Cisco Personal Assistant (PA) Service failed to start error message for CDP.sys driver after installing MS05-019 that is part of this service release.
CSCsa91654	Service failed to start error message for CDP.sys driver after installing MS05-019 that is part of this service release.
CSCsa90032	MS05019 in 2000.2.7sr3 and 2000.4.1 breaks some versions of CDP.sys.
CSCse04763	Storage Agent errors found on Emergency Responder server
CSCsh90411	iBMPSGTemperatureSensorStatus returns zero-length data for status.
CSCsf17895	winmgmt.exe consumes a large amount of CPU over time until 100%
CSCsk89498	MBSA Scan returns 1 service pack or update missing from Windows 2000

Note: During the final phase of the OS upgrade, the status bar may indicate that the OS upgrade is either complete or is close to completion. In some cases, it may take an additional 5-10 minutes for the final phase of OS upgrade to complete

Note: During the OS upgrade process, you must log in after each reboot to continue the upgrade process. Log in as same user with Administrative Privileges each time.

Note: In some instances, the second or the final phase of the OS upgrade may not run automatically. If this occurs, follow the Troubleshooting Tips to manually run Phase 2 or 3.

Post-Upgrade Considerations

Perform the following tasks:

· Enable Cisco-approved antivirus and intrusion detection services.

· Run Start > Cisco OS Version (c:\utils\MCSver.exe) and verify that the OS Upgrade = 2000.4.6

Note: If you do not see the correct OS Upgrade version, Phase 2 of 2 or Phase 3 of 3 did not finish as expected. See the Troubleshooting Tips section for corrective action.

· The OS Upgrade extracts to C:\Mcsosupg and starts Mcsosupg.exe to run the upgrade. The reboot after the final phase should run C:\utils\clean.cmd to remove this directory and old directories from OS Service Releases. If this directory still exists, the OS Upgrade may not have finished. If the OS Upgrade version is 2000.4.6, you can manually delete this directory or run C:\Utils\clean.cmd. If the OS Upgrade version is not 2000.4.6, see the Troubleshooting Tips section for corrective action.

· If you think that the services should have started but did not, you can check the OS Upgrade log file for the original setting. See Troubleshooting Tips for the details.

· Run the latest OS Service Release that is available on the web. This service release provides security hotfixes.

· If you want to do so, you can install or upgrade Virtual Network Computing (VNC) to version 4.1.2. Find the installation files in c:\Utils\VNC. Documentation is posted on CCO at http://www.cisco.com/univercd/cc/td/doc/product/voice/iptel_os/index.htm. Cisco recommends that you open the Windows Task Manager open while using VNC to monitor CPU utilization.

· If your server runs Cisco CallManager, verify that you have the latest SQL service pack installed on the server; if necessary, apply the latest pack from the web. Verify that you have the latest SQL hotfixes on the server. If necessary, apply the latest hotfixes from the web.

· If your server runs Cisco CallManager and is a MCS-7845 class server (4 hard drives), you can use C:\Utils\FormatTracePart.exe to reformat the F: Trace partition and improve performance. New OS installations of version 2000.2.7, 2000.4.1 …, and beyond have the Trace partition formatted with an NTFS cluster size of 4KB. Older OS versions have a Trace partition with a NTFS cluster size of 1 KB. A small performance improvement occurs when the NTFS cluster size is 4 KB. FormatTracePart.exe is only designed to be used on MCS-7845 servers that are running Cisco CallManager. Use FormatTracePart.exe only during a maintenance cycle. It will interrupt call processing by stopping Cisco CallManager services and rebooting the server.

1. Copy any files that you do not want to lose to the C: drive or a file server. All files on the Trace partition will be permanently deleted when the partition is formatted. The folder structure on the Trace partition will be re-created to match the existing folders.

2. Double click C:\utils\FormatTracePart.exe.

3. Read the warning message and click Yes if you are ready to proceed.

4. Click Next.

5. The server will automatically reboot when the FormatTracePart.exe is finished.

6. Log on to the server.

7. Return the files to the Trace partition that you saved in step 1.

· To run QFEcheck, which identifies the hotfixes that are installed on the server, open a command window and enter qfecheck. You should see the following information display in the window:

Windows 2000 Hotfix Validation Report for \\SE002B-CM4

Report Date: 9/4/2008 4:44pm

Current Service Pack Level: Service Pack 4

Hotfixes Identified:

KB904706: Current on system.

KB923689: Current on system.

Q282784: Current on system.

KB941569: Current on system.

Q327194: Current on system.

KB324446: Current on system.

KB329115: Current on system.

KB820361: Current on system.

KB820888: Current on system.

KB822720: Current on system.

KB822831: Current on system.

KB823182: Current on system.

KB823559: Current on system.

KB823818: Current on system.

KB824105: Current on system.

KB824151: Current on system.

KB825119: Current on system.

KB826232: Current on system.

KB828035: Current on system.

KB828741: Current on system.

KB828749: Current on system.

KB829246: Current on system.

KB831576: Current on system.

KB831577: Current on system.

KB831877: Current on system.

KB833227: Current on system.

KB834010: Current on system.

KB834938: Current on system.

KB835732: Current on system.

KB837001: Current on system.

KB837060: Current on system.

KB839161: Current on system.

KB839264: Current on system.

KB839645: Current on system.

KB840110: Current on system.

KB840315: Current on system.

KB840987: Current on system.

KB841356: Current on system.

KB841533: Current on system.

KB841873: Current on system.

KB842526: Current on system.

KB872765: Current on system.

KB890046: Current on system.

KB891069: Current on system.

KB891071: Current on system.

KB892393: Current on system.

KB892929: Current on system.

KB893756: Current on system.

KB893803v2: Current on system.

KB896358: Current on system.

KB896422: Current on system.

KB896423: Current on system.

KB899587: Current on system.

KB899589: Current on system.

KB899591: Current on system.

KB900725: Current on system.

KB901017: Current on system.

KB901214: Current on system.

KB902400: Current on system.

KB905414: Current on system.

KB905749: Current on system.

KB908519: Current on system.

KB908523: Current on system.

KB908531: Current on system.

KB911280: Current on system.

KB913580: Current on system.

KB914388: Current on system.

KB914389: Current on system.

KB917008: Current on system.

KB917422: Current on system.

KB917537: Current on system.

KB917736: Current on system.

KB917953: Current on system.

KB918118: Current on system.

KB920213: Current on system.

KB920670: Current on system.

KB920683: Current on system.

KB920685: Current on system.

KB921398: Current on system.

KB921883: Current on system.

KB922616: Current on system.

KB923191: Current on system.

KB923414: Current on system.

KB923810: Current on system.

KB923980: Current on system.

KB924191: Current on system.

KB924270: Current on system.

KB924667: Current on system.

KB925902: Current on system.

KB926122: Current on system.

KB926247: Current on system.

KB926436: Current on system.

KB928843: Current on system.

KB930178: Current on system.

KB931784: Current on system.

KB932168: Current on system.

KB933729: Current on system.

KB935839: Current on system.

KB935840: Current on system.

KB935843: Current on system.

KB935966: Current on system.

KB936021: Current on system.

KB937894: Current on system.

KB938827: Current on system.

KB941644: Current on system.

KB941672: Current on system.

KB941693: Current on system.

KB942831: Current on system.

KB943055: Current on system.

KB943485: Current on system.

KB944338: Current on system.

KB945553: Current on system.

KB948590: Current on system.

KB950749: Current on system.

KB950760: Current on system.

KB950974: Current on system.

KB951746: Current on system.

KB951748: Current on system.

KB952954: Current on system.

Update Rollup 1: Current on system.

Note: Depending on the operating system upgrades that you have applied in the past, you may see additional hotfixes display in the window.

Note: If you do not see Update Rollup 1, Phase 2 of 3 did not finish.

· To review the log file for a Regular Installation, browse to C:\Program Files\Common Files\Cisco\Logs\mscosupg.log on the server where the upgrade occurred. The last lines of the log file should read:

01:35:34-MCSOSUP| Phase 3 of 3 upgrade complete. Attempting shutdown

01:35:34-MCSOSUP| Upgrade complete. Shutting down..

01:35:34-MCSOSUP| Closing MCSOsUpg.log on 08/21/2008

01:35:34-MCSOSUP| __________________________________________

................................................................................................

Starting the clean.cmd file on Thu 08/21/2008 1:38:10.04

1:38:10.04 - Clean up for old hotfix and Support Patch working folders log for OS Upgrade

1:38:10.04 - Delete Startup shortcut for clean.cmd

1:38:10.07 - Delete MCSOSUpg folder

1:38:14.59 - Run Qfecheck.exe to find the latest Service Pack and the Hotfixes

Windows 2000 Hotfix Validation Report for \\ServerName

Report Date: 08/21/2008 1:38pm

Current Service Pack Level: Service Pack 4

A list of hotfixes followed by……………

1:38:34.70 - Finished running Qfecheck.exe on Thu 08/21/2008

1:38:34.71 - Finished running checkNICDuplex.exe on Thu 08/21/2008

1:38:34.71 - Finished running clean.cmd on Thu 05/21/2007

=======================================================

END OF OS UPGRADE

=======================================================

· To review the log file for an Express Installation, browse to C:\Program Files\Common Files\Cisco\Logs\mcsosupg.log on the server where the upgrade occurred. The last lines of the log file should read:

01:35:34-MCSOSUP| Express Installation : Phase 2 of 2 upgrade complete. Attempting shutdown

01:35:34-MCSOSUP| Upgrade complete. Shutting down..

01:35:34-MCSOSUP| Closing MCSOsUpg.log on 08/21/2008

01:35:34-MCSOSUP| __________________________________________

................................................................................................

Starting the clean.cmd file on Mon 08/21/2008 1:38:10.04

1:38:10.04 - Clean up for old hotfix and Support Patch working folders log for OS Upgrade

1:38:10.04 - Delete Startup shortcut for clean.cmd

1:38:10.07 - Delete MCSOSUpg folder

1:38:14.59 - Run Qfecheck.exe to find the latest Service Pack and the Hotfixes

Windows 2000 Hotfix Validation Report for \\ServerName

Report Date: 08/21/2008 1:38pm

Current Service Pack Level: Service Pack 4

A list of hotfixes followed by……………

1:38:34.70 - Finished running Qfecheck.exe on Thu 08/21/2008

1:38:34.71 - Finished running checkNICDuplex.exe on Thu 08/21/2008

1:38:34.71 - Finished running clean.cmd on Thu 08/21/2008

=======================================================

END OF OS UPGRADE

=======================================================

Note: If the last lines of the log file are substantially different, the final phase, did not complete as expected. Look for Troubleshooting Tips section for more information.

· To verify the Hotfix installed on the server besides C:\Qfecheck.exe you can also use Microsoft Baseline Security Analyzer Utility (run c:\utils\mbsa_scan.cmd) from Microsoft.

Microsoft Baseline Security Analyzer (MBSA)

Make sure that you review the Reason column of the MBSA report to identify whether the hotfix should be installed. The following table shows expected results from MBSA on a fully patched system.

Scanned with MBSA version: 2.0.6706.0

Security update catalog: Microsoft Update (offline)

Catalog synchronization date: 2008-07-08T11:53:18Z

Security assessment: Potential Risk

Security Updates Scan Results

Issue: SDK Components Security Updates

Score: Check passed

Result: No security updates are missing.

Current Update Compliance

Issue: Windows Security Updates

Score: Check failed (non-critical)

Result: 1 service packs or update rollups are missing.

Update Rollups and Service Packs

Current Update Compliance

| MS07-058 | Installed | Security Update for Windows 2000 (KB933729) | Low |

2008-09-04 16:46:38 : MBSA_Scan successfully executed

2008-09-04 16:46:38 : Successfully stopped wuauserv

[SC] ChangeServiceConfig SUCCESS

2008-09-04 16:46:39 : Success detected disabling wuauserv

2008-09-04 16:46:39 :

2008-09-04 16:46:39 : End MBSA Scan

Troubleshooting Tips

If you had a problem during the upgrade, consider the following information:

· Disable Cisco-approved Antivirus, HIDS/HIPS software; for example, Entercept, MacAfee, Cisco Security Agent, Prognosis, and so on. Make sure that all antivirus, HIDS/HIPS software are disabled in the Microsoft Services window, so that they do not start after each reboot. Running antivirus software slows the upgrade down so much that it may not be able to successfully install. HIDS/HIPS software can lock security services and dll’s and not allow service packs and hotfixes to install correctly.

· Disable all Cisco-approved, third-party applications.

· If you had a problem with the upgrade and have any third-party software installed, disable the software and run the upgrade again.

· Verify that you have Administrative privileges on the server.

· Make sure that you logged in to the server each time by using the same administrator account and password.

· Verify that the server has enough disk space. Cisco recommends that you have 1.5 GB free disk space before you copy the upgrade file to the server.

o win-OS-Upgrade.2000-4-6.exe is about 1.02 GB.

o The working directory c:\mcsosupg is about 1.10 GB.

o SP4 Rollup Update can take up to 33 MB of space.

· If the Local Security Policy MMC that is located in the Administrative Tools folder does not show the new settings applied by the OS Upgrade, change a setting, change it back, and close and open the Local Security Policy (CSCeb80799).

· If you see the Found New Hardware Wizard dialog box, just click Finish.

· You can safely ignore the following Could not delete and Failed to delete messages if the starting OS version is 2000.2.3 or greater.

o MCSOSUP| Could not delete C:\inetpub\wwwroot\_private

o MCSOSUP| Error code was: 2

o MCSOSUP| Could not delete: C:\inetpub\wwwroot\_vti_cnf

o MCSOSUP| Error code was: 2

o MCSOSUP| Could not delete: C:\inetpub\wwwroot\_vti_log

o MCSOSUP| Error code was: 2

o MCSOSUP| Could not delete: C:\inetpub\wwwroot\_vti_pvt

o MCSOSUP| Error code was: 2

o MCSOSUP| Could not delete: C:\inetpub\wwwroot\_vti_script

o MCSOSUP| Error code was: 2

o MCSOSUP| Could not delete: C:\inetpub\wwwroot\_vti_txt

o MCSOSUP| Error code was: 2

o MCSOSUP| Could not delete: C:\inetpub\wwwroot\images

o MCSOSUP| Error code was: 2

o MCSOSUP| Could not delete: C:\WINNT\web\printers

o MCSOSUP| Error code was: 2

o MCSOSUP| Deleting virtual directories from metabase

o MCSOSUP| Failed to delete IIS://LocalHost/w3svc/1/Root/iissamples

o MCSOSUP| Failed to delete IIS://LocalHost/w3svc/1/Root/iishelp

o MCSOSUP| Failed to delete IIS://LocalHost/w3svc/1/Root/samples

o MCSOSUP| Failed to delete IIS://LocalHost/w3svc/1/Root/iisadmpwd

o MCSOSUP| Failed to delete IIS://LocalHost/w3svc/1/Root/msadc

o MCSOSUP| Failed to delete IIS://LocalHost/w3svc/1/Root/Printers

o MCSOSUP| Failed to delete IIS://LM/w3svc/1/Root/Printers

· The OS Upgrade automatically disables a list of services at the start and then returns them to the original Startup Type during the final Phase. If a problem occurs during the upgrade that prevents these services Startup Type from being returned to the original settings, you can manually change them with the follow steps.

o Open the OS Upgrade log file by choosing Start > Cisco Install Logs > MCSOsUpg.log (or browse to C:\Program Files\Common Files\Cisco\Logs\MCSOsUpg.log)

o Locate Startup Type.

o The list of services displays below Startup Type in the log file.

o Open the Services MMC by choosing Start > Programs > Administrative Tools > Services.

o Confirm that Automatic displays as the Startup Type for all “SERVICE_AUTO_START” services that are listed in MCSOsUpg.log. Change the Startup Type to Automatic for any services that do not match.

· Manually run the second phase, Phase 2, in a Regular Installation

If the second phase did not automatically start or did not successfully complete as expected, review the following information.

1. Review the items listed in “Troubleshooting Tips” to see if one of them might have caused the problem with Phase 2 or Phase 3.

2. Start the OS upgrade again by executing the following file:

C:\Mcsosupg\Mcsosupg.exe. This action restarts the OS Upgrade from Phase 1. It should proceed as described under the Upgrade Procedures.

3. If the second phase, Phase 2, did not run after running the OS Upgrade twice, look at the log file that is listed above under Post-Upgrade Considerations. Review the log file for the following information:

11:48:00-MCSOSUP|Adding new registry entries

11:48:00-MCSOSUP|Finished adding new registry entries

11:48:00-MCSOSUP|Phase 1 of 3 upgrade complete. Attempting shutdown

If you see the preceding information, you may manually start Phase 2 by executing the following command: C:\Mcsosupg\Mcsosupg.exe /SPBoot

· Manually run the final phase

Regular Installation

If the final phase did not automatically start or did not successfully complete as expected, review the following information:

1. Review the items listed in “Troubleshooting Tips” to see if one of them might have caused the problem with Phase 2 or Phase 3.

2. Start the OS Upgrade again by executing the following file: C:\Mcsosupg\Mcsosupg.exe. This action restarts the OS Upgrade from Phase 1. It should proceed as described under the Upgrade Procedures.

3. If the final phase, phase 3, did not run after running the OS Upgrade twice, look at the log file that is listed above under Post-Upgrade Considerations. Review the log file for the following information:

11:48:00-MCSOSUP|End modSP4

11:48:00-MCSOSUP|Phase 2 of 3 upgrade complete. Attempting shutdown

If you see the preceding information, you may manually start Phase 3 by executing the following command: C:\Mcsosupg\Mcsosupg.exe /Postboot

Express Installation

If the final phase did not automatically start or did not successfully complete as expected, review the following information:

1. Review the items listed in “Troubleshooting Tips” to see if one of them might have caused the problem with Phase 2.

11:48:00-MCSOSUP|Finished adding new registry entries

11:48:00-MCSOSUP|Express Installation : Phase 1 of 2 upgrade complete. Attempting shutdown

If you see the preceding information, you may manually start Phase 2 by executing the following command: C:\Mcsosupg\Mcsosupg.exe /Postboot

Details of the OS Upgrade

The following information pertains to this upgrade:

Highlights - [New in 2000.4.6]

· Roll up of post-Windows 2000 Service Pack 4 Rollup Update 1 security updates. The security hotfixes in 2000.4.6 are current through July 2008, http://www.microsoft.com/technet/security/bulletin/ms08-jul.mspx . When available, also install OS Service Release 2000-4-6 SR1 or later to get the latest security updates.

· HP Drivers upgrades based on SmartStart 7.60A and higher Windows 2000 supported individual driver versions.

· HP BIOS/Firmware upgrades based on SmartStart 7.91A versions.

· HP Insight Management Agents based on version 7.60.

· HP Insight Management MIB’s upgraded to version SmartStart 7.91A.

· IBM Driver/BIOS/Firmware upgrades based on UpdateXpress 4.07 and higher versions.

Microsoft Service Packs

· Microsoft Windows 2000 Service Pack 4 Rollup Update 1

· Microsoft Windows Internet Explorer 6.0 Service Pack 1

· Microsoft XML 3.0 Service Pack 5 (Reference 8.1.11)

Windows Components

This upgrade adjusts the Windows Components and Subcomponents to match the following list.

Components	Subcomponents
Accessories and Utilities	Paint WordPad HyperTerminal CD Player Media Player (Doesn’t show in list after SP3) Volume Control Sound Recorder
Internet Information Services (IIS)	Common Files Internet Information Services Snap-In World Wide Web Server
Management and Monitoring Tools	Network Monitor Tools Simple Network Management Protocol
Networking Services	Domain Name System (DNS) Dynamic Host Configuration Protocol (DHCP)
Terminal Services	Client Creator Files Enable Terminal Services

Services

Microsoft recommends disabling any services that the server does not use. The following list provides the service “Startup Type” after this upgrade. Cisco changed the security on the services to Administrators and System Full Control.

Service Name		Startup Type
Alerter		Disabled
Application Management		Disabled
Application Quiesce Agent [IBM based servers only]		Automatic
ASF Agent [IBM based servers only]		Automatic
Automatic Updates		Disabled
Background Intelligent Transfer Service		Disabled
ClipBook		Disabled
COM+ Event System		Automatic
Computer Browser		Automatic
DHCP Client		Automatic in new install. Unchanged by Upgrade.
DHCP Server		Disabled in new install. Unchanged by Upgrade.
Distributed File System		Disabled
Distributed Link Tracking Client		Disabled
Distributed Link Tracking Server		Disabled
Distributed Transaction Coordinator		Automatic
DNS Client		Automatic
DNS Server		Disabled in new install. Unchanged by Upgrade.
Event Log		Automatic
Fax Service		Disabled
File Replication		Disabled
HP Insight Event Notifier [HP-based servers only]		Disabled
HP Insight Foundation Agent [HP-based servers only]		Automatic
HP Insight NIC Agent [HP-based servers only]		Automatic
HP Insight Server Agents [HP-based servers only]		Automatic
HP Insight Storage Agents [HP-based servers only]		Automatic
HP Proliant System Shutdown Service [HP-based servers only]		Automatic
HP Storage Manager [HP based SATA raid servers only]		Disabled
HP Storage Manager Alerts [HP based SATA servers only]		Automatic
HP System Management Homepage [HP based servers only]		Manual
HP Version Control Agent [HP based servers only]		Automatic
IBM Automatic Server Restart Service for IPMI [IBM-based server only]		Automatic
IBM Automatic Server Restart Executable [IBM-based servers only]		Automatic
IBM Director Agent WMI CIM Server [IBM-based servers only]		Disabled
IBM Director Support Program [IBM-based servers only]		Automatic
IBM Director Agent SLP Attributes [IBM-based servers only]		Automatic
IBM Director CIM Listener [IBM-based servers only]		Disabled
IBM Remote Supervisor Adapter II [IBM-based servers only]		Automatic
IBM ServeRAID Manager Agent [IBM-based servers only]		Automatic
IBM SLP SA		Automatic
IIS Admin Service		Automatic in new install. Unchanged by Upgrade.
Indexing Service		Disabled
Internet Connection Sharing		Disabled
Intersite Messaging		Disabled
IPSEC Policy Agent		Automatic
Kerberos Key Distribution Center		Disabled
License Logging Service		Disabled in new installs. Disabled in Upgrade.
Logical Disk Manager		Automatic
Logical Disk Manager Administrative Service		Manual
Message Queuing [ICS-7750 only]		Disabled
Messenger		Disabled
MyStorage Remote HBA		Automatic
Net Logon		Manual in Workgroup Automatic in Domain
Network Connections		Manual
Network DDE		Disabled
Network DDE DSDM		Disabled
NT LM Security Support Provider		Disabled in new install. Unchanged by Upgrade.
Performance Logs and Alerts		Manual
Plug and Play		Automatic
Portable Media Serial Number Service		Disabled
PowerQuest Virtual Disk Installer Service [IBM-based servers only]		Manual
Print Spooler		Manual
Protected Storage		Automatic
QoS RSVP		Disabled in new install. Unchanged by Upgrade.
Remote Access Auto Connection Manager		Disabled
Remote Access Connection Manager		Manual
Remote Procedure Call (RPC)		Automatic
Remote Procedure Call (RPC) Locator		Disabled
Remote Registry Service		Automatic
Removable Storage		Disabled
Routing and Remote Access		Disabled
RunAs Service		Disabled
Security Accounts Manager		Automatic
Server		Automatic
Smart Card		Disabled in new install. Unchanged by Upgrade.
Smart Card Helper		Disabled in new install. Unchanged by Upgrade.
SMBus Upgrade Service for Windows 2000 and above [IBM based server only]		Disabled
SNMP Service		Automatic
SNMP Trap Service		Manual
System Event Notification		Automatic
Task Scheduler		Disabled in new install. Unchanged by Upgrade.
TCP/IP NetBIOS Helper Service		Automatic
Telephony		Manual
	Terminal Services	Disabled in new install. Unchanged by Upgrade.
Uninterruptible Power Supply		Disabled in new install. Unchanged by Upgrade.
Utility Manager		Disabled
Windows Installer		Manual
Windows Internet Name Service (WINS) [ICS-7750 only]		Disabled
Windows Management Instrumentation		Automatic
Windows Management Instrumentation Driver Extensions		Manual
Windows Time		Disabled in new install. Unchanged by Upgrade.
Wireless Configuration		Disabled in new install. Unchanged by Upgrade.
Workstation		Automatic
World Wide Web Publishing Service		Automatic in new install. Unchanged by Upgrade.

Microsoft Windows 2000 Hotfixes

This OS upgrade includes the following hotfixes. Download and install win-OS-Upgrade.2000-4-3sr1.exe or later to obtain the latest Security hotfixes.

Bulletin	Knowledge Base Article or Cisco Defect	Description
	Q282784	QFEcheck
	KB831877 CSCeb59434	Multiple Memory Leaks in Remote Registry Service
MS03-011	KB816093	Flaw in the Microsoft VM Could Enable System Compromise
	KB831576 CSCec11376	The PdhEnumObjects function with bRefresh=TRUE fails repeatedly
	KB829246 CSCed55178	Event Logs Are Corrupted
	KB325666 CSCed53024	Access Violation Error Message in Mmc.exe After You Apply Internet Explorer Privacy Update from Q316116 or After You Apply Internet Explorer 6 SP1
	Q828026	Update for Windows Media Player URL Script Command Behavior
	KB820888	Computer Stops Responding (Hangs) When It Tries to Mount an NTFS Volume After You Restart the Computer
	KB822831	BUG: Driver Installation Program Does Not Install Device Drivers
	Q831167	Wininet retries POST requests with a blank header
MS04-003	Q832483	Buffer Overrun in MDAC Function Could Allow Code Execution
	KB870669	Disable ADODB.Stream object from Internet Explorer
MS04-028	KB833989	Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution
	CSCeg00585	Registry value being replaced by a blank for first char
	KB833227 CSCee78501	Performance monitoring tools may experience a memory leak if Terminal Services is disabled
MS05-009	KB885492	Vulnerability in PNG Processing Could Allow Remote Code Execution
	CSCeh03711	Un-install JRE 1.4.2_04 in OS Upgrade 2000.2.7 Enables JRE Auto Update
	KB839161 CSCsa67078	Multiple Terminal Server sessions remain in the connectQuery state
	CSCec21319	Updating HP Management Agents to 7.2 in order to resolve cqmghost.exe crash issue.
	CSCsa77836	Updating the Network configuration utility to 7.86
MS05-024	KB894320	Vulnerability in web view could allow remote code execution Note: This is replace with MS05-049
	CSCsa99879	Shutdown.exe does not work in 2000.2.7sr4
MS05-026	KB896358	Vulnerability in HTML Help Could allow Remote Code Execution
MS05-027	KB896422	Vulnerability in Server Message Block Could Allow Remote Code Execution
MS05-030	KB897715	Cumulative Security Update in Outlook Express
MS05-032	KB890046	Vulnerability in Microsoft Agent Could Allow Spoofing
MS05-036	KB901214	Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution
MS05-038	KB896727	Cumulative Security Update for Internet Explorer Note: This is replace with MS05-052
MS05-039	KB899588	Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege Note: This is replace with MS05-047
MS05-040	KB893756	Vulnerability in Telephony Service Could Allow Remote Code Execution
MS05-041	KB899591	Vulnerability in Remote Desktop Protocol Could Allow Denial of Service
MS05-042	KB899587	Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing
MS05-043	KB896423	Vulnerability in Print Spooler Could Allow Remote Code Execution
MS05-044	KB905495	Vulnerability in Windows FTP Client Could Allow File Transfer Location Tampering
MS05-045	KB905414	Vulnerability in Network Connection Manager Could Allow Denial Of Service
MS05-046	KB899589	Vulnerability in Client Services for Netware Could Allow Remote Code Execution
MS05-047	KB905749	Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege
MS05-048	KB901017	Vulnerability in Microsoft Collaboration Objects Could Allow Remote Code Execution
MS05-049	KB900725	Vulnerability in Windows Shell Could Allow Remote Control Execution
MS05-050	KB904706	Vulnerability in DirectShow Could Allow Remote Code Execution
MS05-051	KB902400	Vulnerability in MSDTC and COM+ Could Allow Remote Code Execution
MS05-052	KB896688	Cumulative Security Update for Internet Explorer
MS05-053	KB896424	Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution
MS05-055	KB908523	Vulnerability in Windows Kernel Could Allow Elevation of Privilege
	KB831577 CSCsc78649	IIS Memory Leak when HTTP Compression Used
	KB834010 CSCsc76627	DeadLock Occurs when Program Uses Certain WMI Calls
MS06-001	KB912919	Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution
MS06-002	KB908519	Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution
	CSCsc56152	CCM 4.2(0.795) Install Fails on New MCS 7825 HP Servers
	KB891069 CSCsc28210	USBAudio support updated to prevent bluescreen
	KB823818 CSCsd14924	MPWeb IIS stop responding due to ASP buffering leading to out of memory
MS06-005	KB911565	Vulnerability in Windows Media Player Could Allow Remote Code Execution
MS06-006	KB911564	Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution
	CSCsd18255	SQL remains in Starting State or CCM fails to start after OS2000.4.2 upgrade
MS06-013	KB912812	Cumulative Security Update for Internet Explorer (912812) (Replaces MS05-054)
MS06-014	KB911562	Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)
MS06-015	KB908531	Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)
MS06-016	KB911567	Cumulative Security Update for Outlook Express (911567) (Replaces MS05-030)
	CSCsd81242 KB822720	The computer stops responding (hangs) when boot into Windows 2000
	KB893803	Windows Installer update to 3.1 version 2
MS06-018	KB913580	Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (replaces MS05-051 KB902400)
	CSCse04719	With 2 g RAM or more installed Memory.dmp file will be incomplete
	CSCsd53918	MCS server rebooted with bugcheck
	CSCsd95726	CD ROM icon missing after SR upgrade
MS06-021	KB916281	Cumulative Security Update for Internet Explorer (replaces MS06-013)
MS06-023	KB917344	Vulnerability in Microsoft JScript Could Allow Remote Code Execution
MS06-024	KB917344	Vulnerability in Windows Media Player Could Allow Remote Code Execution
MS06-025	KB911280	Vulnerability in Routing and Remote Access Could Allow Remote Code Execution
	CSCse32811	RealVNC allows remote access to Win2k server console without password
MS06-030	KB914389	Vulnerability in Server Message Block Could Allow Elevation of Privilege
MS06-031	KB917736	Vulnerability in RPC Mutual Authentication Could Allow Spoofing
MS06-032	KB917953	Vulnerability in TCP/IP Could Allow Remote Code Execution
	CSCse54942	Undefined device on 7815I2 with OS 2000.4.3
MS06-025	KB911280 v2	Vulnerability in Routing and Remote Access Could Allow Remote Code Execution
	CSCse61586	OS 2000.4.2 and 2000.4.3 missing drivers for USB DAT72 drive
MS06-034	KB917537	Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537)
MS06-035	KB917159	Vulnerability in Server Service Could Allow Remote Code Execution (917159) Note: This is replaced by MS06-063 - KB923414
MS06-036	KB914388	Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)
	CSCse79354	Remove fix for CSCsd62235 in 2000.4.3aSR2
MS06-040	KB921883	Vulnerability in server service could allow remote code execution(921883)
MS06-041	KB920683	Vulnerability in DNS resolution could allow remote code execution.(920683)
MS06-042	KB918899	Cumulative Security Update for Internet Explorer (918899)
MS06-044	KB917008	Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)
MS06-046	KB922616	Vulnerability in HTML Help Could Allow Remote Code Execution (922616)
MS06-051	KB917422	Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422)
MS06-045	KB921398	Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398)
MS06-049	KB920958-v2	Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)
MS06-050	KB920670	Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)
MS06-053	KB920685	Vulnerability in Indexing Service Could Allow Cross-Site Scripting
	CSCse76137	Upgrade version registry key is missing on Fresh Installs
MS06-055	KB925486	Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)
MS06-057	KB923191	Vulnerability in Windows Explorer Could Allow Remote Execution (923191)
MS06-061	KB924191	Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191)
MS06-063	KB923414	Vulnerability in Server Service Could Allow Denial of Service (923414)
MS06-061	KB922819v2	Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191)
MS06-067	KB922760	Cumulative Security Update for Internet Explorer (922760)
MS06-068	KB920213	Vulnerability in Microsoft Agent Could Allow Remote Code Execution (920213)
MS06-070	KB924270	Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)
	CSCsg81424	Fail to uninstall 3.3.7
	CSCsf07541	MCS-OS Update needed N America DST changes in 2007
	CSCsd57985	DayLight savings working wrongly for 26-03-2006 without DayLight Patch.
	CSCse15694	Daylight savings incorrect for GMT+2 Cairo Time Zone
MS06-072	KB925454	Cumulative Security Update for Internet Explorer (925454)
MS06-076	KB923694	Cumulative Security Update for Outlook Express (923694)
MS06-074	KB926247	Vulnerability in SNMP Could Allow Remote Code Execution (926247)
MS06-078	KB923689	Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689)
MS07-004	KB929969	Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969)
MS07-008	KB928843	Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843)
MS07-009	KB927779	Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (927779)
MS07-016	KB928090	Cumulative Security Update for Internet Explorer (928090) Replaces: the above KB922760 and KB925454
MS07-011	KB926436	Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution (926436)
MS07-012	KB924667	Vulnerability in Microsoft MFC Could Allow Remote Code Execution (924667)
MS07-013	KB918118	Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution (918118)
	CSCsh20360 KB928388	Looping in System Date & Time due to Daylight saving correction.
	CSCsh79447	MS07-009 hotfix does not install on CCM 4.2.3
	CSCsh91439	MBSA Upgrade to 2.0.1 required
	CSCsh91735 KB931836	February 2007 cumulative time zone update for Microsoft Windows operating sytems (this is the replacement for CSCsh20360, CSCse15694, CSCsd57985, CSCsf07541)
MS06-066	KB923980	Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution
MS06-078	KB925398	Security Update for Windows Media Player 6.4 for Windows (KB925398)
MS07-017	KB925902	Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
MS07-020	KB932168	Vulnerability in Microsoft Agent Could Allow Remote Code Execution (932168)
MS07-021	KB930178	Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)
MS07-022	KB931784	Vulnerability in Windows Kernel Could Allow Elevation of Privilege (931784)
MS07-027	KB931768	Cumulative Security Update for Internet Explorer (931768)
MS07-029	KB935966	Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
	KB935845	Stop 0x0000007F error when you print from Windows XP or Windows 2000 with GDI security update 925902 installed
	CSCsi79685 KB891071	A memory leak may occur in the Winmgmt process in Windows 2000
	CSCsj00318 KB898708	FIX: IIS 6.0 may send an "HTTP 100 Continue" response in the middle of the response stream when you send a POST request
MS07-031	KB935840	Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution
MS07-033	KB933566	Cumulative Security Update for Internet Explorer
MS07-034	KB929123	Cumulative Security Update for Outlook Express and Windows Mail
MS07-035	KB935839	Vulnerability in Win 32 API Could Allow Remote Code Execution
MS07-039	KB926122	Vulnerability in Windows Active Directory Could Allow Remote Code Execution
MS07-040	KB933854	Vulnerabilities in .NET Framework Could Allow Remote Code Execution
MS07-042	KB936021	Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
MS07-043	KB921503	Vulnerability in OLE Automation Could Allow Remote Code Execution
MS07-045	KB937143	Cumulative Security Update for Internet Explorer Note: This replaces KB933566
MS07-046	KB938829	Vulnerability in GDI Could Allow Remote Code Execution
MS07-047	KB936782	Vulnerabilities in Windows Media Player Could Allow Remote Code Execution
MS07-050	KB938127	Vulnerability in Vector Markup Language Could Allow Remote Code Execution
	CSCsj56317 (KB933360)	August 2007 cumulative time zone update for Microsoft Windows operating systems MCS-OS Update needed for New Zealand DST changes in 2007 Note: This replaces KB931836
	CSCsk67094 (KB931633)	Error message when Reg.exe tool is used to query a registry subkey
	CSCsk63114 (KB837060)	The Taskmgr.exe or the Tsadmin.exe program may stop responding when you open Task Manager on a computer that is running Terminal Services in remote administration mode
	CSCsl17246 (KB925336)	FIX: Error message when you try to install a large Windows Installer package or a large Windows Installer patch package in Windows Server 2003
MS07-057	KB939653	Cumulative Security Update for Internet Explorer 6
MS07-056	KB941202	Security Update for Outlook Express
	KB938977	Venezuela (GMT-4:30) Time Zone Update
MS07-058	KB933729	Vulnerability in RPC Could Allow Denial of Service
	CSCsl18866 (KB943000)	MCS-OS update needed for 2008 Brazil Summertime change
MS07-061	KB943460	Vulnerability in Windows URI Handling Could Allow Remote Code Execution
MS07-062	KB941672	Vulnerability in DNS Could Allow Spoofing
MS07-051	KB938827	Vulnerability in Microsoft Agent Could Allow Remote Code Execution
MS07-055	KB923810	Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution
MS07-028	KB931906	Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)
	KB942763	December 2007 cumulative time zone update for Microsoft Windows operating systems
MS07-064	KB941568	Vulnerabilities in DirectX Could Allow Remote Code Execution (941568)
MS07-067	KB944653	Vulnerability in Macrovision Driver Could Allow Local Elevation of Privilege (944653)
MS07-068	KB941569	Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275)
MS07-069	KB942615	Cumulative Security Update for Internet Explorer (942615)
MS07-065	KB937894	Vulnerability in Message Queuing Could Allow Remote Code Execution (937894)
	CSCsl17246 KB925336	Error 1718: <file> was rejected by digital signature policy
MS08-002	943485	Vulnerability in LSASS Could Allow Local Elevation of Privilege (943485)
MS08-007	946026	Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution (946026)
MS08-008	947890	Vulnerability in OLE Automation Could Allow Remote Code Execution (947890)
MS08-010	944533	Cumulative Security Update for Internet Explorer (944533)
MS08-003	946538	Vulnerability in Active Directory Could Allow Denial of Service (946538)
MS08-005	942831	Vulnerability in Internet Information Services Could Allow Elevation of Privilege (942831)
MS08-006	942830	Vulnerability in Internet Information Services Could Allow Remote Code Execution (942830)
	CSCsm74155	MCS-OS: c:\utils\kill.exe out of date on 2003.1.2a
MS08-020	945553	Vulnerability in DNS Client Could Allow Spoofing (945553)
MS08-021	948590	Vulnerabilities in GDI Could Allow Remote Code Execution (948590)
MS08-022	944338	Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)
MS08-023	948881	Security Update of ActiveX Kill Bits (948881)
MS08-024	947864	Cumulative Security Update for Internet Explorer (947864)
MS08-025	941693	Vulnerability in Windows Kernel Could Allow Elevation of Privilege (941693)
	CSCso26082	Add tzupdate.exe to OS fresh installs and upgrades
	CSCso13134	DST: MCS OS update needed for 2008 Iraq Daylight Time removal (replaces CSCsl16516/KB942673)
	CSCso63866	MCS OS2000 for Australian DST does not update timezone information
	CSCso13145	DST: MCS IBM Director update needed for 2008 Iraq Daylight Time removal
MS08-031	950759	Cumulative Security Update for Internet Explorer (950759)
MS08-033	951698	Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
MS08-034	948745	Vulnerability in WINS Could Allow Elevation of Privilege (948745)
MS08-035	953235	Vulnerability in Active Directory Could Allow Denial of Service (953235)
MS08-036	950762	Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762)
MS08-032	950760	Cumulative Security Update of ActiveX Kill Bits (950760)
MS08-037	951746,951748	Vulnerabilities in DNS Could Allow Spoofing (953230)
MS08-040	948110	Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (948110)

Other Windows software upgrades

· Microsoft Windows Installer 3.1 version 2

· Virtual Network Computing (VNC) 4.1.2 (just copies install files, doesn’t install but upgrades if already installed)

· HP SmartStart 7.60 and higher individual Windows 2000 supported driver updates

· HP SmartStart 7.91A BIOS/Firmware Updates

· IBM UpdateXpress 4.07 and higher Updates

Compaq/HP Drivers

During the upgrade, the following Compaq/HP drivers automatically install on the appropriate servers.

Version	Description
5.41.0.0	HP ProLiant iLO Advanced and Enhanced System Management Controller Driver for Windows 2000
1.1.0.0	HP ProLiant iLO 2 Management Controller Driver for Windows 2000/Windows Server 2003
5.37.0.0C	HP ProLiant Advanced System Management Controller Driver for Windows 2000
5.24.0.0B	HP ProLiant 32-Bit SCSI Controller Driver for Windows 2000
5.20.0.32C	HP ProLiant Drive Array Driver for Windows 2000
5.14.0.0E	HP ProLiant Smart Array-2 Controllers Driver for Windows 2000
5.74.0.32	HP ProLiant Smart Array 5x and 6x Controller Driver for Windows 2000
5.2.3790.1433	HP Embedded SATA RAID Controller Driver for Windows 2000 for DL320 G3 servers
1.2.5567	HP Embedded SATA RAID Controller Driver for Windows 2000 for DL320 G4, G5 servers.
2.0.6.0J	HP ProLiant CMD 0649 IDE Ultra DMA Controller Driver for Windows 2000
2.5.2003.613 B	HP ProLiant Integrated Ultra ATA-100 Dual Channel Driver For Windows 2000
5.28.0.32 B	HP ProLiant Drive Array Notification for Windows 2000
6.3.2.1 C	HP ProLiant PCI Hot Plug Controller Driver for Windows 2000
1.9.2195.0	HP ProLiant Integrated Lights-Out Management Interface Driver for Windows 2000
1.5.1.0 C	HP Lights-Out Online Configuration Utility for Windows 2000/Windows Server 2003
5.0.2195.3249E	HP ProLiant ATI RAGE IIC Video Controller Driver for Windows 2000
5.0.2195.5024	HP ProLiant ATI RAGE XL Video Controller Driver for Windows 2000
1.8.2195.0 C	HP ProLiant Legacy Port Configuration Component for Windows 2000
7.61.2.0	HP ProLiant Array Configuration Utility for Windows 2000
5.10.0.32 B	HP ProLiant Smart Array Device Manager Extension for Windows 2000
4.10-4590	HP Embedded SATA RAID Controller Manager for Windows
5.0.1.18F	HP ProLiant NetFlex/Netelligent Adapter Driver for Windows 2000
8.0.27.0	HP ProLiant NC31xx Fast Ethernet NIC Driver for Windows
10.31.0.0	HP NC10xx/67xx/77xx/150x/320x/325x/326x Gigabit Ethernet NIC Driver for Windows 2000
2.8.15.0 B	HP NC-Series Multifunction Driver for Windows 2000 (contains the driver for the HP NC370x/371x/373x/374x/380x)
7.60.0.0	HP ProLiant Insight Management Agents for Windows 2000/2003
2.56.8.0	HP survey utility for Windows 2000
8.40.0.0	HP ProLiant Network Configuration Utility for Windows 2000
2.1.10.186 C	HP System Management Homepage for Windows
7.6.0.1984	HP Insight Diagnostics Online Edition for Windows
2.1.10.800	HP version control agent for Windows
1.5.3.1	HP StorageWorks DAT 72 USB TapeDrive

HP Network Configuration Utility (Teaming driver) is installed by default on applicable servers. Use this utility to provide fault-tolerant network connectivity only. Starting with OS 2000.2.7, you can set the speed and duplex to 1000/Full through the standard Windows 2000 Network Properties or with the HP Network Configuration Utility.

· Find instructions to configure fault-tolerant network connectivity on CCO at this location: http://www.cisco.com/univercd/cc/td/doc/product/voice/iptel_os/driver/index.htm

· If the HP Network Configuration Utility is uninstalled, you can reinstall it by using the installation file are located in this folder: C:\Utils\DualNIC\.

Compaq/HP Software

The HP Diagnostics for Windows software provides a detailed list of all hardware installed on the server. It can also run diagnostic tests on the hardware. This processor-intensive intensive software should be used during a maintenance cycle.

Version	Description
7.6.0.1984	HP Insight Online Diagnostics for Windows
4.13B	HP Diagnostics for Windows (Only for servers not supported by Online Diag, Prosigna 720, Proliant 1600, DL320-800/1133)

Compaq/HP BIOS, Array Firmware and NIC firmware

This upgrade updates the following BIOS and Array Firmware. These upgrades occur within Windows and do not require booting from a CD-ROM or Diskette. If you recently purchased a new server, the BIOS on the server may be newer than the version that is listed in the table. The upgrade will not change (downgrade) newer versions.

Date/Version	Server
P08 – 2000.11.08B	MCS-7830 BIOS
D05 - 2002.11.15	MCS-7825H-800/1133 BIOS
D13 – 2004.09.15	MCS-7825H-2.2/3.0 BIOS
D18 – 2007.07.16	MCS-7825H1 BIOS
D20 – 2007.07.18	MCS-7825H2 BIOS
W04 – 2008.04.10	MCS-7825H3 BIOS
P17 – 2002.12.18B	MCS-7835H-733/1000 BIOS
P24 – 2004.05.01	MCS-7835-1266 or MCS7845-1400 BIOS
P29 – 2004.09.15	MCS-7835H-2.4/3.0 or MCS-7845-2.4/3.0 BIOS
P51 – 2007.07.19	MCS-7835H1 or MCS-7845H1 BIOS
P56 – 2008.01.24	MCS-7835H2 or MCS-7845H2 BIOS
1.91B	MCS-7835H-2.4/3.0, MCS-7845H-2.4/3.0, MCS-7835-H1 and MCS7845-H1 iLO firmware
1.91B	MCS-7825-H1 iLO firmware
1.43	MCS-7835H2, MCS-7845-H2, MCS-7825-H2, MCS-7825-H3 iLO 2 firmware
2.74A	MCS-7835(1266/2400/3000) and MCS-7845(1400/2400/3000) Array Controller firmware
2.80B	MCS-7835-H1 and MCS-7845-H1 Array Controller firmware
4.12B	MCS-7835-H2 and MCS-7845-H2 P400 Array Controller Firmware
1.0.0.13	NIC firmware for DL320-G2, DL320-G3, DL380-G2, DL380-G3, DL380-G4

IBM Drivers

During the upgrade, the following IBM drivers automatically install on the appropriate servers.

Version	Description
5.0.2195	X200, MCS-7815-1000 and X205, MCS-7815I-2.0, x345 Video Driver Update
6.13.10.8013-13.95.13	X330-800/866/933/1000/1266, X340, X342 Video Driver
6.14.10.6422	X206/x306 Video driver
8.24.3.0	X206m/X306m/x346/x3650/x3250 Video driver
7.12.11	X340/X342/X345/X346 and MCS-7835I-2.4/3.0 and MCS- 7835-H1 and MCS-7845-H1 ServeRAID driver
5.2.0.12913	X3650 ServeRAID Driver
1.27.03.00	X3250 ServeRAID driver
1.2.0.5561	X306m ServeRAID driver
12.3	X200/x330-800/866/933/1000/1266/x342 NIC driver
10.62	X205, x206m, x306m, x346, x3250 NIC driver
12.3	X206/x306/x306-3.4/x345-2.4/x345-3.0 NIC driver
3.7.19.0	X3650 NIC Driver
10.7b.3	X346, x3250 Teaming Driver
T3.4.6b	X3650 Teaming Driver
5.4	X3650 RSA Driver
9.00	ServeRAID manager
1.07	ASR for IPMI Application
Package: 1.15 File: 2.2.1.2	OSA IPMI Device Driver for Microsoft Windows
1.15	IBM Mapping Layer Software for OSA IPMI on Microsoft Windows

IBM BIOS and Array Firmware

This upgrade updates the following BIOS and Firmware. These upgrades occur at the end of the OS Upgrade process and require an additional reboot into DOS. When the BIOS and firmware upgrades are finished, the server reboots back into Windows 2000. If you recently purchased a new server, the BIOS on the server may be newer than the version that is listed in the table. The upgrade will not change (downgrade) newer BIOS versions.

Version	Server
1.53A	MCS-7815I-2.0 BIOS
1.40	X206/x306-3.0/x306-3.4 BIOS
1.21	X345 and MCS-7845I 2.4/3.0 BIOS
1.43A	X206m, x306m BIOS
1.17	X346, MCS-7835-I1 and MCS-7845-I1 BIOS
1.09	X3650 BIOS
1.39A	X3250 BIOS
7.12.13	X340, X342, X345, MCS7835I-2.4/3.0, X346, MCS-7835-I1 and MCS7845-I1 ServeRAID Firmware Update
5.2-0-15418	X3650 RAID
1.09	X342 ASM Firmware Update
1.20	X346, MCS-7835-I1 and MCS-7845-I1 BMC Firmware Update
2.16	X306m BMC Firmware update
1.16	X206m BMC Firmware Update
1.42	X3650 BMC firmware update
1.07	X3250 BMC firmware update
1.09	X345, MCS7835I-2.4/3.0 and MCS7845I-2.4/3.0 ASM Firmware Update
1.08	X346, MCS-7835-I1 and MCS-7845-I1 Diagnostic Flash Update
1.06	X345, MCS-7835I-2.4/3.0 and MCS-7845I-2.4/3.0 Diagnostic Flash Update
1.05	X3650 Diagnostic Firmware
1.07	X3650 RSA II firmware
2.0.6	X205, x206m, x306m, x346, x3250 NIC firmware

Security Settings

This fairly complete list gives the security settings in OS version 2000.4.6. The list of file/folder permissions that are included from the ocfiless.inf are not included. The list includes settings that have been in place for several OS versions as well as the new settings in 2000.4.6. This list does not include the changes as part of the Optional Security Settings. Refer Optional Security settings readme in C:\Utils Folder for the list of changes in Optional Security Settings Script.

Description	Setting
User / Group Changes
Delete – TSInternetUser
Remove all users from Guest group.
Guest user renamed to DisabledGuest and deselect Password never expires
Create WebUsers group and add IUSR_Guest and IWAM_Guest users
Run this command "Net user <account_name> /passwordreq:yes" for these user accounts: DisabledGuest IWAN_Guest IUSR_Guest

Password Policy
Enforce password history	0 passwords remembered
Maximum password age	42 days
Minimum password age	0 days
Minimum password length	0 characters
Passwords must meet complexity requirements	Disabled
Store password using reversible encryption for all users in the domain	Disabled

Account Lockout Policy
Account lockout duration	Not defined
Account lockout threshold	0 invalid logon attempts
Reset account lockout counter after	Not defined

Audit Policy
Audit account logon events	Success, Failure
Audit account management	Success, Failure
Audit directory service access	Success, Failure
Audit logon events	Success, Failure
Audit object access	Failure
Audit policy change	Success, Failure
Audit privilege use	Failure
Audit process tracking	No auditing
Audit system events	Success, Failure

User Rights Assignment
Access this computer from the network	IWAM_Guest, Users, Administrators, IUSR_Guest
Act as part of the operating system	Administrators
Add workstations to domain
Back up files and directories	Backup Operators,Administrators
Bypass traverse checking	Users
Change the system time	Administrators
Create a pagefile	Administrators
Create a token object
Create global objects	Administrators,SERVICE
Create permanent shared objects
Debug programs	Administrators
Deny access to this computer from the network	Guests Note: This setting is removed on ICS-7750 server to prevent CSCee44774
Deny logon as a batch job
Deny logon as a service
Deny logon locally	Guests, SQLDebugger Note: This setting is removed on ICS-7750 server to prevent CSCee44774
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system	Administrators
Generate security audits
Impersonate a client after authentication	Administrators,SERVICE
Increase quotas	Administrators
Increase scheduling priority	Administrators
Load and unload device drivers	Administrators
Lock pages in memory
Log on as a batch job	SQLDebugger, IWAM_Guest, IUSR_Guest, SQLSvc
Log on as a service	CCMUser, CCMServiceRW, Administrator, SQLSvc, CCMCDR, CCMService
Log on locally	Administrators, Users, Backup Operators, IUSR_Guest
Manage auditing and security log	Administrators
Modify firmware environment values	Administrators
Profile single process	Administrators
Profile system performance	Administrators
Remove computer from docking station
Replace a process level token
Restore files and directories	Backup Operators,Administrators
Shut down the system	Administrators
Synchronize directory service data
Take ownership of files or other objects	Administrators

Security Options
Additional restrictions for anonymous connections	Do not allow enumeration of SAM accounts and shares
Allow server operators to schedule tasks (domain controllers only)	Not defined
Allow system to be shut down without having to log on	Disabled
Allowed to eject removable NTFS media	Administrators
Amount of idle time required before disconnecting session	15 minutes
Audit the access of global system objects	Disabled
Audit use of Backup and Restore privilege	Disabled
Automatically log off users when logon time expires (local)	Enabled
Clear virtual memory pagefile when system shuts down	Disabled
Digitally sign client communication (always)	Disabled
Digitally sign client communication (when possible)	Enabled
Digitally sign server communication (always)	Disabled
Digitally sign server communication (when possible)	Enabled
Disable CTRL+ALT+DEL requirement for logon	Disabled
Do not display last user name in logon screen	Enabled
LAN Manager Authentication Level	Send LM & NTLM - use NTLMv2 session security if negotiated
Message text for users attempting to log on
Message title for users attempting to log on
Number of previous logons to cache (in case domain controller is not available)	10 logons
Prevent system maintenance of computer account password	Disabled
Prevent users from installing printer drivers	Enabled
Prompt user to change password before expiration	14 days
Recovery Console: Allow automatic administrative logon	Disabled
Recovery Console: Allow floppy copy and access to all drives and all folders	Enabled
Rename administrator account	Not defined
Rename guest account	Not defined
Restrict CD-ROM access to locally logged-on user only	Disabled
Restrict floppy access to locally logged-on user only	Enabled
Secure channel: Digitally encrypt or sign secure channel data (always)	Disabled
Secure channel: Digitally encrypt secure channel data (when possible)	Enabled
Secure channel: Digitally sign secure channel data (when possible)	Enabled
Secure channel: Require strong (Windows 2000 or later) session key	Disabled
Send unencrypted password to connect to third-party SMB servers	Disabled
Shut down system immediately if unable to log security audits	Disabled
Smart card removal behavior	Lock Workstation
Strengthen default permissions of global system objects (e.g. Symbolic Links)	Enabled
Unsigned driver installation behavior	Warn but allow installation
Unsigned non-driver installation behavior	Silently succeed

Event Log Settings
Maximum application log size	81920 KB
Maximum security log size	81920 KB
Maximum system log size	81920 KB
Restrict quest access to application log	Enabled
Restrict guest access to security log	Enabled
Restrict guest access to system log	Enabled
Retention method for application log	Overwrite Events As Needed
Retention method for security log	Overwrite Events As Needed
Retention method for system log	Overwrite Events As Needed
Shutdown the computer when the security audit log is full	Disabled

IIS Security Changes
Enables W3C Extended Logging Format
Added Extended Logging Properties	WIN32 Status, Referer
Turns off Indexing
IIS Connections Limited to	50,000
Removes Unused Script Mappings
Removes Unused IIS Virtual Directories
Removes All Sample directories
Removes unused IIS folders
WebDAV	Disabled
URLScan version 2.5, a security tool, restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, the URLScan security tool helps prevent potentially harmful requests from reaching the server. · Logs: URLScan logs to this folder: c:\winnt\system32\inetsrv\urlscan\logs. When URLScan blocks a request, error 404 file not found displays in the browser. URLScan will log the reason it blocked a request and the IP address of the remote system. · Filter settings: The URLScan filters settings are in this text file: c:\winnt\system32\inetsrv\urlscan\urlscan.ini. Cisco has customized this filter to work correctly with the Cisco applications that this OS supports. Cisco does not recommend changing the settings in the file. If changes are made to this file, they do not take effect until the IISAdmin service is re-started. · Uninstall: You can uninstall URLScan from the Add/Remove Programs applet in the Windows Control Panel (Choose Start > Settings > Control Panel > Add/Remove Programs). · Additional Information about URLScan: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp

Registry Settings
HKLM\Software\Microsoft\Driver Signing\Policy	1
HKLM\Software\Microsoft\Non-Driver Signing\Policy	0
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel	0
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand	0
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms	0
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD	0
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount	10
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning	14
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD	0
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon	4
HKLM\System\CurrentControlSet\Control\Lsa\AuditBaseObjects	0
HKLM\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail	0
HKLM\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing	0
HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel	1
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous	1
HKLM\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers	1
HKLM\System\CurrentControlSet\Control\Session Manager\ProtectionMode	1
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect	15
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff	1
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature	1
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature	0
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword	0
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature	1
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature	0
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange	0
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal	0
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey	0
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel	1
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel	1
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\DisableSavePassword	1

The following registry values help to increase the resistance of the Windows 2000 TCP/IP stack against denial of service attacks.
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting	2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery	0
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect	0
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters	1
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect	0
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime	300000
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery	0
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect	2
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxPortsExhausted	5
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions	3
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions	2
MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBacklog	20000
MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBacklog	20
MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklog	1
MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters\DynamicBacklogGrowthDelta	10

The following registry value configures servers to no longer comply with name release requests from computers other than the WINS servers that are configured in the network settings of the server: MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand	1

Sets the value of this key to 0 to make screensaver password protection effective immediately: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod	“0”

This registry value disables LMHash creation to ensure greater security: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash	1


Protect kernel object attributes: MACHINE\System\CurrentControlSet\Control\Session Manager\EnhancedSecurityLevel	1

This registry value was added in Service Pack 3 for Windows 2000. It will cause the system to generate an audit event when the audit log reaches a percent full threshold. In this policy, template is set to generate an audit event when the security event log is 90 percent full: MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel	90

Disable saved passwords in Remote Access Server: MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\DisableSavePassword	1

Terminal Services Security Settings HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\fEnablePrintRDR	0
HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\MinEncryptionLevel	3
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel	3
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fAutoClientLpts	0
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fDisableCcm	1
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fDisableCpm	1
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fDisableLPT	1
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fInheritMaxDisconnectionTime	0
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fInheritMaxIdleTime	0
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fInheritMaxSessionTime	0
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fInheritResetBroken	0
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fResetBroken	0
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MaxConnectionTime	0
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MaxDisconnectionTime	86400000
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MaxIdleTime	900000
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop	1
HKLM\Software\Policies\Microsoft\Conferencing\NoRDS	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\NoNameReleaseOnDemand	1
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff	1
HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities\public	4

Registry Settings Removed
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment	Os2LibPath
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems	OS2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems	Optional
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems	POSIX
HKLM \SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages	FPNWCLNT
HKLM\software\microsoft\windows nt\currentversion\winlogon	autoadminlogon
HKLM\software\microsoft\windows nt\currentversion\winlogon	autologoncount
HKLM\software\microsoft\windows nt\currentversion\winlogon	defaultpassword
HKLM\System\CurrentControlSet\Services\TlntSvr
HKLM\SOFTWARE\Microsoft\TelnetServer

Registry ACLs
USERS\.DEFAULT\Software\Microsoft\NetDDE	Administrators: Full control; System: Full control
HKLM\SYSTEM\ControlSet001	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\ControlSet002	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\ControlSet003	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\ControlSet004	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\ControlSet005	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\ControlSet006	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\ControlSet007	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\ControlSet008	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\ControlSet009	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\ControlSet010	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\ControlSet001\Services\Evenlog\Application	Administrators: Full control; System: Full control; Users: Full control
HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities	Administrators: Full control; System: Full control
HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers	Administrators: Full control; System: Full control
HKLM\SYSTEM\CurrentControlSet\Hardware Profiles	Administrators: Full control; System: Full control
HKLM\SYSTEM\CurrentControlSet\Control\Securepipeservers\winreg	Administrators: Full control; System: Full control
HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security	Administrators: Full control; System: Full control
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies	Administrators: Full control; System: Full control
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib	Administrators: Full control; Power Users: Read System: Full control Users: Full Control
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer	Administrators: Full control; System: Full control
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	Administrators: Full control; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AsrCommands	Administrators: Full control; System: Full control
HKLM\SOFTWARE\Microsoft\NetDDE	Administrators: Full control; System: Full control
HKLM\SOFTWARE\Microsoft\OS/2 Subsystem for NT	Administrators: Full control; System: Full control
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug	Administrators: Full control; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers	Administrators: Full control; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper	Administrators: Full control; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList	Administrators: Full control; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\CurrentControlSet\Control\ContentIndex	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\CurrentControlSet\Services\EventLog	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\CurrentControlSet\Control\Computername	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout	Administrators: Full control; System: Full control; Users: Read
HKLM\Software\Classes	Administrators: Full control; System: Full control; Users: Read
USERS\.DEFAULT	Administrators: Full control; Power Users: Read; System: Full control; Users: Read
HKLM\SYSTEM\CurrentControlSet\Hardware Profiles	Administrators: Full control; System: Full control;
HKLM\SYSTEM\CurrentControlSet\Enum,1,"D:AR"
HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers	Administrators: Full control; System: Full control; Users: Read
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg	Administrators: Full control; System: Full control; Users: Read
HKLM\System	Administrators: Full control; Power Users: Read; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows	Administrators: Full control; Power Users: Read; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones	Administrators: Full control; Power Users: Read; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost	Administrators: Full control; Power Users: Read; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole	Administrators: Full control; Power Users: Read; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit	Administrators: Full control; Power Users: Read; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009	Administrators: Full control; Power Users: Read; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping	Administrators: Full control; Power Users: Read; System: Full control; Users: Full control
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	Administrators: Full control; Power Users: Read; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS	Administrators: Full control; Power Users: Read; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	Administrators: Full control; Power Users: Read; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Classes	Administrators: Full control; Power Users: Read; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AsrCommands	Administrators: Full control; Power Users: Read; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility	Administrators: Full control; Power Users: Read; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	Administrators: Full control; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	Administrators: Full control; System: Full control;
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer	Administrators: Full control; System: Full control;
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy	Administrators: Full control; Authenticated Users: Read System: Full control;
HKLM\SOFTWARE\Microsoft\SystemCertificates	Administrators: Full control; Power Users: Read; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Secure	Administrators: Full control; Power Users: Read; System: Full control; Users: Read
HKLM\SOFTWARE\Microsoft\Protected Storage System Provider
HKLM\SOFTWARE\Microsoft\NetDDE	Administrators: Full control; System: Full control;

File/Folder ACLs
C:\	Administrators, and System: Full control; Users: Read & Execute
C:\Compaq	Administrators and System: Full control
C:\CPQSYSTEM	Administrators and System: Full control
C:\CPQUTIL	Administrators and System: Full control
C:\Utils	Administrators and System: Full control
C:\IBM	Administrators and System: Full control
C:\HPDrv	Administrators and System: Full control
C:\uxlog	Administrators and System: Full control
%SystemDrive%\Documents and Settings\Administrator	Administrators and System: Full control
%SystemDrive%\Documents and settings\All Users\Application Data\	Administrators and System: Full control; Users: Read & Execute
%SystemDrive%\Documents and settings\All Users\Documents\	Administrators and System: Full control; Users: Read & Execute
%SystemDrive%\Documents and settings\All Users\DRM	Administrators and System: Full control; Users: Read & Execute
%SystemDrive%\Documents and Settings\All Users\Documents\DrWatson	Administrators and System: Full control; Users: Read & Write
%SystemDrive%\Temp	Administrators and System: Full control
%SystemRoot%\Temp	Administrators and System: Full control
%SystemRoot%\regedit.exe	Administrators: Full control
%SystemRoot%\debug	Administrators and System: Full control
%SystemRoot%\Registration	Administrators and System: Full control
%SystemRoot%\security	Administrators, System. And Creator Owner: Full control
%SystemRoot%\repair	Administrators and System: Full control
%SystemDirectory%	Administrators, System. And Creator Owner: Full control; Users: Read & Execute
%SystemDirectory%\spool\printers	Administrators and System: Full control
%Systemdirectory%\regedt32.exe	Administrators: Full control
%SystemRoot%	Administrators, System. And Creator Owner: Full control; Users: Read & Execute
%SystemDrive%\Boot.ini	Administrators: Full control System: Full control
%SystemDrive%\Ntdetect.com	Administrators: Full control System: Full control
%SystemDrive%\Ntldr	Administrators: Full control System: Full control
%SystemDrive%\Io.sys	Administrators: Full control System: Full control
%SystemDrive%\Autoexec.bat	Administrators: Full control System: Full control Users: Read and Execute, List Folder Contents, and Read
%SystemDrive%\Config.sys	Administrators: Full control System: Full control Users: Read and Execute, List Folder Contents, and Read
%SystemRoot%\system32\Append.exe	Administrators: Full control
%SystemRoot%\system32\Arp.exe	Administrators: Full control
%SystemRoot%\system32\At.exe	Administrators: Full control
%SystemRoot%\system32\Attrib.exe	Administrators: Full control
%SystemRoot%\system32\Cacls.exe	Administrators: Full control
%SystemRoot%\system32\Change.exe	Administrators: Full control
%SystemRoot%\system32\Chcp.com	Administrators: Full control
%SystemRoot%\system32\Chglogon.exe	Administrators: Full control
%SystemRoot%\system32\Chgport.exe	Administrators: Full control
%SystemRoot%\system32\Chguser.exe	Administrators: Full control
%SystemRoot%\system32\Chkdsk.exe	Administrators: Full control
%SystemRoot%\system32\Chkntfs.exe	Administrators: Full control
%SystemRoot%\system32\Cipher.exe	Administrators: Full control
%SystemRoot%\system32\Cluster.exe	Administrators: Full control
%SystemRoot%\system32\Cmd.exe	Administrators: Full control
%SystemRoot%\system32\Compact.exe	Administrators: Full control
%SystemRoot%\system32\Command.com	Administrators: Full control
%SystemRoot%\system32\Convert.exe	Administrators: Full control
%SystemRoot%\system32\Cscript.exe	Administrators: Full control
%SystemRoot%\system32\Debug.exe	Administrators: Full control
%SystemRoot%\system32\Dfscmd.exe	Administrators: Full control
%SystemRoot%\system32\Diskcomp.com	Administrators: Full control
%SystemRoot%\system32\Diskcopy.com	Administrators: Full control
%SystemRoot%\system32\Doskey.exe	Administrators: Full control
%SystemRoot%\system32\Edlin.exe	Administrators: Full control
%SystemRoot%\system32\Exe2bin.exe	Administrators: Full control
%SystemRoot%\system32\Expand.exe	Administrators: Full control
%SystemRoot%\system32\Fc.exe	Administrators: Full control
%SystemRoot%\system32\Find.exe	Administrators: Full control
%SystemRoot%\system32\Findstr.exe	Administrators: Full control
%SystemRoot%\system32\Finger.exe	Administrators: Full control
%SystemRoot%\system32\Forcedos.exe	Administrators: Full control
%SystemRoot%\system32\Format.com	Administrators: Full control
%SystemRoot%\system32\Ftp.exe	Administrators: Full control
%SystemRoot%\system32\Hostname.exe	Administrators: Full control
%SystemRoot%\system32\Iisreset.exe	Administrators: Full control
%SystemRoot%\system32\Ipconfig.exe	Administrators: Full control
%SystemRoot%\system32\Ipxroute.exe	Administrators: Full control
%SystemRoot%\system32\Label.exe	Administrators: Full control
%SystemRoot%\system32\Logoff.exe	Administrators: Full control
%SystemRoot%\system32\Lpq.exe	Administrators: Full control
%SystemRoot%\system32\Lpr.exe	Administrators: Full control
%SystemRoot%\system32\Makecab.exe	Administrators: Full control
%SystemRoot%\system32\Mem.exe	Administrators: Full control
%SystemRoot%\system32\Mmc.exe	Administrators: Full control
%SystemRoot%\system32\Mode.com	Administrators: Full control
%SystemRoot%\system32\More.com	Administrators: Full control
%SystemRoot%\system32\Mountvol.exe	Administrators: Full control
%SystemRoot%\system32\Msg.exe	Administrators: Full control
%SystemRoot%\system32\Nbtstat.exe	Administrators: Full control
%SystemRoot%\system32\Net.exe	Administrators: Full control
%SystemRoot%\system32\Net1.exe	Administrators: Full control
%SystemRoot%\system32\Netsh.exe	Administrators: Full control
%SystemRoot%\system32\Netstat.exe	Administrators: Full control
%SystemRoot%\system32\Nslookup.exe	Administrators: Full control
%SystemRoot%\system32\Ntbackup.exe	Administrators: Full control
%SystemRoot%\system32\Ntsd.exe	Administrators: Full control
%SystemRoot%\system32\Pathping.exe	Administrators: Full control
%SystemRoot%\system32\Ping.exe	Administrators: Full control
%SystemRoot%\system32\Print.exe	Administrators: Full control
%SystemRoot%\system32\Query.exe	Administrators: Full control
%SystemRoot%\system32\Rasdial.exe	Administrators: Full control
%SystemRoot%\system32\Rcp.exe	Administrators: Full control
%SystemRoot%\system32\Recover.exe	Administrators: Full control
%SystemRoot%\system32\Regedit.exe	Administrators: Full control
%SystemRoot%\system32\Regedt32.exe	Administrators: Full control
%SystemRoot%\system32\Regini.exe	Administrators: Full control
%SystemRoot%\system32\Register.exe	Administrators: Full control
%SystemRoot%\system32\Regsvr32.exe	Administrators: Full control
%SystemRoot%\system32\Replace.exe	Administrators: Full control
%SystemRoot%\system32\Reset.exe	Administrators: Full control
%SystemRoot%\system32\Rexec.exe	Administrators: Full control
%SystemRoot%\system32\Route.exe	Administrators: Full control
%SystemRoot%\system32\Routemon.exe	Administrators: Full control
%SystemRoot%\system32\Router.exe	Administrators: Full control
%SystemRoot%\system32\Rsh.exe	Administrators: Full control
%SystemRoot%\system32\Runas.exe	Administrators: Full control
%SystemRoot%\system32\Runonce.exe	Administrators: Full control
%SystemRoot%\system32\Secedit.exe	Administrators: Full control
%SystemRoot%\system32\Setpwd.exe	Administrators: Full control
%SystemRoot%\system32\Shadow.exe	Administrators: Full control
%SystemRoot%\system32\Share.exe	Administrators: Full control
%SystemRoot%\system32\Snmp.exe	Administrators: Full control
%SystemRoot%\system32\Snmptrap.exe	Administrators: Full control
%SystemRoot%\system32\Subst.exe	Administrators: Full control
%SystemRoot%\system32\Telnet.exe	Administrators: Full control
%SystemRoot%\system32\Termsrv.exe	Administrators: Full control
%SystemRoot%\system32\Tftp.exe	Administrators: Full control
%SystemRoot%\system32\Tlntadmin.exe	Administrators: Full control
%SystemRoot%\system32\Tlntsess.exe	Administrators: Full control
%SystemRoot%\system32\Tlntsvr.exe	Administrators: Full control
%SystemRoot%\system32\Tracert.exe	Administrators: Full control
%SystemRoot%\system32\Tree.com	Administrators: Full control
%SystemRoot%\system32\Tsadmin.exe	Administrators: Full control
%SystemRoot%\system32\Tscon.exe	Administrators: Full control
%SystemRoot%\system32\Tsdiscon.exe	Administrators: Full control
%SystemRoot%\system32\Tskill.exe	Administrators: Full control
%SystemRoot%\system32\Tsprof.exe	Administrators: Full control
%SystemRoot%\system32\Tsshutdn.exe	Administrators: Full control
%SystemRoot%\system32\Usrmgr.com	Administrators: Full control
%SystemRoot%\system32\Wscript.exe	Administrators: Full control
%SystemRoot%\system32\Xcopy.exe	Administrators: Full control
%SystemRoot%\$NT* All Windows Service Pack and Hotfix Uninstallation folders are set to Administrators only permissions.	Administrators: Full control

File and Folder Access Control Lists (ACL) are being applied based on these sources: · Microsoft High Security Workstation Security INF file (hisecws.inf) · Microsoft Optional Component File Security INF file (ocfiless.inf) – Not detailed in this document. · Microsoft “Security Operations Guide for Windows 2000 Server” Appendix A – File Permissions · MSS Baseline.inf · MSS Optional File System ACLs.inf · IISrole.inf

File/Folder Removed
c:\CiscoWebs\*.java
C:\program files\Cisco\TomCat\*.java
C:\program files\Cisco\Tomcat\webapps\examples
C:\program files\Cisco\Tomcat\webapps\ROOT
C:\program files\Cisco\Tomcat\webapps\webdev
C:\program files\Cisco\Tomcat\webapps\admin.xml
C:\program files\Cisco\Tomcat\webapps\admin
C:\program files\Cisco\Tomcat\server\webapps\admin
C:\program files\Cisco\Tomcat\webapps\admin.war
C:\program files\Cisco\Tomcat\webapps\examples.war
C:\program files\Cisco\Tomcat\webapps\root.war
C:\program files\Cisco\Tomcat\webapps\test.war
\winnt\system32\tlntadmn.exe
\winnt\system32\tlntsess.exe
\winnt\system32\tlntsvr.exe
\winnt\system32tlntsvrp.dll
\winnt\system32\dllcache\tlntadmn.exe
\winnt\system32\dllcache\tlntsess.exe
\winnt\system32\dllcache\tlntsvr.exe
\winnt\system32\dllcache\tlntsvrp.dll
\winnt\system32\posix.exe
\winnt\system32\psxss.exe
\winnt\system32\psxdll.dll
\winnt\system32\os2.exe
\winnt\system32\os2srv.exe
\winnt\system32\os2ss.exe
\winnt\system32\dllcache\posix.exe
\winnt\system32\dllcache\psxss.exe
\winnt\system32\dllcache\psxdll.dll
\winnt\system32\dllcache\os2.exe
\winnt\system32\dllcache\os2srv.exe
\winnt\system32\dllcache\os2ss.exe
C:\Program Files\NetMeeting\.
C:\Winnt\System32\dllcache\NNTP.

Service ACLs
Portable Media Serial number service	Administrators, and System: Full control
HP Insight Event Notifier	Administrators, and System: Full control
ASF Agent	Administrators, and System: Full control
SMBus Upgrade Service for Windows	Administrators, and System: Full control