Hotfixes for Windows Server 2003 OS ----------------------------------- April 16, 2013 This CD is for use installing Avaya (Nortel) CallPilot Servers and CallPilot web servers. It allows updating the Windows Server 2003 OS from CD without connecting to the Internet. It is updated every month to incorporate newly released security patches. Note that there is no problem re-installing the same hotfixes that have already been previously installed. CallPilot Server ---------------- First install the latest available CallPilot security PEP. Reboot. SP2 is now required. If SP2 is not already on the CallPilot server, install it using PEP CPSECPEPSP2S. (NOTE: 202i, 1006r already have SP2) Then, depending on which security PEP you installed, run a batch file to install any more recent Microsoft hotfixes: If you installed CP404SEC004S, run "postSec004HotFixes.bat" If you installed CP404SEC005S, run "postSec005HotFixes.bat" If you installed CPSECPEP006S, run "postSec006HotFixes.bat" If you installed CPSECPEP007S, run "postSec007HotFixes.bat" If you installed CPSECPEP008S, run "postSec008HotFixes.bat" If you installed CPSECPEP009S, run "postSec009HotFixes.bat" If you installed CPSECPEP010S, run "postSec010HotFixes.bat" If you installed CPSECPEP011S, run "postSec011HotFixes.bat" If you installed CPSECPEP012S, run "postSec012HotFixes.bat" If you installed CPSECPEP013S, run "postSec013HotFixes.bat" If you installed CPSECPEP014S, run "postSec014HotFixes.bat" If you installed CPSECPEP015S, run "postSec015HotFixes.bat" NOTE: Also, the Daylight Savings Time patches are not installed by these batch files. Particular CallPilot PEPs are required to address DST changes. NOTE: As of June 2009, SP2 is required. Microsoft no longer issues patches for systems that have only SP1. NOTE: this version of the CD also installs KB967715 to fix an issue where autorun may not be disabled fully CallPilot Web Server -------------------- (Use Control Panel - System (General tab) to see the Service Pack level) If the web server does not have SP2 (or later), you need to install it and reboot. After installing SP2, or if the web server already has SP2, you can add more recent Microsoft hotfixes by running "WebServerPostSP2HotFixes.bat" to install more recent Microsoft hotfixes. Then reboot. These batch files, which are intended for CallPilot Web Servers, will also install the Microsoft Time Zone and Daylight Savings Time hotfix (KB2443685) Dec 2010. NOTE: the MS08-037 hotfix causes issues with the ZoneAlarm software firewall Checking Hotfixes ----------------- A tool is provided that checks to ensure that all needed hotfixes (up to the date of the CD) are properly installed. This tool can be used on either the CallPilot server or the CallPilot Web Server. Note that the Checker tool may show some updates missing that are not "security updates". This is normal. Do not install any such updates unless they have been specifically authorized in bulletin "CallPilot Server Security Update" (included on the Hotfix CD). To run the Checker, first copy the "Checker" folder from the CD to the hard drive under "D:\TEMP". Then run the batch file "CheckHotFixes.bat". Wait a few minutes until the file "CheckResult.txt" is displayed in Notepad. The file will show all the hotfixes that are installed, then, towards the bottom of the file, it will show any missing updates. Each listed update has a "Severity" shown. If the severity is "(no rating)", then the it is not a needed security update. If an error occurs saying that the Windows Update Agent is missing, you can install the Windows Update Agent from the CD under the Checker folder. The Checker makes use of a list of hotfixes that was up-to-date as of the date of the HotfixCD. It is intended to check for correct installation of the included hotfixes. If Internet access is available, it is also possible to check the system against the latest set of Microsoft hotfixes. Use a command prompt to execute "CheckHotFixes current". This will download the lastest hotfix list and will check the system against it. If Internet access is not available, you can use a separate Internet connected PC to obtain the latest version of the file wsusscn2.cab. Be sure to download it from Microsoft, (e.g from http://go.microsoft.com/fwlink/?LinkId=76054 or simply Google wsusscn2.cab). Copy the file to the Checker folder on the hard drive of the CallPilot server (using a network share, USB drive or burned CD). (Replace the existing copy of wsusscn2.cab). Then run CheckHotFixes.bat. Consult bulletin "CallPilot Server Security Update" to determine which security patches have been authorized. You can then run Windows Update to ensure that all authorized patches have been installed. NOTE: when the Checker has finished, it will disable the Automatic Updates service. If you need to run Windows Update later, you may have to use the Administrative Tools - Services applet to set the Automatic Updates service to "Automatic" and to start it. References ---------- P-2006-0227 Global CallPilot 4 JITC Hardened Configuration (see Appendix E) CallPilot Server Security Update (reissued every month) P-2009-0039 Global CallPilot Support for Anti-virus Applications (reissued periodically) Copyright 2005-2013 Microsoft, Avaya