This package contains:

1. PEP Number: CP20126G091S


2. Problem Description:
-----------------------
This package contains Microsoft hotfixes be installed on a server that has been
installed with, or upgraded to CallPilot 2.01 (02.01.26). 


3. List of PRs that are fixed by this PEP: 
-------------------------------------------
  This PEP includes all applicable hotfixes issued between Aug 22/2002 and Oct 15/2003.
  This PEP supercedes previous OS Security PEPs CP20126G082S and CP20126G090S.  This PEP
  may be installed whether or not these previous PEPs have been installed.  It will bring
  any 2.02 system up to date with respect to OS hotfixes up to Oct 15/2003.

  Security Improvements: hotfixes to patch the following Microsoft Bulletins:

    MDAC 2.5 SP2 which is needed in order to be able to install hotfix MS03-033

    MS02-045 Aug 22/2002 Unchecked Buffer in Network Share Provider Can Lead to Denial of Service
    MS02-048 Aug 28/2002 Flaw in Certificate Enrollment Control Could Allow Deletion of Digital Certificates
    MS02-050 (updated) Nov 20/2002 Certificate Validation Flaw Could Enable Identity Spoofing (Q329115) (includes Q328145)
    MS02-052 Sep 18/2002 Flaw in Microsoft VM JDBC Classes Could Allow Code Execution
    MS02-065 Nov 20/2002 Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414)
    MS03-001 Jan 22/2003 Unchecked Buffer in Locator Service Could Lead to Code Execution (810833)
    KB811630 HTML Help Update to Limit Functionality When It Is Invoked with the windows.showHelp() Method
    MS03-007 Mar 17/2003 Unchecked buffer in Windows component could cause webserver compromise (815021) (revised Apr 23/2003)
    MS03-008 Mar 19/2003 Flaw in Windows Script Engine Could Allow Code Execution (814078)
    MS03-011 Apr 09/2003 Flaw in Microsoft VM Could Enable System Compromise (816093) (includes MS02-069)
    MS03-013 Apr 16/2003 Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493)
    MS03-023 Jul 9/2003  Buffer Overrun In HTML Converter Could Allow Code Execution (823559)
    MS03-024 Jul 9/2003  Buffer Overrun in Windows Could Lead to Data Corruption (817606)
    MS03-026 Jul 16/2003 Buffer Overrun in RPC Interface Could Allow Code Execution (823980)
    (issue)  Oct 9/2002  GetEffectiveRightsFromAcl Fails in Service Pack 6
    MS03-018 May 28/2003 Cumulative Patch for Internet Information Service (811114) (Supercedes MS02-062, MS02-028 and MS02-018) 
    KB305929 issue This Certificate Has an Invalid Digital Signature
    KB823492 issue Enabling the PIPE_CREATE_INSTANCE flag for non-admin users (823492)
    MS01-056 Windows Media Player .ASF Processor Contains Unchecked Buffer
    MS03-029 Flaw in Windows Function Could Allow Denial of Service (823803)
    MS03-030 Unchecked Buffer in DirectX Could Enable System Compromise (819696)
    MS03-033 Unchecked Buffer in MDAC Function Could Enable System Compromise (Q823718)
    MS03-034 Flaw in NetBIOS Could Lead to Information Disclosure (824105)
    MS03-039 Buffer Overrun in RPCSS Service Could Allow Code Execution (824146)
    MS03-040 Cumulative Patch for Internet Explorer (828750)
    MS03-040 Windows Media Player 6.4 patch (828026) (additional patch recommended by MS03-040)
    MS03-041 Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)
    MS03-043 Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
    MS03-044 Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)


    NOTE: Hotfix MS02-071 is not installed on CallPilot since it impacts CallPilot functionality.
          Hotfix MS03-045 is also not installed since it has the same impact.
          Nortel Networks considers the security risk due to these unpatched vulnerabilities
          to be very low on a CallPilot server.

    In addition, this PEP disables the Windows NT Messenger Service so that it no longer starts.
    This service is not needed on CallPilot.  Not running the service means it cannot be attacked.
    The PEP also disables the automatic creation of administrative shares to reduce the ability
    of a virus to be able to access drives by guessing the administrator password.
  


4. Pre-installation notes:
--------------------------
1. Make sure you are installing this PEP on a server that has been installed
   with, or upgraded to CallPilot 2.01 (2.01.26).

2. Disable any active anti-virus software active on the server prior to installing
   this PEP.  (This makes the PEP install faster.)  As a precaution, it's recommended 
   the CLAN connection be disconnected prior to disabling the anti-virus software.  

3. Ensure the system has sufficient disk-space available to install this PEP.  If
   needed, remove any unnecessary files and folders in the c:\temp or d:\temp folders.
   If an error occurs while attempting to remove a particular file, ignore the error, but
   try to remove as many files and folders as possible in the temp folder.  It is possible
   that the file is being used by Windows NT.  Note: do not remove the c:\temp and
   d:\temp, and d:\temp\CP20126G091S folders. Once you have finished cleaning up empty 
   the recycle bin.

4. Ensure there is a recent backup available prior to installing this PEP.  It's always
   recommended that a backup be performed (or split RAID) just prior to performing any
   server maintenance activity to ensure the most recent customer data is available
   should a restore be needed.

5. The PEP installation is automatic, however it requires 2 reboots.  The PEP install
   will automatically reboot the server after installing MDAC2.5 SP2.  The PEP install
   will login automatically and will continue automatically to install the remaining
   hotfixes.  

   NOTE: After the reboot, there may be a delay of up to 10 minutes with a message saying
         "Setting up Control Panel"  Please be patient.

   When this is complete, a dialog box is displayed with the title
   "CallPilot OS Security PEP Installation Completed".  The system will reboot into
   service when the OK button is clicked on this dialog.

   Note: Do not reboot the system until the PEP installation is finished, otherwise the PEP
         may not be properly registered on the server.


5. Installing the PEP:
----------------------
1. Begin installation by executing CP20126G091S.exe to extract the files to 
   the D:\TEMP\CP20126G091S folder.

2. Navigate to the D:\TEMP\CP20126G091S folder and run "RUNME.BAT" to launch the installer.
   Note that RUNME.BAT MUST be executed from this exact folder or the PEP install will fail.

3. Click on OK to start the installation of the PEP.  Total time required will be 20 to 40
   minutes, plus the time to reboot into service.

   After installing MDAC 2.5 SP2, the system will be rebooted.  PEP installation will 
   continue automatically after the reboot.

   Note: This PEP automatically installs a large number of Microsoft hot fixes. Do not
         close any windows or click on any buttons while the PEP is being installed or
         the PEP will not install successfully.

4. When the PEP installation is complete, a window will be displayed with the title 
   "CallPilot OS Security PEP Installation Completed". Click on the OK button to reboot
   the server.

5. If anti-virus software was disabled, check to ensure it is now enabled.  Note that it
   must be properly configured to scan "incoming" files only.  See the bulletin on 
   configuring anti-virus software for CallPilot.


6. Impact on Future Upgrade
---------------------------
This PEP installs a set of hotfixes that are more recent than those installed by the CallPilot
2.02D OS Recovery CD.  Upgrading the OS to 2.02D after installing PEP CP20126G091S will 
overwrite some of the recent hotfixes.  After upgrading to 2.02, be sure to apply the 
appropriate CallPilot PEPs in the 2.02 (2.01.27) stream to ensure that the system has the
most recent hotfixes properly installed.



7. Uninstall:
-------------
Due to the nature of the Microsoft hotfixes contained within this PEP, it cannot be
uninstalled. Once applied, if removed from DMIViewer, only the reference to PEP CP20126G091S
will actually be removed.

If the PEP needs to be reapplied, first remove the PEP in the DMI Viewer (CallPilot PEP Maintenance
Utility).  Then use regedit to remove the registry key HKLM\SOFTWARE\Nortel\OSSetup\91



8. Supplemental Information:
----------------------------

Microsoft has released a tool called "hfnetchk" to check a system to 
ensure that all relevant security hotfixes are present. A version of 
this tool is provided in the PEP (in the 
D:\TEMP\CP20126G091S\HotFixes\Checker folder).  The tool makes use
of an XML file from Microsoft called "mssecure.xml" telling it which
hotfixes are available, when they are needed and how to check for them.

To run the hot fix checker:

1. Launch a command prompt.
2. Navigate to the D:\TEMP\CP20126G091S\HotFixes\Checker folder.
3. Run CheckHotFixes.bat.

Watch for "Patch Not Found" errors which indicate hotfixes that are 
needed but are not installed.  

Note: For this PEP, it is normal for a warning to be shown related to
      MS02-055 and for MS03-045 to show Patch Not Found.
      (Patches MS02-071 & MS03-045 cause a problem on CallPilot)


Note: The tool may give an error if the CallPilot server is still 
      booting up. If this happens try running the tool again later.

To display a list of hotfixes that have been explicitly installed on 
this server, do the following:

1. Launch a command prompt.
2. Navigate to the D:\TEMP\CP20126G091S\HotFixes\Checker folder.
3. Run ListHotFixes.bat.