The ssl-fix hotfix corrects several problems in the Secure Sockets Layer (SSL) implementation. This hotfix corrects a security problem in which a malicious user can decode a transaction encryption with SSL by using mathematical analysis and trial and error. The ssl-fix hotfix eliminates the need for separate Server Gated Cryptography (SGC) and non-SGC versions of schannel.dll, corrects a "bad password" error message, and provides a new version of sgcinst.exe. Users of NT 4.0, IIS 3.0 and 4.0, Site Server 3.0 Commerce Edition, Site Server 3.0 Enterprise Edition, and Exchange Server 5.0 and 5.5 need to carefully review the Microsoft article "Generic SSL (PCT/TLS) Updates for IIS and MS Internet Products" at http://support.microsoft.com/support/kb/articles/q148/4/27.asp for information pertaining to those software packages.
The iis4-datafix hotfix corrects a problem with IIS that displays ASP code instead of the processed results of the file. If you append ::$DATA to the end of a URL, IIS displays ASP code. This problem is similar to a previous problem in which an appended period at the end of the URL displayed code instead of processing it. The hotfix places ASP files in an execute-only directory so IIS displays the processed file. The Microsoft article " '::$DATA' Data Stream Name of a File May Return Source" at http://support.microsoft.com/support/kb/articles/q188/8/06.asp provides details. The hotfix is available at ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security.
The sfn-fix hotfix corrects a problem with both IIS 4.0 and Microsoft Personal Web Server (PWS) 4.0, in which the software doesn't apply certain configuration settings when a user requests a URL with short filename equivalents. Short filenames are truncated long filenames converted to eight characters with a three-character extension. For example, the long filename this web document.htm would abbreviate to thiswe~1.htm. The software does not apply the following configuration settings when a user requests a URL with a truncated name: restricted access by IP address, Platform for Internet Content Selection (PICS) ratings, and the SSL encryption requirement. Refer to the Microsoft article "Settings May Not Be Applied with URL with Short Filename" at http://support.microsoft.com/support/kb/articles/q179/1/48.asp for complete details. You can find the sfn-fix hotfix at ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security.
Additional Hotfixes
The rras30-fix hotfix supersedes the rras20-fix hotfix (the Microsoft article refers to this hotfix as the pptp-fix hotfix), and corrects problems in Microsoft's Point-to-Point Tunneling Protocol (PPTP) implementation in conjunction with both Routing and Remote Access Service (RRAS) and Remote Access Service (RAS) protocols. The problems let intruders remove data from the network link and thus jeopardize the entire network. Intruders can download programs such as L0phtCrack to compromise PPTP connections by gathering certain information off the network. Microsoft produced four articles on the matter. Refer to the Microsoft article "PPTP Performance & Security Upgrade for WinNT 4.0 Release Notes" at http://support.microsoft.com/support/kb/articles/q189/5/95.asp.
The dns-fix hotfix corrects several problems with the Domain Name System (DNS) service that can lead to a compromised system. Among the concerns are failed DNS lookup attempts, a zone change from secondary to primary, DNS cache corruption and spoofing attacks, and a DoS attack caused by flooding DNS port 53 with meaningless data. The Microsoft article "Predictable Query IDs Pose Security Risks for DNS Servers" at http://support.microsoft.com/support/kb/articles/q167/6/29.asp discusses aspects of the DNS problem. The dna-fix hotfix makes the DNS server use random query IDs. This patch minimizes the effect of the cache pollution attack.
The winsupd-fix hotfix corrects a problem in the Windows Internet Naming Service (WINS), in which invalid UDP frames directed to any computer running that service cause a WINS exception error resulting in service termination. After WINS crashes, several problems can occur if systems depend on WINS for location information. These problems affect domain synchronization, browsing, or connectivity, as discussed in the Microsoft article "Invalid UDP Frames May Cause WINS to Terminate" at http://support.microsoft.com/support/kb/articles/q155/7/01.asp. The hotfix makes WINS log problematic events and keeps the service from terminating unexpectedly.
The simptcp-fix hotfix corrects problems involving the chargen service. The Simple TCP/IP Service includes the chargen, time of day, echo, and quote of the day services. Attacks against these services send a flood of UDP datagrams to the subnet broadcast address with destination port set at 19 and a spoofed source IP address. The Microsoft article "Denial of Service Attack Against WinNT Simple TCP/IP Services" at http://support.microsoft.com/support/kb/articles/q154/4/60.asp provides further information.
Band-Aid, Anyone?
As you see, you need to consider several hotfixes to further secure your NT systems. Service Pack 4 (SP4) includes many of these hotfixes, but you'll need to download post-SP4 hotfixes to maintain system security.