Archived from groups: microsoft.public.windowsxp.setup_deployment,microsoft.public.windowsxp.work_remotely (More info?)
XP Service Pack 2 is a major update. While it seems to work as advertised,
it does have some new behaviors which can surprise you if you are not aware
of them.
1. XP SP2 turns on the Windows Firewall. This has the effect of turning the
PC into a black hole from the viewpoint of the network. Pings dont respond.
You can't access file shares. PCAnywhere stops working. All ports are
closed and computer refuses all incoming network connections. If your
computer is already behind a separate hardware or software firewall this can
be annoying for remote administration.
2. The Windows Firewall is one-way, i.e., it does not stop spyware or
Trojans from sending information out of the computer. If for example the
computer is already infected with the Blaster virus it will continue to
attempt to spread it to other computers.
3. Automatic Updates is turned on. Annoying if you like to do manual
updates yourself.
4. If you attempt to turn off Windows Firewall or Automatic Updates, the PC
will bitch loudly and often. Lots of scary messages, "Danger: Your computer
could be infected with a virus", etc. If your computer does not have
anti-virus software installed, it will also bitch a lot.
If you don't want the annoying warning messages, or if you don't want to get
locked out of the PC for remote adminstration, I did some investigation and
came up with the following solutions.
The following .REG file will turn off the annoying warning messages:
---------Start cut here-------
REGEDIT4
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
; Dont bitch about the firewall being off.
;
; Also turns off anti-virus and Automatic Update warnings.
; Comment out the lines below as desired.
;
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
---------End cut here---------
To execute, save as xp_fw.reg and click on it. Or type:
REGEDIT xp_fw.reg
For remote execution you can use the /S (silent) switch:
REGEDIT /S xp_fw.reg
The following script will configure XP SP2 for remote administration and
file access. It assumes that your PC is behind a separate hardware or
software firewall.
(If lines wrap you will need to splice them back together.)
---------Start cut here-------
@echo off
REM
REM Arrange to run this script via NT Scheduler
REM to prevent the XP firewall from locking out remote administration
REM
REM Install as C:\DL\xp_fw.cmd, along with C:\DL\xp_fw.reg
REM
REM Run with
REM schtasks /Create /RU SYSTEM /SC DAILY /TN Firewall /TR C:\dl\xp_fw.cmd
/ST 08:00:00
REM
REM ------------------------------------------------------------------
REM Tell the Security Center not to bitch about the firewall being off
REGEDIT /S "C:\DL\xp_fw.reg"
REM
REM This resets the firewall to the out-of-box config. Comment out if
desired
REM NETSH firewall reset
REM
REM This displays a warning if the firewall blocks a program (default
enabled)
rem NETSH firewall set notifications mode=disable profile=all
NETSH firewall set service type=fileandprint mode=enable scope=all
profile=all
NETSH firewall set service type=remoteadmin mode=enable scope=all
profile=all
NETSH firewall set service type=remotedesktop mode=enable scope=all
profile=all
NETSH firewall set portopening protocol=TCP port=5631 name=PCAnywhere
mode=enable scope=all profile=all
NETSH firewall set portopening protocol=UDP port=5632 name=PCAnywhere
mode=enable scope=all profile=all
NETSH firewall set icmpsetting type=all mode=enable profile=all
NETSH firewall set icmpsetting type=5 mode=disable profile=all
NETSH firewall set logging maxfilesize=128
rem
rem This disables the firewall - comment out if desired
rem
NETSH firewall set opmode mode=disable profile=all
---------End cut here---------
The above script will enable file shares, remote admin, remote desktop, and
PCAnywhere. It also enables ICMP messages (ping, echo timestamp, etc),
including all ICMP messages except for ICMP redirect (type=5). The firewall
log size is reduced to 128K max.
If you run SCHTASKS.EXE you can schedule this script to be run periodically.
That way you can install it ahead of time on XP machines not yet running
SP2. Microsoft will start distribution of SP2 via Automatic Update starting
on August 16 2004. When SP2 is auto-downloaded, at 8am the next day the
script will run and open up the machine so you can access it again. This is
how I configured the XP machines that I remotely administer so that I am not
locked out on August 16.
Re: XP rollout
If you are rolling out auto-installs of new copies of XP, you can slipstream
XP SP2 into the install folder (CD-ROM or file share) with the update.exe /s
option. After doing this you can auto-disable the firewall by modifying the
file netfw.ini, located in the i386 subfolder. Here is a copy of the
modified netfw.ini.
(If lines wrap you will need to splice them back together.)
---------Start cut here-------
[version]
Signature = "$Windows NT$"
DriverVer =07/01/2001,5.1.2600.2180
;
; Replacement version of i386\NETFW.INI that disables the Windows Firewall.
; Alan Klietz, Aug 04
;
; Installed by SETUP into \WINDOWS\INF\NETFW.INI
;
; The command "netsh firewall reset" will execute the file in \WINDOWS\INF,
; resetting all parameters to their original defaults.
;
; This file defines what the 'original defaults' are.
;
[DefaultInstall]
AddReg=ICF.AddReg.DomainProfile
AddReg=ICF.AddReg.StandardProfile
[ICF.AddReg.DomainProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPoli
cy\DomainProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe
",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled
xpsp2res.dll,-22019"
;
; Added by AEK to disable the firewall - domain profile
;
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPoli
cy\DomainProfile","DoNotAllowExceptions",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPoli
cy\DomainProfile","EnableFirewall",0x00010001,0
[ICF.AddReg.StandardProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPoli
cy\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.e
xe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019
"
;
; Added by AEK to disable the firewall - standard profile
;
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPoli
cy\StandardProfile","DoNotAllowExceptions",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPoli
cy\StandardProfile","EnableFirewall",0x00010001,0
---------End cut here---------
Regards,
Alan Klietz
Algin Technology LLC
Email: alank at algintech dot com
XP Service Pack 2 is a major update. While it seems to work as advertised,
it does have some new behaviors which can surprise you if you are not aware
of them.
1. XP SP2 turns on the Windows Firewall. This has the effect of turning the
PC into a black hole from the viewpoint of the network. Pings dont respond.
You can't access file shares. PCAnywhere stops working. All ports are
closed and computer refuses all incoming network connections. If your
computer is already behind a separate hardware or software firewall this can
be annoying for remote administration.
2. The Windows Firewall is one-way, i.e., it does not stop spyware or
Trojans from sending information out of the computer. If for example the
computer is already infected with the Blaster virus it will continue to
attempt to spread it to other computers.
3. Automatic Updates is turned on. Annoying if you like to do manual
updates yourself.
4. If you attempt to turn off Windows Firewall or Automatic Updates, the PC
will bitch loudly and often. Lots of scary messages, "Danger: Your computer
could be infected with a virus", etc. If your computer does not have
anti-virus software installed, it will also bitch a lot.
If you don't want the annoying warning messages, or if you don't want to get
locked out of the PC for remote adminstration, I did some investigation and
came up with the following solutions.
The following .REG file will turn off the annoying warning messages:
---------Start cut here-------
REGEDIT4
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
; Dont bitch about the firewall being off.
;
; Also turns off anti-virus and Automatic Update warnings.
; Comment out the lines below as desired.
;
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
---------End cut here---------
To execute, save as xp_fw.reg and click on it. Or type:
REGEDIT xp_fw.reg
For remote execution you can use the /S (silent) switch:
REGEDIT /S xp_fw.reg
The following script will configure XP SP2 for remote administration and
file access. It assumes that your PC is behind a separate hardware or
software firewall.
(If lines wrap you will need to splice them back together.)
---------Start cut here-------
@echo off
REM
REM Arrange to run this script via NT Scheduler
REM to prevent the XP firewall from locking out remote administration
REM
REM Install as C:\DL\xp_fw.cmd, along with C:\DL\xp_fw.reg
REM
REM Run with
REM schtasks /Create /RU SYSTEM /SC DAILY /TN Firewall /TR C:\dl\xp_fw.cmd
/ST 08:00:00
REM
REM ------------------------------------------------------------------
REM Tell the Security Center not to bitch about the firewall being off
REGEDIT /S "C:\DL\xp_fw.reg"
REM
REM This resets the firewall to the out-of-box config. Comment out if
desired
REM NETSH firewall reset
REM
REM This displays a warning if the firewall blocks a program (default
enabled)
rem NETSH firewall set notifications mode=disable profile=all
NETSH firewall set service type=fileandprint mode=enable scope=all
profile=all
NETSH firewall set service type=remoteadmin mode=enable scope=all
profile=all
NETSH firewall set service type=remotedesktop mode=enable scope=all
profile=all
NETSH firewall set portopening protocol=TCP port=5631 name=PCAnywhere
mode=enable scope=all profile=all
NETSH firewall set portopening protocol=UDP port=5632 name=PCAnywhere
mode=enable scope=all profile=all
NETSH firewall set icmpsetting type=all mode=enable profile=all
NETSH firewall set icmpsetting type=5 mode=disable profile=all
NETSH firewall set logging maxfilesize=128
rem
rem This disables the firewall - comment out if desired
rem
NETSH firewall set opmode mode=disable profile=all
---------End cut here---------
The above script will enable file shares, remote admin, remote desktop, and
PCAnywhere. It also enables ICMP messages (ping, echo timestamp, etc),
including all ICMP messages except for ICMP redirect (type=5). The firewall
log size is reduced to 128K max.
If you run SCHTASKS.EXE you can schedule this script to be run periodically.
That way you can install it ahead of time on XP machines not yet running
SP2. Microsoft will start distribution of SP2 via Automatic Update starting
on August 16 2004. When SP2 is auto-downloaded, at 8am the next day the
script will run and open up the machine so you can access it again. This is
how I configured the XP machines that I remotely administer so that I am not
locked out on August 16.
Re: XP rollout
If you are rolling out auto-installs of new copies of XP, you can slipstream
XP SP2 into the install folder (CD-ROM or file share) with the update.exe /s
option. After doing this you can auto-disable the firewall by modifying the
file netfw.ini, located in the i386 subfolder. Here is a copy of the
modified netfw.ini.
(If lines wrap you will need to splice them back together.)
---------Start cut here-------
[version]
Signature = "$Windows NT$"
DriverVer =07/01/2001,5.1.2600.2180
;
; Replacement version of i386\NETFW.INI that disables the Windows Firewall.
; Alan Klietz, Aug 04
;
; Installed by SETUP into \WINDOWS\INF\NETFW.INI
;
; The command "netsh firewall reset" will execute the file in \WINDOWS\INF,
; resetting all parameters to their original defaults.
;
; This file defines what the 'original defaults' are.
;
[DefaultInstall]
AddReg=ICF.AddReg.DomainProfile
AddReg=ICF.AddReg.StandardProfile
[ICF.AddReg.DomainProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPoli
cy\DomainProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe
",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled
xpsp2res.dll,-22019";
; Added by AEK to disable the firewall - domain profile
;
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPoli
cy\DomainProfile","DoNotAllowExceptions",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPoli
cy\DomainProfile","EnableFirewall",0x00010001,0
[ICF.AddReg.StandardProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPoli
cy\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.e
xe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled
xpsp2res.dll,-22019"
;
; Added by AEK to disable the firewall - standard profile
;
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPoli
cy\StandardProfile","DoNotAllowExceptions",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPoli
cy\StandardProfile","EnableFirewall",0x00010001,0
---------End cut here---------
Regards,
Alan Klietz
Algin Technology LLC
Email: alank at algintech dot com
Facebook
Twitter
Instagram