Windows XP Service Pack 2
  


Changes in Windows XP Service Pack 2

Windows XP Service Pack 2 introduces several fundamental changes to the way Windows XP communicates on a network.  By default, a new Windows Firewall is installed and enabled.  The Firewall gives the workstation better security against malicious programs and network users.  It also disables some service, management and diagnostic functionality in Windows.  This is desirable on an Internet connection. However, much LAN remote management functionality is disabled by default.  


Reason for Windows Firewall Configuration

On a LAN connection, the default settings for Windows Firewall can disable network services, Remote Desktop, WMI, ICMP (ping) and many other applications that require network access to function.  With the default Windows Firewall settings in XP Service Pack 2, MetaLAN will not be able to remote control or gather information from XP computers on your network.  The need to configure Windows Firewall is not unusual: most suppliers of network management software will have to release recommended Windows Firewall configurations to allow their software to function as intended.  On most Windows 2000+ domains, the best way to configure Windows Firewall on multiple XP clients is to use Group Policy.

You should see your Network Administrator about the required changes to the Windows Firewall.  Step-by-step instructions are provided below.



Windows XP Service Pack 2 Group Policy Settings for MetaLAN


Requirements for Creating Windows Firewall Group Policy

An account that has administrative rights to create group policies on the domain, usually a member of the built-in “domain admins” security group.
Windows Server 2003 Administration Tools Pack.  Downloadable from Microsoft.
Windows XP Service Pack 2.  Downloadable from Microsoft.



Steps Involved
  1. Install XP Service Pack 2 on the XP Workstation you are going to create the new Group Policy from.
  2. Install the “Windows Server 2003 Administration Tools Pack” on the XP Workstation you are going to create the new Group Policy from.
  3. Create a Group Policy for XP Service Pack 2 Firewall.


Create a Group Policy for XP Service Pack 2 Firewall.

You will need a Windows XP computer with Service Pack 2 and the “Windows Server 2003 Administration Tools Pack” installed to complete the following steps.  They can be downloaded from Microsoft’s website.


  1. On the XP computer click [Start] [Run], type “dsa.msc” and click [OK].

  2. Select the Domain you wish to add the Group Policy to.

  3. Right click the domain and click [Properties].

  4. On the [Group Policy] tab click [New].

  5. Give the Group Policy Object a descriptive name like “XP Service Pack 2 Firewall”.

  6. Now with the new Group Policy selected click [Edit]. The Group Policy Editor MMC will launch with your new Group Policy.
  7. Expand [Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile].

  8. Configure the following settings. Double click a setting to edit it. Click [OK] to accept a new setting.



Settings not specified here can be set to any setting your network requires.




Setting : Windows Firewall: Allow remote administration
 
State : Enabled
 

Select [Enabled] and enter the networks you will allow connections from in the dialog. Enter “*” to allow connections from all networks, or follow the instructions provided on the “Setting” and “Explain” tabs to allow administration only from the networks you specify.
Click [OK] to accept the new setting.
 




Setting : Windows Firewall: Allow file and print sharing exception
 
State : Enabled
 

Select [Enabled] and enter the networks you will allow connections from in the dialog. Enter “*” to allow connections from all networks, or follow the instructions provided on the “Setting” and “Explain” tabs to allow administration only from the networks you specify.
Click [OK] to accept the new setting.
 




Setting : Windows Firewall: Allow ICMP exceptions
 
State : Enabled
 

Without the ability to “ping” computers via ICMP, MetaLAN will not be able to determine if a computer is online. The only setting that is required is “Allow inbound echo request”.
Select [Enabled] and check [Allow inbound echo request].
Click [OK] to accept the new setting.
 




Setting : Windows Firewall: Define port exceptions
 
State : Enabled
 

This setting will allow Remote Control sessions using VNC. If you do not wish to use VNC, or you always use Windows Terminal Services or Remote Desktop to control client computers, this setting is not required.
Select [Enabled].

Click [Show].
In the Define port exceptions dialog click [Show]. Now click [Add].

In the Add Item dialog type “5900:TCP:*:enabled:VNCServer”. If you wish to allow connections from specific networks only, follow the instructions provided on the “Setting” and “Explain” tabs.
Click [OK] to add the new item. Click [OK] to close the show contents window and click [OK] to accept the new setting.
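
The port exception entry above has five colon-separated fields (port, transport, scope, status, name). The following is an added example, not part of MetaLAN or of the original instructions: a small Python check that parses such entries and reports the ones left open to all networks. The scope syntax beyond “*” (comma-separated addresses, subnets, and “localsubnet”) is an assumption based on the policy's “Explain” text, and the subnet in the second sample entry is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class PortException:
    port: int
    transport: str
    scope: list      # "*", "localsubnet", or ipaddress network objects
    enabled: bool
    name: str

    @property
    def open_to_all(self):
        # An enabled entry whose scope contains "*" accepts any source address.
        return self.enabled and "*" in self.scope

def parse_port_exception(entry):
    """Parse 'port:transport:scope:status:name' as typed in the Add Item dialog."""
    parts = entry.strip().split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 colon-separated fields: {entry!r}")
    port_s, transport, scope_s, status, name = parts
    port = int(port_s)                      # ValueError if not numeric
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if transport.upper() not in ("TCP", "UDP"):
        raise ValueError(f"unknown transport: {transport!r}")
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"unknown status: {status!r}")
    scope = []
    for item in (s.strip() for s in scope_s.split(",")):
        if item.lower() in ("*", "localsubnet"):
            scope.append(item.lower())
        else:                               # single address or a.b.c.d/nn subnet
            scope.append(ipaddress.ip_network(item, strict=False))
    return PortException(port, transport.upper(), scope,
                         status.lower() == "enabled", name)

def audit(entries):
    """Return 'port/transport name' for each enabled entry open to all networks."""
    parsed = (parse_port_exception(e) for e in entries)
    return [f"{p.port}/{p.transport} {p.name}" for p in parsed if p.open_to_all]

# The first entry is the page's; the second is constructed (subnet is a placeholder).
SAMPLE = [
    "5900:TCP:*:enabled:VNCServer",
    "5900:TCP:192.168.10.0/24,localsubnet:enabled:VNCServer",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it over the entries you plan to add to the policy; anything it lists is reachable on that port from every network the domain profile applies to.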
 





Internet Links



Help installing Windows XP Service Pack 2:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;windowsxpsp2



Windows Server 2003 Administration Tools Pack:

http://www.microsoft.com/downloads/ and search for “Windows Server 2003 Administration Tools Pack”.



Support for MetaLAN:

http://support.hammer-software.com






www.hammer-software.com