Windows XP Service Pack 2 Group Policy Settings for MetaLAN and BlackProbe Versions 1.x



http://www.hammer-software.com



Windows XP Service Pack 2

Windows XP Service Pack 2 introduces several fundamental changes to the way Windows XP communicates on a network.  By default, a new Windows Firewall is installed and enabled.  The Firewall gives the workstation better security against malicious programs and network users.  It also disables some service, management and diagnostic functionality in Windows.  This is desirable on an Internet connection. 

 

 

Reason for Windows Firewall Configuration

On a LAN connection, the default settings for Windows Firewall can disable network services, Remote Desktop, WMI, ping and many other applications that require network access to function. MetaLAN will not be able to remote control or gather information from XP computers on your network with the default settings for Windows Firewall in XP Service Pack 2. The need to configure Windows Firewall is not unusual, as most suppliers of network management software will have to release recommended Windows Firewall configurations to allow their software to function as intended. On most Windows 2000+ domains, the best way to configure Windows Firewall on multiple XP clients is to use Group Policy.

Requirements for Creating Windows Firewall Group Policy

 

 

Steps Involved

  1. Install XP Service Pack 2 on the XP workstation.
  2. Install the “Windows Server 2003 Administration Tools Pack” if it is not already installed on the XP workstation.
  3. Create a Group Policy for XP Service Pack 2 Firewall.


Create a Group Policy for XP Service Pack 2 Firewall.

 

You will need a Windows XP computer with Service Pack 2 and the “Windows Server 2003 Administration Tools Pack” installed to complete the following steps. They can be downloaded from Microsoft’s website.

  1. On the XP computer, click [Start], then [Run], type “dsa.msc” and click [OK].

  2. Select the domain you wish to add the Group Policy to.

  3. Right-click the domain and click [Properties].

  4. On the [Group Policy] tab, click [New].

  5. Give the Group Policy Object a descriptive name like “XP Service Pack 2 Firewall”.

  6. With the new Group Policy selected, click [Edit]. The Group Policy Editor MMC will launch with your new Group Policy.

  7. Expand [Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile].

  8. Configure the following settings. Double-click a setting to edit it. Click [OK] to accept a new setting.

 

Settings not specified here can be set to whatever your network requires.

Setting: Windows Firewall: Allow remote administration
State: Enabled

Select [Enabled] and enter the networks you will allow connections from in the dialog. Enter “*” for all networks or follow the instructions provided on the “Setting” and “Explain” tabs to allow administration from the networks you specify.

Click [OK] to accept the new setting.


 

 

Setting: Windows Firewall: Allow file and print sharing exception
State: Enabled

Select [Enabled] and enter the networks you will allow connections from in the dialog. Enter “*” for all networks or follow the instructions provided on the “Setting” and “Explain” tabs to allow administration from the networks you specify.

Click [OK] to accept the new setting.


 

Setting: Windows Firewall: Allow ICMP exceptions
State: Enabled

Without the ability to “ping” computers via ICMP, MetaLAN will not be able to determine whether a computer is online. The only setting that is required is “Allow inbound echo request”.

Select [Enabled] and check [Allow inbound echo request].

Click [OK] to accept the new setting.


 

Setting: Windows Firewall: Define port exceptions
State: Enabled

This setting will allow remote control sessions using VNC. If you do not wish to use VNC, or you always use Windows Terminal Services or Remote Desktop to control client computers, this setting is not required.

Select [Enabled].

Click [Show].

In the Define port exceptions dialog click [Show]. Now click [Add].

In the Add Item dialog type “5900:TCP:*:enabled:VNCServer”. If you wish to allow connections from specific networks only, follow the instructions provided on the “Setting” and “Explain” tabs.

 

Click [OK] to add the new item.  Click [OK] to close the show contents window and click [OK] to accept the new setting.
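The following is an added example, not part of the original document or of Hammer Software's tools: a Python check for "Define port exceptions" entries such as the one above, which flags enabled entries whose scope is "*" (all networks) and entries that are malformed. It assumes the entry form port:transport:scope:status:name with TCP or UDP, enabled or disabled, and a scope of "*", "localsubnet" or IPv4 addresses and subnets; the function names and all sample entries other than the page's own are constructed for illustration.

```python
import ipaddress

def parse_port_exception(entry):
    """Parse '<Port>:<Transport>:<Scope>:<Status>:<Name>' (assumed layout); raise ValueError if malformed."""
    parts = entry.strip().split(":", 4)
    if len(parts) != 5:
        raise ValueError("expected 5 colon-separated fields: %r" % entry)
    port_s, transport, scope_s, status, name = parts
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError("bad port: %r" % port_s)
    if transport.upper() not in ("TCP", "UDP"):
        raise ValueError("bad transport: %r" % transport)
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError("bad status: %r" % status)
    scope = []
    for item in scope_s.split(","):
        item = item.strip()
        if item == "*" or item.lower() == "localsubnet":
            scope.append(item.lower())
        else:
            # IPv4 address or subnet, e.g. 10.0.0.1 or 10.2.3.0/24 (IPv4 only is an assumption)
            scope.append(str(ipaddress.IPv4Network(item, strict=False)))
    return {"port": int(port_s), "transport": transport.upper(), "scope": scope,
            "enabled": status.lower() == "enabled", "name": name}

def audit(entries):
    """Return (entry, finding) pairs for malformed entries and enabled entries open to all networks."""
    findings = []
    for entry in entries:
        try:
            rule = parse_port_exception(entry)
        except ValueError as exc:
            findings.append((entry, "malformed: %s" % exc))
            continue
        if rule["enabled"] and "*" in rule["scope"]:
            findings.append((entry, "port %d/%s is open to all networks" % (rule["port"], rule["transport"])))
    return findings

# The first entry is the one given on this page; the others are constructed samples.
SAMPLE = [
    "5900:TCP:*:enabled:VNCServer",
    "5900:TCP:localsubnet,10.2.3.0/24:enabled:VNCServer",
    "5900:TCP:*:disabled:VNCServer",
    "5900:ICMP:*:enabled:VNCServer",
]

if __name__ == "__main__":
    for entry, finding in audit(SAMPLE):
        print("%-52s %s" % (entry, finding))
```

Run against the list you intend to paste into the Show Contents dialog, an empty result means every enabled port exception is restricted to named networks.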

 

 

 

 

 

Internet Links

 

Help installing Windows XP Service Pack 2: http://support.microsoft.com/default.aspx?scid=fh;EN-US;windowsxpsp2

 

Windows Server 2003 Administration Tools Pack: http://www.microsoft.com/downloads/ and search for “Windows Server 2003 Administration Tools Pack”.

 

Support for MetaLAN or BlackProbe: http://support.hammer-software.com