Disabling XP SP2 Software Firewall so that UpdateEXPERT Patching is Not Prevented Later

XP SP2 became available on August 10th, 2004. Reviewing the Microsoft articles relating to XP SP2 (listed at the end of this document) is recommended.

Service Pack 2 for Windows XP, when installed on a target machine, tightens security by enabling the "Windows Firewall" software. This software exists in XP SP1, but is not enabled by default. Because the firewall is enabled when XP SP2 is applied, it blocks inbound connections to the well-known and widely used ports 135, 139 and 445, which Windows networking uses in general and which UpdateEXPERT specifically uses for deploying patches. Also blocked are product-specific ports such as the Leaf-Agent ports in UpdateEXPERT.

You can employ several strategies for dealing with XP SP2:

Use "Disable Firewall" During XP SP2 Deployment

When deploying XP SP2 with UpdateEXPERT, you will see a "Disable Firewall" option (checked "on" by default) that has been added specifically for this Service-Pack.

This option sets the "EnableFirewall" value in the registry keys below to zero (0), so that the XP SP2 firewall is disabled and therefore will NOT block ports such as 135, 139 and 445.

If you wish to retain the "Disable Firewall" setting, just click "Next".

IMPORTANT: If you UN-check "Disable Firewall", perhaps because you do not want your registry modified, you will get the following warning from the patch install wizard (after supplying credentials in the next window):

If you UN-check "Disable Firewall" and deploy XP SP2, then when you query the machine later (WXPP0EN-10 below) you will get the red exclamation mark shown here (! = bad network path, because the firewall is on):

At this point you'll want to see "Reconfigure each XP SP2 Machine after SP2 deployment" below.

Note that you'll need to provide Administrator account information for the XP SP2 Service-Pack. If you've taken all the defaults and click "Next", you may simply finish the Wizard dialogue and deploy XP SP2. If you unchecked "Disable Firewall" and click "Next", you'll get the warning above, and then you must decide whether to continue, go back and select "Disable Firewall" again, or just "Cancel" and decide later.

Reconfigure each XP SP2 Machine after SP2 deployment

After SP2 has been successfully applied, and with the SP2 firewall "enabled", UpdateEXPERT will not be able to query Agentless targets, nor Leaf-Agent targets.

To re-enable UpdateEXPERT access to agentless and leaf-agent XP SP2 machines, launch "Windows Firewall" from the Control Panel (on each target system) and open the ports needed for querying and deploying patches to the XP SP2 target. A machine reboot may be necessary for the firewall configuration changes to take effect. If you cannot query the machine after firewall re-configuration, perform a reboot.

The firewall software will be "on" by default as shown below...

From the Advanced tab, select the appropriate connection (LAN in most cases, as opposed to dial up) and click "Settings...".

Below are shown the "well-known" services that can be enabled or disabled by default... but we want to click "Add" to define our own named services and ports that we are going to allow for UpdateEXPERT.

Enter a "Description of service", and one or more remote "Hostnames/IP addresses" that can use the port connection to gain access to this machine. For UpdateEXPERT the machine you want to "allow" is the Master-Agent.

You then enter a port number and whether the port uses TCP or UDP as the underlying transport protocol. In most cases you would use TCP, because it is a "reliable" transport with guaranteed packet delivery; UDP does not guarantee delivery, but performs better because it creates less overhead.

For Agentless machines, do "Add" three times so you end up with something similar to the "enabled" (checked) items shown below.

For Leaf-Agent machines, you would do the same thing, except that Leaf-Agents do not use ports 135, 139 and 445, but instead use a user-defined port connection to the Master-Agent, usually 9968. This means you would only need one entry in the firewall software. Please keep in mind that after installing XP SP2, if you wish to remotely install a Leaf-Agent on the target, you would have to enable 135, 139, and 445 as shown below to allow the remote installation, enable 9968, and then disable 135, 139, and 445 again after you've confirmed that the Master-Agent can query the Leaf-Agent target.
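The same per-port exceptions can be created from the command line on each XP SP2 target with netsh, which makes the result repeatable and lets you confirm that EnableFirewall stayed at 1 rather than being set to 0 by the "Disable Firewall" deployment option. This is an added example, not a script from the UpdateEXPERT product or this article; the Master-Agent address is a constructed placeholder, and the Leaf-Agent port 9968 is the default named above.

```batch
@echo off
rem Added example (not from the UpdateEXPERT article): scope-limited Windows
rem Firewall exceptions on an XP SP2 target, as an alternative to setting
rem EnableFirewall to 0. Run from an administrative command prompt on the target.
rem Assumption: the Master-Agent address below is a constructed placeholder.
set MASTER_AGENT=192.168.1.10

rem 1. Confirm the SP2 firewall is on (expected: Operational mode = Enable).
netsh firewall show state

rem 2. Agentless targets: open 135 (RPC), 139 (NetBIOS session) and 445 (SMB),
rem    each restricted to the Master-Agent instead of every remote host.
for %%P in (135 139 445) do (
    netsh firewall add portopening protocol=TCP port=%%P name="UpdateEXPERT TCP %%P" mode=ENABLE scope=CUSTOM addresses=%MASTER_AGENT% profile=ALL
)

rem 3. Leaf-Agent targets: only the agent port (9968 in the article) is needed
rem    once the Leaf-Agent is installed.
netsh firewall add portopening protocol=TCP port=9968 name="UpdateEXPERT Leaf-Agent" mode=ENABLE scope=CUSTOM addresses=%MASTER_AGENT% profile=ALL

rem 4. Verify the exceptions, and that EnableFirewall is still 1 (0 means the
rem    "Disable Firewall" deployment option turned the firewall off).
netsh firewall show portopening
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall

rem 5. After a remotely installed Leaf-Agent answers the Master-Agent, close
rem    the three Windows networking ports again, as the article recommends:
rem    netsh firewall delete portopening protocol=TCP port=135   (repeat for 139, 445)
```

On a domain-joined machine the DomainProfile key under the same FirewallPolicy path governs the active profile, so check that one as well when the query in step 4 does not match the behaviour you observe.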

Microsoft articles relating to XP SP2 include:

Using the Windows Firewall INF File in Microsoft Windows XP Service Pack 2

Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2

Changes to Functionality in Microsoft Windows XP Service Pack 2

Windows XP Service Pack 2 - Resources for IT Professionals