rattler

OK, I should learn to read everything! makecab netfw.in_ will sign it and make it ready for install, right?

That's exactly what I was looking for... Thanks, I'm sorry if I should have known that! I definitely did not read that in any of the documentation. MS's document reads; 1. Copy the default Windows Firewall INF file (Netfw.in_) from a Windows XP SP2 CD image. 2. Make the desired modifications to the INF file. Directions for modifying the INF file are provided in the "Configuration Options Provided in the Windows Firewall INF File" section of this article. 3. Save the modified INF file as Netfw.in_. Step 4 says; Sign the modified Netfw.in_. May be something I should no how to do, also, but how do I "sign" the file? 5. Replace the default Netfw.in_ with the modified Netfw.in_ in the Windows XP SP2 CD image. Should I replace both the Netfw.in_ files sitting in the ic an ip directories? Would that modify the default settings for the SP2 install? 6. Install Windows XP SP2 as normal from the modified Windows XP SP2 CD image. Again, thanks a lot for all of your help!!

Thanks for the replies!! I had gone through the same documents but came up with some other problems; When I expand out WindowsXP-KB835935-SP2-ENU.exe I get two netfw.in_ files. They are in i386\ip and i386\ic, not sure which one would be the one to use. Both files look like; MSCF ® , F ¸ 1!± netfw.inf hJÅF`¸[€€? ‚+ 4" `ofATH÷ Åë$O¶ËY†tH–(æ@*ïíàÛjwï§ÿý” š :Bb\â‰KaìÄ‚N¸-‘$”JMÿ‚ÿÿÿÿ ÿ @ ? ,……ðø¯ÿ¿Ëü€7xTÛ´·îé«$Bˆ…WL ëKM:õèJ-± ‰>Áê?ñÇ'5â²9Ídeß[¦Ìàkb’ˆ5f—bÙêBK%*4¨nL¹?¥Bl*,ú¹:åŒkÎ΀º&5›(~Ýõu¨ÜœkõaMÇÞrlzÖB”• ƒÒC" C±·ã Úîe:–6jì¼|Ý~E?@if3žúúúJ ÷ÂêbÔØ]ýnú}«ˆãÖUC–:ÝÇ_æ°Ö1ãaå@õóþy¿?Yp!<ݳ¹Ÿ<ä^§`òP…1¶LæM„mÝ5²ÇÆ]ø&?Ì{ð?8 According to the MS documentation these files should be readable. And I should be able to update the files, rename them to netfw.ini and then the settings will take. My understanding, though, is that netfw should be included, like the unattend.txt file, with a full OS, windows XP (SP2), install not just the SP2 upgrade. I guess I was assuming that since MS was forcing this update on us, they would give us the ability to configure it the way we want.... Stupid me! Either way, it looks like I am stuck. FYI. In order to get around this, we are just running a registry hack that adds the exceptions we want. Real easy, just import a .reg file to the registry with; [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "135:TCP"="135:TCP:192.168.5.0/255.255.255.255:Enabled:Port 135" Change the key to StandardProfile\GloballyOpenPorts\List for non AD domain desktops. The syntax is "<Port>:<UDP/TCP>"="<Port:<TCP/UDP:<IP Address>/<Subnet>:<Enabled/Disabled>:<Common Name>" Port is the port you want to allow through, address/subnet is the address of the remote machine that you want to allow through and common name is whatever you want to label this exception. Same thing as netfw.in_, just a little less automated.

One of our many problems with the "forced" nature of the SP2 install from automatic updates is that the installed firewall is removing our ability to monitor our desktops. We are planning on blocking all traffic to windowsupdate.microsoft.com to make sure that the updates do not come down on the 16th. Then we are planning on releasing SP2 (using update.exe) while adding some exemptions to the firewall configuration to allow our security machines to monitor certain ports. The Problem; MS has removed the /unattend:<path>\unatted.txt switch from the SP2 install. I have been through all of the MS documentation and can not find a way to include a custom firewall configuration with the SP2 install. BTW. we have already created a slipstream CD for new XO installs but this will not help with my existing XP desktops. Any ideas?