rattler Posted August 12, 2004

One of our many problems with the "forced" nature of the SP2 install from automatic updates is that the installed firewall is removing our ability to monitor our desktops.

We are planning on blocking all traffic to windowsupdate.microsoft.com to make sure that the updates do not come down on the 16th. Then we are planning on releasing SP2 (using update.exe) while adding some exemptions to the firewall configuration to allow our security machines to monitor certain ports.

The problem: MS has removed the /unattend:<path>\unattend.txt switch from the SP2 install. I have been through all of the MS documentation and cannot find a way to include a custom firewall configuration with the SP2 install.

BTW, we have already created a slipstream CD for new XP installs, but this will not help with my existing XP desktops.

Any ideas?

peachy Posted August 12, 2004

Have you seen this tool from Microsoft to temporarily block Automatic Update from downloading SP2?

As for your other problems, I'm not sure how to fix that, yet.

Alanoll Posted August 12, 2004

Expand netfw.in_ from the SP2 network install. (I'm assuming you've already extracted the 200 meg file to its components.) There is a document on the Microsoft servers on how to add entries for what you want (trusted sites and settings). Go to the MSFN main page, and go to search >> Firewall (I'll put a link in a sec).

http://www.microsoft.com/downloads/details...&DisplayLang=en

When done modifying it:

    makecab netfw.inf

As far as I'm aware, the original SP1a executable had NO /unattend either. It uses the simple update.exe file, with the typical switches to make it silent ( /N /Z /O /Q or some such; /? for more info). That will install SP2 and use your settings from netfw.inf that you specify.

rattler Posted August 13, 2004 Author

Thanks for the replies!!

I had gone through the same documents but came up with some other problems.

When I expand out WindowsXP-KB835935-SP2-ENU.exe I get two netfw.in_ files. They are in i386\ip and i386\ic, not sure which one would be the one to use. Both files look like;

    [binary data omitted]

According to the MS documentation these files should be readable. And I should be able to update the files, rename them to netfw.ini and then the settings will take. My understanding, though, is that netfw should be included, like the unattend.txt file, with a full OS, Windows XP (SP2), install, not just the SP2 upgrade.

I guess I was assuming that since MS was forcing this update on us, they would give us the ability to configure it the way we want.... Stupid me!

Either way, it looks like I am stuck.

FYI, in order to get around this, we are just running a registry hack that adds the exceptions we want. Real easy, just import a .reg file to the registry with;

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "135:TCP"="135:TCP:192.168.5.0/255.255.255.255:Enabled:Port 135"

Change the key to StandardProfile\GloballyOpenPorts\List for non-AD-domain desktops. The syntax is

    "<Port>:<UDP/TCP>"="<Port>:<TCP/UDP>:<IP Address>/<Subnet>:<Enabled/Disabled>:<Common Name>"

Port is the port you want to allow through, address/subnet is the address of the remote machine that you want to allow through and common name is whatever you want to label this exception.

Same thing as netfw.in_, just a little less automated.
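
An added example (not part of the original posts): a Python check that parses GloballyOpenPorts\List values in the format described above and reports how many addresses each scope admits, which helps when reviewing a .reg file before it is imported. Function and variable names are made up for this example; it assumes IPv4 scopes plus the "*" and "LocalSubNet" keywords from Microsoft's Windows Firewall INF documentation.

```python
import ipaddress

def parse_open_port(name, data):
    """Parse one GloballyOpenPorts\\List value. Returns (entry, problems)."""
    parts = data.split(":", 4)
    if len(parts) != 5:
        return None, [f"expected 5 colon-separated fields, got {len(parts)}"]
    port, proto, scope, status, label = parts
    problems = []
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"bad port {port!r}")
    if proto.upper() not in ("TCP", "UDP"):
        problems.append(f"bad protocol {proto!r}")
    if status.lower() not in ("enabled", "disabled"):
        problems.append(f"bad status {status!r}")
    if name.upper() != f"{port}:{proto}".upper():
        problems.append(f"value name {name!r} does not match {port}:{proto}")
    hosts = 0  # addresses admitted by an explicit scope list (summed per item)
    for item in (s.strip() for s in scope.split(",")):
        if item == "*" or item.lower() == "localsubnet":
            hosts = None  # keyword scope: not countable from the entry alone
            break
        try:
            # Accepts a bare address, address/dotted-mask, or address/prefix.
            hosts += ipaddress.ip_network(item, strict=False).num_addresses
        except ValueError:
            problems.append(f"bad scope item {item!r}")
    entry = {"port": port, "proto": proto.upper(), "scope": scope,
             "enabled": status.lower() == "enabled", "label": label,
             "hosts": hosts}
    return entry, problems

# Sample values: the first is the entry from the post above, the rest are
# constructed for this example.
SAMPLES = [
    ("135:TCP", "135:TCP:192.168.5.0/255.255.255.255:Enabled:Port 135"),
    ("135:TCP", "135:TCP:192.168.5.0/255.255.255.0:Enabled:Port 135"),
    ("445:TCP", "445:TCP:*:Enabled:SMB"),
    ("139:TCP", "135:TCP:10.0.0.1:Enable:Typo"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        entry, problems = parse_open_port(name, data)
        print(name, "->", entry and entry["hosts"], problems)
```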

gamehead200 Posted August 13, 2004

> Thanks for the replies!!
>
> I had gone through the same documents but came up with some other problems.
>
> When I expand out WindowsXP-KB835935-SP2-ENU.exe I get two netfw.in_ files. They are in i386\ip and i386\ic, not sure which one would be the one to use. Both files look like;
>
> ---
>
> According to the MS documentation these files should be readable. And I should be able to update the files, rename them to netfw.ini and then the settings will take. My understanding, though, is that netfw should be included, like the unattend.txt file, with a full OS, Windows XP (SP2), install, not just the SP2 upgrade.
>
> I guess I was assuming that since MS was forcing this update on us, they would give us the ability to configure it the way we want.... Stupid me!
>
> Either way, it looks like I am stuck.
>
> FYI, in order to get around this, we are just running a registry hack that adds the exceptions we want. Real easy, just import a .reg file to the registry with;
>
> ---
>
> Port is the port you want to allow through, address/subnet is the address of the remote machine that you want to allow through and common name is whatever you want to label this exception.
>
> Same thing as netfw.in_, just a little less automated.

You have to expand the files! Open CMD.exe and do:

    expand netfw.in_ netfw.ini

(I'm not too sure if it's an INI or an INF file, try both and see which one works!)

maxXPsoft Posted August 13, 2004

> I have been through all of the MS documentation and can not find a way to include a custom firewall configuration with the SP2 install.

Deploying Windows Firewall Settings for Windows XP Service Pack 2
Ever wondered how to customize the operational mode and exception list entries in the new Windows Firewall in Windows XP SP2? Learn more about this powerful new feature and how to modify its settings before or after installation.

Using the Windows Firewall INF File in Microsoft Windows XP Service Pack 2
Ever wondered how to customize settings such as the operational mode and exception list entries in the new Windows Firewall in Windows XP SP2? Learn more about this powerful new feature and how network administrators can modify its settings before or after installation.

These help? They all come from here:
http://www.microsoft.com/technet/prodtechn...n/winxpsp2.mspx

tbone587 Posted August 13, 2004

I'm using SP2 2149. How come Windows Update hasn't downloaded the SP2 final yet? I am planning on formatting soon with the final SP2, but not yet.

prathapml Posted August 13, 2004

> Open CMD.exe and do:
>
>     expand netfw.in_ netfw.ini
>
> (I'm not too sure if it's an INI or an INF file, try both and see which one works!)

Or rename to "netfw.cab" and use WinRAR to extract. It contains a text file called "netfw.inf".

Gunr Posted August 13, 2004

If this is for a company, are you using AD? If you are, update a GPO with the new firewall settings that you require open and push it down that way. We are using that at our company and it works great. If you find later that you need another port open, modify the GPO and when the clients refresh they will get the new settings automatically.

rattler Posted August 13, 2004 Author

> You have to expand the files! Open CMD.exe and do:
>
>     expand netfw.in_ netfw.ini
>
> (I'm not too sure if it's an INI or an INF file, try both and see which one works!)

That's exactly what I was looking for... Thanks, I'm sorry if I should have known that! I definitely did not read that in any of the documentation. MS's document reads;

1. Copy the default Windows Firewall INF file (Netfw.in_) from a Windows XP SP2 CD image.
2. Make the desired modifications to the INF file. Directions for modifying the INF file are provided in the "Configuration Options Provided in the Windows Firewall INF File" section of this article.
3. Save the modified INF file as Netfw.in_.

Step 4 says;

4. Sign the modified Netfw.in_.

May be something I should know how to do, also, but how do I "sign" the file?

5. Replace the default Netfw.in_ with the modified Netfw.in_ in the Windows XP SP2 CD image.

Should I replace both the Netfw.in_ files sitting in the ic and ip directories? Would that modify the default settings for the SP2 install?

6. Install Windows XP SP2 as normal from the modified Windows XP SP2 CD image.

Again, thanks a lot for all of your help!!

rattler Posted August 13, 2004 Author

OK, I should learn to read everything!

makecab netfw.in_ will sign it and make it ready for install, right?

neleus Posted August 23, 2004

OK, here it is, in case no one has posted otherwise: the how-to, step by step.

How to disable the Windows XP SP2 Firewall DURING Installation

1. There are 2 netfw.in_ files in the Network installation download of SP2 for IT professionals.
2. Take 1, and go to a command prompt, type "expand netfw.in_ netfw.inf"
3. Open it up and make the file look like what is below

    [version]
    Signature = "$Windows NT$"
    DriverVer =07/01/2001,5.1.2600.2180

    [DefaultInstall]
    AddReg=ICF.AddReg.DomainProfile
    AddReg=ICF.AddReg.StandardProfile

    [ICF.AddReg.DomainProfile]
    HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","EnableFirewall",0x00010001,0
    HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","DisableNotifications",0x00010001,1

    [ICF.AddReg.StandardProfile]
    HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","EnableFirewall",0x00010001,0
    HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DisableNotifications",0x00010001,1

4. Once you have made this file, use "makecab netfw.inf netfw.in_" and copy this new netfw.in_ back into the IC and IP directory. This will make the firewall disabled upon installation.
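
An added example (not from the thread or from Microsoft's documentation): a Python check that reads a netfw.inf like the one in the post above, follows the AddReg references from [DefaultInstall], and reports which profiles end up with EnableFirewall set to 0, so a modified file can be reviewed before it goes into an install image. The function names are made up for this example, and the parser assumes simple AddReg lines with no commas inside values.

```python
import re
# Sample input: the [DefaultInstall] and AddReg sections of the INF posted above.
SAMPLE_INF = r'''
[DefaultInstall]
AddReg=ICF.AddReg.DomainProfile
AddReg=ICF.AddReg.StandardProfile
[ICF.AddReg.DomainProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","EnableFirewall",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","DisableNotifications",0x00010001,1
[ICF.AddReg.StandardProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","EnableFirewall",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DisableNotifications",0x00010001,1
'''

POLICY = r"services\sharedaccess\parameters\firewallpolicy" + "\\"

def parse_sections(text):
    """Map lower-cased section name -> its lines (INF names are case-insensitive)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # skip blanks and comment lines
            continue
        head = re.fullmatch(r"\[(.+)\]", line)
        if head:
            current = sections.setdefault(head.group(1).strip().lower(), [])
        elif current is not None:
            current.append(line)
    return sections

def firewall_settings(text):
    """Follow DefaultInstall's AddReg references; return {profile: {name: data}}."""
    sections, result = parse_sections(text), {}
    for line in sections.get("defaultinstall", []):
        key, _, refs = line.partition("=")
        if key.strip().lower() != "addreg":
            continue
        for ref in refs.split(","):
            for entry in sections.get(ref.strip().lower(), []):
                fields = [f.strip().strip('"') for f in entry.split(",")]
                if len(fields) >= 5 and POLICY in fields[1].lower():
                    start = fields[1].lower().index(POLICY) + len(POLICY)
                    profile = fields[1][start:].split("\\")[0]
                    result.setdefault(profile, {})[fields[2].lower()] = fields[4]
    return result

def disabled_profiles(text):
    return sorted(p for p, v in firewall_settings(text).items() if v.get("enablefirewall") == "0")
```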

eixt Posted August 24, 2004

Cheers mate. Any ideas how I could then get this modified pack to be installed by SUS?

Denney Posted August 24, 2004

Just on the expand command...

You should use the command "expand -r netfw.in_".

That way, it automatically extracts whatever file is inside it and then renames it the way it should be named.

eth0 Posted August 24, 2004

> Cheers mate. Any ideas how I could then get this modified pack to be installed by SUS?

I think you might prefer using the extracted SP2 files and use the update.msi in an installation GPO (you're using SUS, so I presume you're running AD anyway).