Playing chicken installing Microsoft Windows XP SP2

Tom Keating, CTO | VoIP & Gadgets Blog


A few fellow co-workers, all of whom work in IT, played a game of "chicken" yesterday. That is, we were trying to figure out who would be the guinea pig to install Microsoft Windows XP SP2 (Service Pack 2). The conversation went something like this:
"You install SP2."
"No, you."
"Uhh, no. You first."
"But it's really good. Maybe it'll solve your PC crashing problem? Or the fact that it is so slow? Go ahead, do it. Do it now!"

Finally, after some bantering, with none of us wanting to "screw up" our PCs, I decided to bite the bullet and install it myself at 5:15pm Wednesday. That wasn't a smart idea, since if a problem did happen I'd either be working late to fix it or have to leave it for the following morning and "stew" over my PC being broken all night long. Well, including the reboot and logging back on, the time was 5:33pm, or 18 minutes total on a Pentium 4 3.00GHz.

After rebooting, it looks like the same old Windows. Of course I knew it would, but with all the hype behind SP2, you'd think it was a new operating system upgrade. Well, in fact it is - under the hood anyway. I won't rehash the new features (just Google XP SP2), but I will point out that SP2 not only includes all the latest security patches but also a better firewall which is turned on by default.

Here's a screenshot of the main screen:

The morning after the SP2 install I decided to check my Event Viewer, and I saw two new errors:
Error 15 - Automatic certificate enrollment for local system failed to contact the active directory (0x80072751). A socket operation was attempted to an unreachable host. Enrollment will not be performed.

and this:
Error 1054 - Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I figured it had something to do with the new firewall blocking certain ports (Active Directory ports), so I looked at the Windows Firewall exceptions list. I saw "File and Print Sharing" as an exception, but I didn't see Active Directory among the "exceptions" listed. What the hell is that? How is corporate America going to reach their domain controllers to authenticate? I didn't have Active Directory's ports memorized, so I had to Google "active directory port" to find the ports I needed to MANUALLY add to the list of "allowed exceptions". Take a look at the Exceptions screen where I added "ADS-3268, ADS-3269, and ADS-389":

It's possible that those two errors were not related to the firewall and I've had them all along, but I doubt it. I would check the Event Viewer for earlier occurrences of these errors, but somehow my Event Viewer log has been corrupted by SP2. Oy! Also, I was too busy this morning to perform any sort of tests to see if the firewall really caused those two error messages. But my money's on Microsoft having set up the firewall defaults to protect "home users" without taking "business users" into consideration when they designed SP2. It's actually kind of funny that Microsoft is blocking their own Active Directory service - the very flagship and core of Microsoft security!

Here are some cool tips to manage Windows Firewall:
One of Windows Firewall's most powerful features is the ability to use Group Policy to manage clients' firewall configurations - perfect for corporate environments. You can use Group Policy to configure all your firewall exceptions from one location and apply them to all target computers.

You can also manage Windows Firewall clients via the Netsh command-line tool. You can use Netsh to configure network settings through a batch file or directly from the command line. For example, the command "netsh firewall show config" displays the current settings of the Windows Firewall client. Netsh lets you configure most Windows Firewall settings, which is great for scripters, who can now use a logon script to configure and verify Windows Firewall operation.

Here's a sample command you can run from a command line (cmd.exe). The following Netsh command creates a local firewall rule that allows only certain addresses to FTP into a Windows Firewall-protected computer:

netsh firewall add portopening protocol=TCP port=21 name=FTP mode=ENABLE scope=CUSTOM addresses=192.168.0.0/255.255.255.0,10.0.0.0/255.255.240.0

Want to know which ports are open on your firewall? Just type this from a CMD line:
netsh firewall show portopening
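As an added example (not code from the original post), here is a batch logon script that adds the three Active Directory exceptions I entered by hand, using the same netsh firewall context as the tips above, and then verifies them. The subnet 192.168.0.0/255.255.255.0 is a constructed placeholder for the network where your domain controllers live.

```batch
@echo off
rem Added example, not from the original post: a logon script for the XP SP2
rem "netsh firewall" context that adds the ADS-389, ADS-3268 and ADS-3269
rem exceptions described above and then lists what is in place.
rem Must run with administrative rights, since it changes firewall settings.
rem Assumption (constructed value): 192.168.0.0/255.255.255.0 is the corporate
rem subnet holding the domain controllers. Replace it with your own network.
setlocal
set DC_NET=192.168.0.0/255.255.255.0

rem scope=CUSTOM limits each exception to DC_NET instead of every address,
rem and profile=DOMAIN keeps it inactive when a laptop is off the corporate
rem network (the "standard" profile used at home stays untouched).
for %%P in (389 3268 3269) do (
    netsh firewall add portopening protocol=TCP port=%%P name=ADS-%%P mode=ENABLE scope=CUSTOM addresses=%DC_NET% profile=DOMAIN
)

rem Verify: show the exceptions now defined, then the firewall's overall state
netsh firewall show portopening
netsh firewall show state
endlocal
```

Run the verification lines on their own after a Group Policy refresh as well, so you can tell a locally added exception apart from one pushed by policy.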