Tuesday, July 27, 2010

D3 Tape Configuration using the dev-make command

For each physical tape drive, several devices can be created with different characteristics to deal with
different situations.
The tape type is optionally followed by a label size for compatibility with tapes generated on other
platforms, typically a tape written on a Pick licensee’s machine. For example, to read a 4mm tape made
on a machine with a label size of 80 bytes, create a device with a tape type of d80. The users may also
have several DAT devices which can deal with a label size of 50 or 512 bytes.
The TCL command dev-make allows creating devices immediately. There is no need to stop and restart
the D3 VME service. The general syntax is:
dev-make -t tape -a "tape.name,tape.type{label size}{,density}"
where tape.name is the device name as defined in Windows Tape Devices (i.e. tape0, tape1),
and tape.type is one of the following:
f for floppy (optionally followed by the floppy density)
p for pseudo tape
q for quarter inch QIC/SCT
h for half inch
d for 4mm DAT (optionally followed by a numeric tape label size)
v for 8mm/Video (optionally followed by a numeric tape label size)
The label size can be any number. Example:
a 4mm DAT with 80-byte label: dev-make -t tape -a "tape0,d80"
density is the tape density.
For floppy:
q=quad (1.44)
h=high (1.2)
o=octal (2.88)
d=standard (360)
s=single (180)
For other tape devices, densities are included for information only, not for functionality. Possible
densities are: h=high, m=medium, l=low, and s=standard.
The following three commands can be entered at TCL or added to the user coldstart proc to create three
Pick tape devices. In this example, tape0 is a DAT drive in the NT registry:
dev-make -t tape -a "\\.\tape0,d80,h" (80-byte label)
dev-make -t tape -a "\\.\tape0,d50,h" (50-byte label)
dev-make -t tape -a "\\.\tape0,d,h" (defaults to 512)
Note: ALL dev-make commands are lost once D3 has been shut down or stopped. All dev-make
commands should be added to the user-coldstart proc so that the tape devices will be available again
once the D3 service is restarted.

Tuesday, July 13, 2010

Automatically Boot into Safe Mode

This batch file will back up your current boot.ini file, then add two safe mode options to your boot.ini file.
One is the same as you would get when pressing F8 and choosing Safe Mode; the other is just the minimal safe mode with no logging or display of drivers.
Copy the text in the code block into Notepad and save the file on your desktop as addsafe.bat. (Be sure to change the Save as Type box in Notepad's Save dialog to All Files.)
Double click the file to add the Safe Mode options.
Double click again to remove them.

Code:
@Echo Off
SetLocal EnableDelayedExpansion
PushD %SystemDrive%\
If Not Exist boot.ini Echo Unable to locate the boot.ini file&Goto _End
Attrib -H -R -S boot.ini
If Exist boot.TO~ (
Attrib -H -R -S boot.TO~
Del Boot.ini
Ren boot.TO~ boot.ini>Nul
Echo Safe Mode options have been removed from the boot menu
Goto _End
) Else (
Copy boot.ini boot.TO~>Nul
Attrib +H +R +S boot.TO~
)
If Exist boot.tmp Del boot.tmp
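Rem Tokens=1* keeps everything after the first "=" so switches such as /noexecute=optin are not cut off
For /F "Tokens=1* Delims==" %%I In (boot.ini) Do (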
Set _line=%%I
If /I "%%I"=="default" Set _Def=%%J
If "!_line:~0,1!"=="[" (
>>boot.tmp Echo.%%I
) Else (
>>boot.tmp Echo.%%I=%%J
))
>>boot.tmp Echo.%_Def%="Windows XP Safe Mode (minimal)" /safeboot:minimal
>>boot.tmp Echo.%_Def%="Windows XP Safe Mode (F8)" /safeboot:minimal /sos /bootlog /noguiboot
Del boot.ini
Ren boot.tmp boot.ini
Echo Safe Mode options have been added to the boot menu
:_End
Attrib +H +R +S boot.ini>Nul
PopD
Pause

Tuesday, July 6, 2010

Can't open EXE files

SYMPTOMS
When you try to open EXE files, you may get error messages like "Access Deny", "Runtime error", etc.

CAUSE
Corrupt registry settings or some third party product (or virus) can change the default configuration for running EXE files. This may lead to failed operation when you try to run EXE files.

1. Click Start, and then click Run.


2. Type "command.com", and then press Enter. (A DOS window opens.)


3. Type the following:

"cd\"

"cd \windows"

Press Enter after typing each one.

4. Type "copy regedit.exe regedit.com" and then press Enter.

5. Type "start regedit.com" and then press Enter.

6. Navigate to and select the key:

HKEY_CLASSES_ROOT\exefile\shell\open\command

7. In the right pane, double-click the (Default) value.

8. Delete the current value data, and then type:

"%1" %*

Tip: Type the characters: quote-percent-one-quote-space-percent-asterisk.

9. Close the Regedit utility.


Note: If you are using Windows XP and you enable "System Restore", you need to
disable "System Restore" in "Safe Mode" before using the instructions above.
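
To confirm the repair, or to check other machines for the same tampering, the key from step 6 can be exported to a text file and compared with the value from step 8. The following is an added example, not part of the original post: it assumes the export was produced with regedit or `reg export` and has already been read into a string, and the two sample exports are constructed for illustration.

```python
import re

# Expected (Default) value from step 8 of the article.
EXPECTED = {r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*'}

SECTION = re.compile(r"^\[(.+)\]$")
# A string default looks like @="..." with \" and \\ escaped inside.
DEFAULT = re.compile(r'^@="((?:[^"\\]|\\.)*)"$')

# Constructed sample exports (not taken from a real machine).
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

HIJACKED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Example\\placeholder.exe\" \"%1\" %*"
'''


def unescape(value):
    """Undo .reg escaping: a backslash protects the character after it."""
    return re.sub(r"\\(.)", r"\1", value)


def default_values(reg_text):
    """Map each key in a .reg export to its (Default) string, or None.

    Keys are upper-cased because registry key names are case-insensitive.
    Version 5.00 exports are UTF-16 on disk; decode before calling.
    """
    values = {}
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1).upper()
            values.setdefault(key, None)
            continue
        default = DEFAULT.match(line)
        if default and key is not None:
            values[key] = unescape(default.group(1))
    return values


def check_handlers(reg_text, expected=EXPECTED):
    """Return (key, status, value) for every handler that is not as expected."""
    found = default_values(reg_text)
    findings = []
    for key, want in expected.items():
        lookup = key.upper()
        if lookup not in found:
            findings.append((key, "missing", None))
        elif found[lookup] is None:
            # Key exported, but (Default) is absent or not a plain string.
            findings.append((key, "no string default", None))
        elif found[lookup] != want:
            findings.append((key, "modified", found[lookup]))
    return findings


if __name__ == "__main__":
    for name, text in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(name, check_handlers(text) or "OK")
```

Any finding other than an empty list means the handler differs from the value the article tells you to type, and the value shown in the finding names the program that has been placed in front of every EXE launch.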

Wednesday, June 30, 2010

Set Up Find My iPhone on Multiple iPhones With One MobileMe Account


Find My iPhone, to many people, is the ultimate integration between the iPhone and MobileMe. With your iPhone connected to your MobileMe account you can quickly find your lost, or stolen, iPhone and return to your landscape texting ways.

Unfortunately, some families have multiple iPhones and only one MobileMe account. If your wife, husband, or any family member or close friend, has an iPhone and a penchant for losing it, there is a way to add Find My iPhone to their device without dumping your entire email, contact and calendars on their iPhone.

1. Navigate on the iPhone in question to Settings>Mail, Contacts, Calendars.

2. Tap on Fetch New Data. Turn on Push. You'll need this to communicate with MobileMe in a timely fashion.

3. Return to Settings>Mail, Contacts, Calendars and tap on Add Account... Tap the MobileMe option.

4. Add your super-secret information. Note: Once you place your MobileMe account on another iPhone or iPod touch, that person has access to your email and contact information.

5. Turn off the other MobileMe options. Your kid probably doesn't care that you have a meeting at 11:30 to discuss the latest proposal. Turn on Find My iPhone.

6. Fire up your favorite browser and head to Me.com. Click on the Settings tab and then on the Find My iPhone option. After about 15 minutes, the iPhone will show up with its location.

UPDATE: On the Find My iPhone page, each phone will get its own map. There is no need to "choose" which iPhone is being displayed. Just scroll down to see the rest of your activated iPhones.

I personally have two iPhones set up on my one MobileMe account with no problem. Have fun stalking finding your family's iPhones.

Thursday, June 24, 2010

Cannot start Microsoft Office Outlook. Cannot open the Outlook window.

Click Start > Run, then type the following: "Outlook.exe /resetnavpane"

Should solve your problem.

Wednesday, June 16, 2010

How to manage the Office 2003 templates in Office 2003 programs

Office 2003 saves all the new custom template files that you create in any Office 2003 program in one location.

There are four template categories in Office 2003. When you click On my computer in the New task pane, the Office 2003 program that you are using looks in the following locations for the templates that belong to that program:
  • The User templates file location
  • The Workgroup templates file location
  • The Advertised and Installed templates file location
  • The non-file-based templates files location

The User templates file location

Newly created or newly modified templates are saved in a folder in your profile directory. The folders that are under your profile contain your configuration preferences and options. Everything that has to roam with you is stored in these directories as part of your profile.

By default, User templates files are stored in the following location:
C:\Documents and Settings\user name\Application Data\Microsoft\Templates
Note You can change the location of User templates files.

How to change the template location

You can use Microsoft Office Word 2003 to change the location where your new templates are saved. To do this, follow these steps.

Note If you use Word 2003 to change the location where your new templates are saved, you will also change the location where all Office 2003 program templates are saved.
  1. Start Word 2003.
  2. On the Tools menu, click Options.
  3. On the File Locations tab, click User templates, and then click Modify.
  4. In the Modify Location dialog box, change the setting in the Folder name or the Look in list to the folder where you want to save your new templates, and then click OK.
  5. Click OK or Close to close the Options dialog box.
The changed path is noted in the Windows registry, and it is used the next time that you want to save a new template. For more information, see the "Changes in the Windows Registry settings for the User templates file location and for the Workgroup templates file location" section.

Note A network administrator can change the location where your new templates are saved by using the policy templates that are included with the Microsoft Office 2003 Resource Kit. For more information, contact your network administrator.

You can also create custom tabs that appear in the Templates dialog box by creating a new folder within the Templates folder in your profile. Tabs with the same name as your new folder appear in the Templates dialog box. These tabs let you categorize your new templates even more.

To view the Templates dialog box, use one of the following methods depending on the Office 2003 program that you are using:
  • In Microsoft Office Access 2003, click New on the File menu, and then click On my computer in the New File task pane.
  • In Microsoft Office Excel 2003, click New on the File menu, and then click On my computer in the New Workbook task pane.
  • In Microsoft Office FrontPage 2003, click New on the File menu, and then click More page templates or More Web site templates.
  • In Microsoft Office PowerPoint 2003, click New on the File menu, and then click On my computer in the New Presentation task pane.
  • In Microsoft Office Publisher 2003, click New on the File menu, and then click Templates on the New Publication task pane.

    Note There is no Templates dialog box in Publisher 2003. Instead, your new custom template folder will appear under Templates on the New Publication task pane.
  • In Word 2003, click New on the File menu, and then click On my computer on the New Document task pane.

Workgroup templates file location

The templates that are saved in this location are basically the same as the templates that are saved in your User templates file location, except that the location is typically a shared folder on a network drive. By default, the Workgroup templates file location is not set to a specific folder and is blank.

Note Your network administrator may set a shared location as a source from which to provide templates that are used throughout your workgroup or company. The Workgroup template file location typically is a read-only shared network folder.

Besides looking in your default User templates file location for existing templates, Office 2003 programs look in the Workgroup templates file location for additional templates that may exist.

For more information about the Workgroup templates file location and about how to share a template with your workgroup or your company, contact your network administrator.

Advertised and Installed templates file location

Advertised templates are the templates that are included with Office 2003. These templates appear in the Templates dialog box. Depending on the type of installation, you may not have all the templates installed on your computer. However, in the Templates dialog box, each Office 2003 program displays the templates as they are available.

When you select a template, the Office 2003 program determines whether the template is installed. If the template is installed, a new document that is based on the template opens. If the template is advertised but not installed, you receive a message from the program to install the template.

You can remove installed templates by starting the Office 2003 installation program and then by setting the template group to Installed on First Use. This effectively removes the templates from the computer, and they again become advertised templates. By default, all Microsoft Office installed templates are installed to the following folder:
C:\Program Files\Microsoft Office\Templates\Language ID Number
Note The language ID number is a four-digit code representing the language types currently installed. For example, the English (US) version of Office 2003 installs a "1033" folder, the Arabic version installs a "1025" folder, and the German version installs a "1031" folder. Office 2003 supports many other languages, and you can have multiple languages installed at the same time. Therefore, you may have a Templates folder that contains several of these language ID folders.

Non-file-based templates

Office 2003 programs use non-file-based templates to create new workbooks, documents, databases, and slides. As the name suggests, there is no physical template from which these special files are created. Each Office 2003 program has the necessary information to create a new file of the correct type.

For example, if the global template (Normal.dot) that Microsoft Word uses to create a blank document is not found, Word uses its internally stored settings to create a new blank document.

Changes in the Windows Registry settings for the User templates file location and for the Workgroup templates file location

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

Office 2003 uses two registry values to record the User templates file location and the Workgroup templates file location. Both of these settings are recorded under the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\General
The user templates location is stored in the UserTemplates string value.

The workgroup templates location is stored in the SharedTemplates string value.

These string values do not exist until you make a change to the default locations for your custom templates. By default, all Office 2003 programs look for their installed templates. Therefore, no string value is required for the location of Office 2003 programs.

If you change the user templates location back to the default location as described in the "User templates file location" section, the UserTemplates string value is deleted from the registry. However, if you change the workgroup templates location back to its default, the SharedTemplates string value is retained in the registry.

Tuesday, March 23, 2010

Reset Account Password In Safe Mode

This can happen to any of us: we usually forget a Windows account's password just when we least want to. Such situations are very common, so it is good to know how to reset a password, as it will save you time and effort in the future.

These instructions show how to reset an account password in Windows XP (on condition that you do not have a password set on the Administrator account):

1. Reboot the PC/laptop in Safe Mode (press and hold the 'F8' button when the PC starts and choose 'Safe Mode' in the list). Log in under the 'Administrator' account.

Frequently this account doesn't have a password set.

You're prompted to set a password on it during Windows XP installation.

2. Go to [Start] > [Control Panel] > [Administrative Tools] > [Computer Management].

3. Expand the 'System Tools' node, then 'Local Users & Groups', and choose 'Users'. On the right side, choose the user account and right-click on it. A menu with options will appear.

Select the "Set Password..." option.

4. The confirmation window will appear. Press the 'Proceed' button to continue the process of resetting the password.

5. After that, the window with the password fields will appear. Enter the new password twice, or leave these fields empty to log in without a password.

Wednesday, March 10, 2010

Troubleshoot Slow Start Ups with Windows Boot Performance Diagnostics



Sometimes, Windows might start correctly but might take an unusually long time to do so. Such problems can be difficult to troubleshoot, because there’s no straightforward way to monitor processes while Windows is starting. To help administrators identify the source of startup performance problems, and to automatically fix some problems, Windows Vista includes Windows Boot Performance Diagnostics.
You can use the Group Policy settings to manage Windows Boot Performance Diagnostics in an Active Directory environment. In the Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Windows Boot Performance Diagnostics node, edit the Configure Scenario Execution Level policy. When this policy is enabled, you can choose from the following two settings:

Detection And Troubleshooting Only
Windows Boot Performance Diagnostics will identify startup performance problems and will add an event to the Event Log, allowing administrators to detect the problem and manually troubleshoot it. Windows Boot Performance Diagnostics will not attempt to fix the problem, however.

Detection, Troubleshooting, And Resolution
Windows Boot Performance Diagnostics will identify startup performance problems and automatically take steps to attempt to alleviate the problems.
If you disable the setting, Windows Boot Performance Diagnostics will neither identify nor attempt to resolve startup performance problems. For Windows Boot Performance Diagnostics to function, the Diagnostic Policy Service must be running.
Settings for Windows Shutdown Performance Diagnostics, which function similarly to the Windows Boot Performance Diagnostics, are located in the Computer Configuration\Administrative Templates\System\Troubleshooting And Diagnostics\Windows Shutdown Performance Diagnostics node.

Windows 7 God Mode - Get Access To All Your Tweaks and Options in One Directory


All your Tweaks and Options in One Huge Folder

Windows 7 has many tweaks and features that turn options on and off or adjust things. The problem is they are buried under Control Panel and other places that are a few clicks away. Many people don't know there are Master Folders that you can set up which give you easy access to this. This is called God Mode. To create the most common God Mode follow these directions.

  • Create a restore point in case you mess something up.
  • Create a "New Folder" somewhere easily accessible to you (don't use an existing folder).
  • After you have created a new folder
  • Highlight the folder and choose rename
  • Copy this string to the folder name GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

Thursday, March 4, 2010

    Copy the names in AutoComplete to another computer

    Applies to
    Microsoft Office Outlook® 2003

    Do you miss the convenience of Outlook automatically completing people's names as you begin to type them on your new computer? Are you upgrading to a new computer and don't want to lose all the names stored in your Outlook AutoComplete feature? Wouldn't it be nice if Outlook installed on your new computer just "remembered" the names and filled them in for you?

    Automatically complete e-mail addresses

    You can copy the names in AutoComplete from your old computer to your new one.


    Important You must exit Outlook before starting the following procedure. The names will be included in AutoComplete when you restart Outlook.

    1. On the computer with the saved AutoComplete names, go to drive:\Documents and Settings\user name\Application Data\Microsoft\Outlook.

      Note Depending on your file settings, this folder might be hidden. To view the files in this folder, do one of the following:

      Microsoft Windows XP

      1. Click Start, and then click My Computer.
      2. On the Tools menu, click Folder Options.
      3. Click the View tab, and then, under Advanced settings, under Hidden files and folders, click Show hidden files and folders.

      Microsoft Windows 2000

      1. Double-click My Computer on your desktop.
      2. On the Tools menu, click Folder Options.
      3. Click the View tab, and then click Show hidden files and folders.
    2. Right-click profile name.nk2, and then click Copy.

      Tip You can copy the file to removable media, such as a floppy disk or a CD, and then copy the file to the correct location on the other computer. Or you can attach the file to an e-mail message and send the message to yourself. On the new computer, open the attachment in Outlook, and then save it to the correct location.

    3. On the computer where you want to populate the AutoComplete feature, copy the file to drive:\Documents and Settings\user name\Application Data\Microsoft\Outlook.
    4. If the Outlook user profile name is different on the computer where you are moving the .nk2 file, you must rename the file with the same Outlook user profile name after you copy it to the correct folder. For example, if you move Kim Akers.nk2 from the original computer with an Outlook user profile name of Kim Akers, and you copy the Kim Akers.nk2 file to the new computer, you must rename it with the Outlook profile name being used on the new computer.
    5. When prompted about replacing the existing file, click Yes.
    6. Open Outlook to view changes.

    Monday, February 1, 2010

    Modify Master Browser Election by GPO

    If you are getting the following in the Event Log on your domain controller:

    "The master browser has received a server announcement from the computer that believes that it is the master browser for the domain on transport NetBT_Tcpip_{1A4EAF02-78F1-47. The master browser is stopping or an election is being forced."

    - Join the club. I had this problem on 13/09/04; here’s how to fix it.

    Essentially you can stop this in two ways: stop all the routers on your network forwarding UDP traffic (too much work for me), or change the registry key below on all your clients:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList from Auto to FALSE
    You can do this from a login script (bear in mind all users don’t have rights to change this key if your network is set up securely).

    As I'm a lazy sod, I decided to farm this change out via Group Policy.

    Go to a client PC that has the domain admin tools installed (adminpak.msi is on the 2K/2K3 CD or you can download it from my website http://www.petenetlive.com/Downloads/download.htm)

    Log on with administrative access.

    Start > Run > Regedit {enter}

    Navigate to
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters

    In the right-hand window, double-click MaintainServerList and change its setting to FALSE (note upper case).

    Exit the Registry Editor.

    Click Start > Administrative Tools > Active Directory Users and Computers.

    NOTE: At this point you can edit an existing policy if you wish, but I prefer to keep a policy just for registry changes.

    Right-click the domain name > Properties > Group Policy > New.

    Call the new policy Reg_Changes, select the new policy and click Edit.

    Go to Computer Configuration > Windows Settings. In the right-hand window, open Security Settings.

    Right-click Registry and select "Add Key".

    Navigate to Machine > System > CurrentControlSet > Services > Browser > Parameters.

    Click OK. You will be prompted for security settings: highlight USERS and select Full Control, then add Domain Users and give them Full Control. Click Apply, then OK.

    If you are prompted again for permissions, select "Propagate inheritable Permission to all sub keys" and click OK.

    Exit Group policy Editor and Reboot.

    Thursday, January 7, 2010

    How to Configure Windows Firewall in a Small Business Environment Using Group Policy

    Introduction

    This document explains how to configure the features of Windows Firewall on computers running Microsoft® Windows® XP Professional Service Pack 2 (SP2) in a small or medium-sized business (SMB) environment. The environment might include domain controllers running Microsoft Windows Small Business Server 2003, Microsoft Windows Server™ 2003, or Microsoft Windows 2000 Server.

    The most efficient way to manage Windows Firewall settings in an organization's network is to use the Active Directory® directory service and configure Windows Firewall settings in Group Policy. Active Directory and Group Policy allow you to centrally configure settings for Windows Firewall and apply those settings to all Windows XP SP2 client computers.

    Windows XP SP2 includes new administrative templates for Group Policy objects (GPOs) to enhance security for your client computer and domain including functionality for Windows Firewall. To apply these templates you might have to install hotfixes, depending on the operating system of the domain server or workstation in use.

    After these templates are applied, any Group Policy updates will include settings for Windows Firewall. Group Policy updates are sent from the domain controller to all members of the domain and may also be requested by a domain member through the use of the GPUpdate utility.

    To configure Windows Firewall, use the Group Policy Object Editor while logged in as a member of the Domain Admins group or the Group Policy Creator/Owner security group.

    The following table lists the default settings for Windows Firewall.

    Table 1. Default Windows Firewall Settings

    Option | Default configuration | Modify when
    Network connection settings | All connections | You no longer require the protection of Windows Firewall on a specific network connection or you require individual settings for each network connection.
    Program exceptions | Remote Assistance only | You need to receive connections from other programs or services to your computer.
    Port exceptions | None | You require connections from another computer that uses specific ports on your computer.
    ICMP exceptions | None | You require other computers to verify that your computer is running and TCP/IP is configured correctly.
    Notifications | On | You no longer wish to receive notification when other computers attempt to connect to your computer and fail.
    Logging | Off | You require a record of connections or connection attempts made to your computer.
    Don't allow exceptions | Off | You learn that your computer has a security vulnerability or you use your computer in a less secure environment such as an airport lounge.

    The tasks to configure Windows Firewall using Group Policy are:

    • Add hotfixes to the GPO administrative workstations and Windows Small Business Server 2003.

    • Create and update GPOs.

    • Configure Windows Firewall settings with Group Policy.

    • Apply configuration with GPUpdate.

    • Verify Windows Firewall settings are applied.

    Complete the tasks described in this document to help keep your computer safe from computer worms and other malicious code and continue to allow connections to and from the Internet.

    Microsoft strongly recommends that you test any Windows Firewall Group Policy settings in a test environment before you deploy them in your production environment to ensure that your Group Policy configuration does not cause downtime or loss of productivity.

    For definitions of security-related terms, see the following:

    Objective of this Security Document

    By conducting the processes detailed in this document, you will protect your Windows XP Professional clients from unauthorized users and malicious software by using a host–based firewall. In addition, these steps will enable advanced security management with Active Directory.

    Before You Begin

    Important The instructions in this document were developed with the default menu that displays when you click the Start button. If you have modified your Start menu, the steps might differ slightly.

    Windows XP with SP2 can be used on client computers in an Active Directory domain using domain controllers that run one of the following:

    • Windows Server 2003

    • Windows Small Business Server 2003

    • Windows 2000 Server SP4 or later

    In most networks, the network hardware firewall, proxy, and other security systems provide a level of protection from the Internet to network computers.

    If you do not have a host firewall (a locally installed software firewall) such as Windows Firewall, on your computer’s network connections, you are vulnerable to malicious programs that might be introduced by other computers when they attach to your network. Also, you are vulnerable when you use your computer away from your network, such as when you use a laptop computer at home or you connect to a hotel or airport network.

    Before you install hotfixes, make sure that you have a good backup of the computer, including a backup of the registry.

    For more information on how to back up the registry, see the following:

    Adding Hotfixes to Administrative Workstations and Windows Small Business Server 2003

    If you manage GPO settings on computers that run earlier operating systems or service packs (for example, Windows XP with SP1 or Windows Server 2003), you must install a hotfix (KB842933) so policy settings appear correctly in the Group Policy Object Editor.

    If you use Small Business Server 2003 you must install an additional hotfix (KB872769). By default, Small Business Server 2003 disables Windows Firewall. The hotfix resolves this issue.

    Note The listed hotfixes are not included as part of Microsoft Update and must be installed separately. These hotfixes must be applied to all affected computers individually.

    The KB842933 hotfix applies to the following:

    • Microsoft Windows Server 2003, Web Edition

    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)

    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

    • Microsoft Windows Server 2003, Enterprise Edition for Itanium–based Systems

    • Microsoft Windows XP Professional SP1

    • Microsoft Windows Small Business Server 2003 Premium Edition

    • Microsoft Windows Small Business Server 2003 Standard Edition

    • Microsoft Windows 2000 Advanced Server

    • Microsoft Windows 2000 Server

    • Microsoft Windows 2000 Professional Edition

    The KB872769 hotfix applies to the following:

    • Microsoft Windows Small Business Server 2003 Standard Edition

    • Microsoft Windows Small Business Server 2003 Premium Edition

    For more information or to obtain these hotfixes, see the following:

    • Microsoft Knowledge Base article 842933 on the Microsoft Help and Support Web site at http://go.microsoft.com/fwlink/?linkid=35474.

    • Microsoft Knowledge Base article 872769 on the Microsoft Help and Support Web site at http://go.microsoft.com/fwlink/?linkid=35477.

    For additional information about how to download Microsoft Support files, see the following:

    Requirements to Perform This Task

    You will need the following to complete this task:

    • Credentials. You must log on to the client computer with an account that is a member of the Domain Admins or Local Administrators security group.

    • Tools. The appropriate downloaded hotfix for your operating system as explained in Knowledge Base articles 842933 and 872769.

    How to Add Hotfixes

    To add hotfix 842933 to Windows Small Business Server 2003, Windows 2000 Server SP4 or later, Windows XP SP1, or Windows Server 2003

    1. From the Windows desktop, click Start, click Run, type the path and file name of the downloaded hotfix, and then click OK.

    2. On the Welcome to KB842933 Setup Wizard screen, click Next.

    3. On the License page, review the terms of the license agreement. To continue, click I Agree and then click Next.

    4. On the Completing the KB842933 Setup Wizard screen, click Finish to complete the hotfix installation and restart the computer.

    5. Repeat steps 1 through 4 for all affected computers (servers and management workstations).

    To add hotfix 872769 to Windows Small Business Server 2003

    1. From the Windows desktop, click Start, click Run, type the path and file name of the downloaded 872769 hotfix, and then click OK.

    2. On the Welcome to KB872769 Setup Wizard screen, click Next.

    3. On the License page, review the terms of the license agreement. To continue, click I Agree and then click Next.

    4. On the Completing the KB872769 Setup Wizard page, click Finish to complete the hotfix installation and restart the computer.

    Create and Update a Group Policy Object

    Windows XP SP2 adds settings to the Administrative Templates. To configure these new settings, you must update each GPO with the new Administrative Templates found in Windows XP SP2. If you do not update the GPOs, the Windows Firewall settings are not available.

    On a Windows XP SP2 computer, you can use Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed to update GPOs by simply opening an existing GPO.

    After a GPO has been updated, you can configure the network protection settings that are appropriate for your computers that run Windows XP SP2. In the following exercise we will create a new GPO that will immediately have these updated network protection settings.

    Requirements to Perform This Task

    You will need the following to complete this task:

    • Credentials. You must log on to a Windows XP SP2 computer that is an Active Directory domain client, and you must use an account that is a member of the Domain Admins or the Group Policy Creator/Owner security group.

    • Tools. Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.

    Creating and Updating Group Policy Objects

    To update Group Policy Objects with the new Windows XP SP2 administrative templates

    1. From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in.

    3. On the Standalone tab, click Add.

    4. In the Available Standalone Snap-ins list, locate and click Group Policy Object Editor, and then click Add.

    5. In the Select Group Policy Object dialog box, click Browse.

    6. In the Browse for a Group Policy Object dialog box (shown in the following screen shot), click the Create New Group Policy Object button and name this new GPO Test Client Windows Firewall Policy.

      WFGP01.GIF

    7. Click OK, and then click Finish to close the Group Policy Wizard and apply the new administrative template to the selected GPO.

    8. In the Add Standalone Snap-in dialog box, click Close.

    9. In the Add/Remove Snap-in dialog box, click OK.

    10. To close the MMC, click File, and then click Exit. Do not save changes to the console settings.

      Note Although you do not save console changes, this procedure imports the new Administrative Templates from Windows XP SP2 into the GPO. The Templates must be imported into each defined GPO.

    11. Repeat the preceding steps for every GPO used to apply Group Policy to Windows XP SP2–based computers.

    To update your GPOs for network environments using Active Directory and Windows XP SP2, Microsoft recommends that you use the Group Policy Management Console, a free download. For more information, see the following:

    Configuring Windows Firewall Settings Using Group Policy

    There are two sets of Windows Firewall settings to configure:

    • Domain profile. These settings are used by computers that are connected to a network that contains domain controllers for the domain of which the computers are a member.

    • Standard profile. These settings are used by computers when they are not connected to a network, for example, when you travel with a laptop computer.

    If you do not configure standard profile settings, the default values remain unchanged. Microsoft highly recommends that you configure both domain and standard profile settings, and that you enable Windows Firewall for both profiles. The only exception is if you are already using a third-party host firewall product (a locally installed software firewall). Microsoft recommends that you disable Windows Firewall if you are already using a third-party host firewall product.

    The standard profile settings are typically more restrictive than the domain profile, because the standard profile settings do not include applications and services that are only used in a managed domain environment.

    In a GPO, both the domain profile and standard profile contain the same set of Windows Firewall settings. Windows XP SP2 relies on network determination to apply correct profile settings.

    Note For more information about network determination, see "Network Determination Behavior for Network-Related Group Policy Settings" on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?linkid=35480.

    This section describes the possible Windows Firewall settings in a GPO and the recommended settings for an SMB environment. It also demonstrates how to configure the four major types of GPO settings.

    Requirements to Perform This Task

    You will need the following to complete this task:

    • Credentials. You must log on to a Windows XP SP2 computer that is an Active Directory domain client, and you must use an account that is a member of either the Domain Admins security group or the Group Policy Creator/Owner security group.

    • Tools. Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.

    Note To open a GPO, use either an MMC with the Group Policy Object Editor snap-in or the Active Directory Users and Computers console. To use the Active Directory Users and Computers console on a Windows XP client computer, you must first run Adminpak.msi from the Windows Server 2003 CD.

    Configuring Windows Firewall Settings Using Group Policy

    Use the Group Policy snap-in to modify the Windows Firewall settings in the appropriate GPOs.

    After you complete the following steps to configure the Windows Firewall settings, wait for the settings to be applied to client computers by the standard refresh cycles or use the GPUpdate utility on the client computer. By default, these refresh cycles are every 90 minutes, with a random offset of +/- 30 minutes. The next refresh of Computer Configuration Group Policy will download the new Windows Firewall settings and apply them to computers that run Windows XP SP2.

    To configure Windows Firewall settings using Group Policy

    1. From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in.

    3. On the Standalone tab, click Add.

    4. In the Available Standalone Snap-ins list, locate and click Group Policy Object Editor, and then click Add.

    5. In the Select Group Policy Object dialog box, click Browse.

    6. Select the Test Client Windows Firewall Policy GPO, click OK, and then click Finish.

    7. Click Close to close the Add Stand-alone Snap-in box, and then on the Add/Remove Snap-in box click OK.

    8. In the console tree of the Group Policy Object Editor, open Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall (shown in the following screen shot).

      WFGP02.GIF

    9. Select either Domain Profile (shown in the following screen shot) or Standard Profile.

      WFGP03.GIF

      The following table summarizes the Windows Firewall Group Policy recommended settings for the domain and standard profiles.

      Table 2. Windows Firewall Setting Recommendations

      | Setting | Description | Domain profile | Standard profile |
      |---|---|---|---|
      | Protect all network connections | Specifies that all network connections have Windows Firewall enabled. | Enabled. | Enabled. |
      | Do not allow exceptions | Specifies that all unsolicited incoming traffic is dropped, including excepted traffic. | Not configured. | Enabled, unless you must configure program exceptions. |
      | Define program exceptions | Defines excepted traffic in terms of program file names. | Enabled and configured with the programs (applications and services) used by the computers running Windows XP SP2 on your network. | Enabled and configured with the programs (applications and services) used by the computers running Windows XP SP2 on your network. |
      | Allow local program exceptions | Enables local configuration of program exceptions. | Disabled, unless you want local administrators to configure program exceptions locally. | Disabled. |
      | Allow remote administration exception | Enables remote configuration using tools. | Disabled, unless you want to be able to remotely administer your computers with MMC snap-ins. | Disabled. |
      | Allow file and print sharing exception | Specifies whether file and printer sharing traffic is allowed. | Disabled, unless the computers running Windows XP SP2 are sharing local resources. | Disabled. |
      | Allow ICMP exceptions | Specifies the types of ICMP messages that are allowed. | Disabled, unless you wish to use the ping command to troubleshoot. | Disabled. |
      | Allow Remote Desktop exception | Specifies whether the computer can accept a Remote Desktop-based connection request. | Enabled. | Enabled. |
      | Allow UPnP framework exception | Specifies whether the computer can receive unsolicited UPnP messages. | Disabled. | Disabled. |
      | Prohibit notifications | Disables notifications. | Disabled. | Disabled. |
      | Allow logging | Allows traffic logs and configures log file settings. | Not configured. | Not configured. |
      | Prohibit unicast response to multicast or broadcast requests | Discards the unicast packets received in response to a multicast or broadcast request message. | Enabled. | Enabled. |
      | Define port exceptions | Specifies excepted traffic in terms of TCP and UDP. | Disabled. | Disabled. |
      | Allow local port exceptions | Enables local configuration of port exceptions. | Disabled. | Disabled. |

    10. Double-click each setting listed in Table 2, click Enabled, Disabled or Not Configured, and then click OK.

    Enabling Exceptions for Ports

    To enable exceptions for ports

    1. In either the Domain Profile or the Standard Profile settings area, double-click Windows Firewall: Define port exceptions. The following dialog box will display.

      WFGP04.GIF

    2. Select Enabled, and then click Show. The Show Contents dialog box (shown in the following screen shot) will display.

      WFGP05.GIF

    3. Click Add, and the Add Item dialog box will display. Type the information about the port that you want to block or enable. The syntax is as follows:

      port:transport:scope:status:name

      • port is the port number

      • transport is TCP or UDP

      • scope is either * (for all computers) or a list of the computers that are allowed to access the port

      • status is either enabled or disabled

      • name is a text string used as a label for this entry

      The example shown in the following screen shot is named WebTest and enables TCP port 80 for all connections.

      WFGP06.GIF

    4. After you enter the information, click OK to close the Add Item dialog box. The Show Contents dialog box (shown in the following screen shot) will display.

      WFGP07.GIF

    5. Click OK to close the Show Contents dialog box.

    6. Click OK to close Windows Firewall: Define port exceptions Properties.

    Enabling Exceptions for Programs

    To enable exceptions for programs

    1. In either the Domain Profile or the Standard Profile settings area, double-click Windows Firewall: Define program exceptions. The following dialog box will display.

      WFGP08.GIF

    2. Select Enabled, and then click Show. The Show Contents dialog box (shown in the following screen shot) will display.

      WFGP09.GIF

    3. Click Add, and the Add Item dialog box will display. Type the information about the program that you want to block or enable. The syntax is as follows:

      path:scope:status:name

      • path is the program path and file name

      • scope is either * (for all computers) or a list of the computers that are allowed to access the program

      • status is either enabled or disabled

      • name is a text string used as a label for this entry

      The example shown in the following screen shot is named Messenger and enables the Windows Messenger program at %program files%\messenger\msmsgs.exe for all connections.

      WFGP10.GIF

    4. After you enter the information, click OK to close the Add Item dialog box. The Show Contents dialog box (shown in the following screen shot) will display.

      WFGP11.GIF

    5. Click OK to close the Show Contents dialog box.

    6. Click OK to close Windows Firewall: Define program exceptions Properties.
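    The two entry formats above (port:transport:scope:status:name and path:scope:status:name) can be checked before they are typed into the Add Item dialog box. The following is an added example, not part of the original article or any Microsoft tool: it parses both formats and lists entries that need review. The scope handling (comma-separated IPv4 addresses or subnets, plus a localsubnet keyword) is an assumption, and the Messenger string is built from the article's description of that example.

```python
import ipaddress
from dataclasses import dataclass, field

# WebTest is the article's example; Messenger is built from its description;
# the third entry is constructed to show a drive-letter path.
PAGE_PORT_ENTRY = "80:TCP:*:enabled:WebTest"
PAGE_PROGRAM_ENTRY = r"%program files%\messenger\msmsgs.exe:*:enabled:Messenger"
CONSTRUCTED_PROGRAM_ENTRY = r"C:\Tools\agent.exe:192.168.1.0/24,localsubnet:enabled:Agent"

@dataclass
class FirewallException:
    kind: str        # "port" or "program"
    target: str      # port number, or program path and file name
    transport: str   # "TCP" or "UDP" for ports, "" for programs
    scope: str
    status: str
    name: str
    findings: list = field(default_factory=list)

def _check_scope_and_status(exc):
    if exc.status not in ("enabled", "disabled"):
        exc.findings.append("status must be enabled or disabled")
    if exc.scope == "*":
        if exc.status == "enabled":
            exc.findings.append("enabled for all computers (scope *)")
        return
    for item in (s.strip() for s in exc.scope.split(",")):
        if item.lower() == "localsubnet":   # assumed keyword, not in the article
            continue
        try:
            ipaddress.ip_network(item, strict=False)  # assumed address/subnet form
        except ValueError:
            exc.findings.append(f"unrecognised scope item {item!r}")

def parse_port_exception(entry):
    """port:transport:scope:status:name; name is last, so it may contain ':'."""
    parts = [p.strip() for p in entry.split(":", 4)]
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields: {entry!r}")
    port, transport, scope, status, name = parts
    exc = FirewallException("port", port, transport.upper(), scope, status.lower(), name)
    if not (port.isdecimal() and 1 <= int(port) <= 65535):
        exc.findings.append("port must be a number from 1 to 65535")
    if exc.transport not in ("TCP", "UDP"):
        exc.findings.append("transport must be TCP or UDP")
    _check_scope_and_status(exc)
    return exc

def parse_program_exception(entry):
    """path:scope:status:name; split from the right, because a path with a
    drive letter contains ':' itself."""
    parts = [p.strip() for p in entry.rsplit(":", 3)]
    if len(parts) != 4 or not parts[0]:
        raise ValueError(f"expected 4 fields: {entry!r}")
    path, scope, status, name = parts
    exc = FirewallException("program", path, "", scope, status.lower(), name)
    _check_scope_and_status(exc)
    return exc

def audit(port_entries, program_entries):
    """Return {name: findings} for every entry that needs review."""
    parsed = [parse_port_exception(e) for e in port_entries]
    parsed += [parse_program_exception(e) for e in program_entries]
    return {e.name: e.findings for e in parsed if e.findings}
```

    Because program entries are split from the right, a label in a program entry cannot contain a colon; a label in a port entry can.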

    Configuring Basic ICMP Options

    To configure basic ICMP options

    1. In either the Domain Profile or the Standard Profile settings area, double-click Windows Firewall: Allow ICMP exceptions. The following dialog box will display.

      WFGP12.GIF

    2. Select Enabled, and then select the appropriate ICMP exception or exceptions to enable. The example in this screen shot selects Allow inbound echo request.

      You can also select Disabled to disable one or more ICMP exceptions.

    3. Click OK to close Windows Firewall: Allow ICMP exceptions Properties.

    Logging Dropped Packets and Successful Connections

    To log dropped packets and successful connections

    1. In either the Domain Profile or the Standard Profile settings area, double-click Windows Firewall: Allow logging. The following dialog box will display.

      WFGP13.GIF

    2. Select Enabled, select Log dropped packets, and then select Log successful connections. Type a Log file path and name, and leave the default Size limit (KB) for the log file size. Then click OK.

      Note Ensure that the log file is saved in a secured location to prevent accidental or deliberate modification.

    3. When you have completed making changes to the Windows Firewall settings, close the console.

      Note When you close the console, you will be prompted to save the console. Regardless of whether you save the console, your GPO settings will be saved.

    4. If prompted to save console settings, click No.

    Applying Configuration with GPUpdate

    The GPUpdate utility refreshes Active Directory–based Group Policy settings. After you configure Group Policy, you can wait for the settings to apply to client computers by the standard refresh cycles. By default, these refresh cycles are every 90 minutes, with a random offset of +/- 30 minutes. To refresh Group Policy right away, you can use the GPUpdate utility.

    Requirements to Perform This Task

    You will need the following to complete this task:

    • Credentials. You must be logged on to a Windows XP SP2 computer that is an Active Directory domain client, and you must use an account that is a member of the Domain Users group.

    Running GPUpdate

    To run GPUpdate

    1. From the Windows XP SP2 desktop, click Start, and then click Run.

    2. In the Run dialog box, type cmd, and then click OK.

    3. At the command prompt, type GPUpdate, and then press ENTER. You should see a screen similar to the following:

      WFGP14.GIF

    4. To close the command prompt, type Exit, and then press ENTER.

    Verifying Windows Firewall Settings Are Applied

    Note When you use Group Policy to configure Windows Firewall, you can prevent access to some elements of the configuration for local administrators. If you have prevented access, some tabs and options in the Windows Firewall dialog box are unavailable on users' local computers.

    Requirements to Perform This Task

    You will need the following to complete this task:

    • Credentials. You must be logged on to a Windows XP SP2 computer that is an Active Directory domain client, and you must use an account that is a member of the Domain Users group.

    To verify Windows Firewall settings are applied

    1. From the Windows XP SP2 desktop, click Start, and then click Control Panel.

    2. Under Pick a category, click Security Center. A screen similar to the following will display.

      WFGP15.GIF

    3. Under Manage security settings for, click Windows Firewall.

    4. Click the General, Exceptions, and Advanced tabs, and verify that the configuration in Group Policy is also applied to Windows Firewall on the client computer.

    If the configuration settings are not applied, you must troubleshoot the application of Group Policy. To do so, see the following:

    Related Information

    For more information about the Windows XP SP2 firewall, see the following:

    For more information about Windows XP SP2 security, see the following:

    For definitions of security-related terms, see the following: