What’s new in Windows XP Service Pack 2 (SP2)?

XP SP2 greatly improves XP’s network and memory protection and email handling and contains a new firewall called Windows Firewall. Windows Firewall is enabled by default; when an application tries to listen on a port that the firewall blocks, the firewall prompts the user, who can choose to unblock that application. XP SP2 also includes a new Control Panel feature called Windows Security Center, which the figure shows. Security Center provides an interface to the firewall configuration and checks that Automatic Updates is enabled and that an up-to-date antivirus product is running. You can manage the Windows Firewall configuration through Group Policy. Microsoft has also hardened the Remote Procedure Call (RPC) service in XP SP2 so that parts of it run with lower privileges (under the Network Service account rather than the Local System account), which makes a compromise of RPC less valuable to an intruder.

XP SP2 is large (approximately a 250MB download) because Microsoft rebuilt much of the XP code with enhanced memory protection (including compiler-generated stack buffer overrun checks) to help contain buffer overruns, in which an application writes past the end of the memory it allocated. XP SP2 also introduces Data Execution Prevention (DEP), which uses the no-execute (NX) feature of newer processors to mark data regions such as the stack and heap as non-executable, so that a buffer overrun can’t simply be turned into the execution of attacker-supplied code; this blunts many memory-corruption worms, although it doesn’t stop attacks that never need to run injected code. In addition to providing beefed-up security, XP SP2 includes some “nice-to-have” features, such as a pop-up blocker for Microsoft Internet Explorer (IE) and improved integrated Bluetooth wireless support.

XP SP2 is a much-needed release that you should take advantage of; nevertheless, you should roll out the service pack with care, because several of its fixes could prevent your applications from working correctly. Before you deploy XP SP2, test every application on a dedicated test platform and roll out application updates where needed. For example, the Messenger and Alerter services are disabled by default in XP SP2. If any of your applications use these services, you’ll need to either enable them or update the application so that it doesn’t depend on them. As another example, an application that addressed memory incorrectly but happened to work before XP SP2 will no longer work now that Windows enforces the rules.
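The settings the answer above describes can be read back from a machine, which is how you confirm the state of a pilot system before and after the rollout. The following PowerShell script is an added example, not code from the original FAQ: it reports the Windows Firewall state per profile, the DEP policy, the Automatic Updates mode, the antivirus products registered with Security Center, and the Messenger and Alerter services. The registry paths and WMI classes are the documented XP SP2 ones; the output labels and the decision to read only the local machine are this example’s own choices.

```powershell
# Added example (not from the original FAQ): report the XP SP2 security settings described above.

function Get-XpSp2SecurityPosture {
    $r = @{}

    # Windows Firewall keeps one key per profile. EnableFirewall = 1 means on;
    # DoNotAllowExceptions = 1 is the "no exceptions" lockdown mode.
    $fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
        $p = Get-ItemProperty -Path "$fwBase\$fwProfile" -ErrorAction SilentlyContinue
        $state = if ($p -and $p.EnableFirewall -eq 1) { 'On' } else { 'Off' }
        if ($p -and $p.DoNotAllowExceptions -eq 1) { $state += ' (no exceptions)' }
        $r["Firewall_$fwProfile"] = $state
    }

    # DEP policy as Win32_OperatingSystem reports it on XP SP2 and later.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $depNames  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn (default)'; 3 = 'OptOut' }
    $depPolicy = $os.DataExecutionPrevention_SupportPolicy
    $r['DEP_Policy']     = if ($depPolicy -eq $null) { 'Not reported (pre-SP2?)' } else { $depNames[[int]$depPolicy] }
    $r['DEP_HardwareNX'] = [bool]$os.DataExecutionPrevention_Available

    # Automatic Updates: a Group Policy value, if present, overrides the local setting.
    # AUOptions 1 = disabled, 2 = notify before download, 3 = download then notify,
    # 4 = download and install on a schedule.
    $auNames  = @{ 1 = 'Disabled'; 2 = 'Notify before download'; 3 = 'Download, notify to install'; 4 = 'Scheduled install' }
    $auPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $auLocal  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    if     ($auPolicy -and $auPolicy.NoAutoUpdate -eq 1) { $r['AutoUpdate'] = 'Disabled by policy' }
    elseif ($auPolicy -and $auPolicy.AUOptions)          { $r['AutoUpdate'] = "$($auNames[[int]$auPolicy.AUOptions]) (policy)" }
    elseif ($auLocal  -and $auLocal.AUOptions)           { $r['AutoUpdate'] = $auNames[[int]$auLocal.AUOptions] }
    else                                                 { $r['AutoUpdate'] = 'Not configured' }

    # Antivirus products register with Security Center in root\SecurityCenter on XP SP2.
    # (Vista and later use root\SecurityCenter2 with a different schema; not handled here.)
    $av = Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    if ($av) {
        $r['Antivirus'] = ($av | ForEach-Object {
            "$($_.displayName) (up to date: $($_.productUptoDate); on-access scan: $($_.onAccessScanningEnabled))"
        }) -join '; '
    } else {
        $r['Antivirus'] = 'None registered with Security Center'
    }

    # SP2 disables these two services by default; anything that still depends on them breaks.
    foreach ($s in Get-WmiObject -Class Win32_Service -Filter "Name='Messenger' OR Name='Alerter'") {
        $r["Service_$($s.Name)"] = "$($s.State), start mode $($s.StartMode)"
    }

    New-Object PSObject -Property $r
}

Get-XpSp2SecurityPosture | Format-List
```

Run it once on a clean SP2 image to capture the expected baseline, then again on each pilot machine; a firewall profile reporting Off or an antivirus line reading “None registered” is the kind of drift Security Center would flag on the desktop but that you want to see centrally.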

Should I run Windows XP Service Pack 2’s (SP2’s) Windows Firewall, a third-party firewall, or both?

A Microsoft source answers as follows:

“We strongly recommend that users run only one host firewall on their system. Yes, the XP SP2 Windows Firewall can coexist with third-party firewalls, but multiple firewalls don’t make you safer. Running multiple firewalls just means you have to configure the settings in multiple places (e.g., opening ports for each firewall you run). For anyone who wants to keep using a third-party firewall after installing XP SP2–for example, because they like some of the extra features–we suggest they turn off the Windows Firewall. We have already advised third-party firewall vendors to programmatically turn off the Windows Firewall in their future releases, so this will eventually be automatic.

“We don’t have any specific guidance as to whether people should use the built-in XP SP2 Windows Firewall or use a third-party product. We absolutely believe that people who don’t already have host firewalls should run the Windows Firewall in XP SP2. Almost all firewalls on the market (including the Windows Firewall) provide good security; it then boils down to what features and capabilities people want. The Windows Firewall, for example, doesn’t do any alerting or intrusion detection. Neither does it offer outbound filtering capabilities. The Windows Firewall focuses on preventing attacks from successfully penetrating a system, but it doesn’t do anything to protect systems once bad software is locally installed. Some other products also have better diagnostics and centralized reporting than the Windows Firewall (which has no reporting whatsoever). I don’t believe people are “safer” running third-party firewalls, but there may be some features in these products that they would like to have.”
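The answer above notes that Windows Firewall has no alerting or reporting. It does, however, keep a dropped-packet log once you enable it with `netsh firewall set logging droppedpackets = ENABLE` (written to %windir%\pfirewall.log by default), and a short script turns that log into a report. The following PowerShell is an added example and is neither Microsoft’s code nor part of the original page: it parses the log using the column names from its own `#Fields:` header and summarises inbound drops by source address and target port. The log lines below are constructed for the example, and the reporting threshold is an arbitrary choice.

```powershell
# Added example (not from the original page): summarise Windows Firewall's pfirewall.log.

function ConvertFrom-PfirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Take the column names from the header instead of hard-coding the column order.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or $line -like '#*' -or $line.Trim() -eq '') { continue }
        $values = $line -split '\s+'
        $record = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $record[$fields[$i]] = $values[$i]
        }
        New-Object PSObject -Property $record
    }
}

function Get-DroppedInboundSummary {
    param([string[]]$Lines, [int]$MinDrops = 10)
    # Only inbound drops matter here (path RECEIVE, action DROP). Grouping by source and
    # destination port makes one host hammering one port show up as a single line.
    ConvertFrom-PfirewallLog -Lines $Lines |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object -Property 'src-ip', 'dst-port' |
        Where-Object { $_.Count -ge $MinDrops } |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $src, $port = $_.Name -split ',\s*'
            New-Object PSObject -Property @{ Source = $src; DstPort = [int]$port; Drops = $_.Count }
        }
}

# Constructed sample in the XP SP2 log format (not a real capture).
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-09-01 10:00:01 DROP TCP 10.0.0.7 10.0.0.20 3001 445 48 S 1 0 65535 - - - RECEIVE
2004-09-01 10:00:02 DROP TCP 10.0.0.7 10.0.0.20 3002 445 48 S 1 0 65535 - - - RECEIVE
2004-09-01 10:00:03 DROP TCP 10.0.0.7 10.0.0.20 3003 445 48 S 1 0 65535 - - - RECEIVE
2004-09-01 10:00:04 DROP TCP 10.0.0.9 10.0.0.20 4001 135 48 S 1 0 65535 - - - RECEIVE
2004-09-01 10:00:05 OPEN TCP 10.0.0.20 10.0.0.1 1040 80 - - - - - - - - -
2004-09-01 10:00:06 DROP UDP 10.0.0.20 10.0.0.255 137 137 78 - - - - - - - SEND
'@

# Against a real log: Get-DroppedInboundSummary -Lines (Get-Content "$env:windir\pfirewall.log")
Get-DroppedInboundSummary -Lines ($sampleLog -split "`r?`n") -MinDrops 2 | Format-Table Source, DstPort, Drops -AutoSize
```

With the sample input only 10.0.0.7 crosses the threshold (three SYNs to port 445); the single drop from 10.0.0.9, the outbound OPEN and the SEND-side NetBIOS drop are left out. Raise `-MinDrops` for a busy machine, and remember that the log only records what the firewall itself dropped, so it says nothing about a third-party firewall that has taken over.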

Free Gmail account giveaway …

Please leave a comment and explain why you deserve a 1GB Gmail account.

Make sure you leave your email address.

Good luck.

Why do I receive time errors when I run the Dcdiag utility?

The time errors usually mean the domain controller (DC) has no valid time source. Note that only the PDC emulator of the forest root domain should point at an external time source; every other DC should synchronize from the domain hierarchy, so check which role the DC holds before you change its configuration. You can check the DC’s SNTP configuration by running the command

net time /querysntp

If the DC isn’t set to query an external Simple Network Time Protocol (SNTP) server or the configured server isn’t available, you can set a valid time source by running the command

net time /setsntp:<server>

where <server> is the DNS name or IP address of the SNTP server. Afterwards, run w32tm /resync to force an immediate synchronization and then rerun Dcdiag.
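The net time commands above read and write the Windows Time (W32Time) configuration in the registry, and the right answer depends on whether the DC is the PDC emulator. The following PowerShell is an added example, not code from the original FAQ: it reads the W32Time type and peer list, determines from Active Directory whether the local DC owns the PDC emulator role, judges the configuration against that role, and provides a helper that repoints the PDC emulator at external NTP servers with w32tm. The registry values and w32tm switches are the documented ones; the server names are placeholders.

```powershell
# Added example (not from the original FAQ): check and set a DC's time source by role.

function Get-DcTimeSourceStatus {
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    # Type: NT5DS = domain hierarchy, NTP = manual peer list (what "net time /setsntp" sets),
    # NoSync = never synchronize, AllSync = both.
    $type  = [string]$params.Type
    $peers = [string]$params.NtpServer

    # The DC is the PDC emulator if its own NTDS Settings object owns the domain's FSMO role.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $isPdc   = ([string]$rootDse.dsServiceName) -eq ([string]$domain.fSMORoleOwner)

    $verdict = if ($isPdc -and $type -eq 'NTP' -and $peers) { 'OK: PDC emulator uses an external source' }
               elseif ($isPdc) { 'PROBLEM: PDC emulator should have Type=NTP and an NtpServer list' }
               elseif ($type -eq 'NT5DS') { 'OK: follows the domain hierarchy' }
               else { "PROBLEM: non-PDC DC has Type=$type; expected NT5DS" }

    New-Object PSObject -Property @{ Type = $type; NtpServer = $peers; IsPdcEmulator = $isPdc; Verdict = $verdict }
}

function Set-ExternalTimeSource {
    # Run on the PDC emulator only. ",0x1" on each peer tells W32Time to use SpecialPollInterval.
    param([Parameter(Mandatory = $true)][string[]]$Servers)
    $peerList = ($Servers | ForEach-Object { "$_,0x1" }) -join ' '
    & w32tm /config "/manualpeerlist:$peerList" /syncfromflags:manual /reliable:yes /update
    & w32tm /resync
}

Get-DcTimeSourceStatus | Format-List
# On the PDC emulator, for example (placeholder names):
# Set-ExternalTimeSource -Servers 'ntp1.example.net', 'ntp2.example.net'
```

Use two or more external servers so that one unreachable peer doesn’t leave the forest without a source, and keep the firewall open for UDP 123 from the PDC emulator to those peers.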

What causes the “Initialization error 0x800A1391” error message that I receive when I access Windows Update?

This error occurs when Windows Update can’t download and install the Windows Update ActiveX component. This problem sometimes occurs when a firewall blocks the download of the component. If you’ve verified that your firewall isn’t causing the error, a possible solution is to add the following sites to the Microsoft Internet Explorer (IE) Trusted Sites zone on the system on which you’re using Windows Update. Add exactly these hosts rather than a wildcard such as *.microsoft.com: the Trusted Sites zone relaxes IE’s ActiveX and scripting restrictions for everything you place in it.

http://windowsupdate.microsoft.com
http://v4.windowsupdate.microsoft.com
https://v4.windowsupdate.microsoft.com
http://v5.windowsupdate.microsoft.com
https://v5.windowsupdate.microsoft.com
http://download.windowsupdate.com

How do I turn off all the script error warnings in Internet Explorer?

Errors such as “document.SelfHostedImage is null or not an object” refer to script on the web page that doesn’t conform precisely to what IE expects. To avoid such messages (which don’t do anything useful for you, since you can’t edit the web page’s script in any case), open the Tools menu, choose Internet Options, select the Advanced tab, check “Disable script debugging”, clear “Display a notification about every script error”, then click Apply and OK. This only suppresses the dialog box; the page’s script still runs (or fails) exactly as before.
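Both the Trusted Sites change from the Windows Update answer and the script-error settings above live in the current user’s registry, which is how you would apply them to many users rather than clicking through the dialog boxes. The following PowerShell is an added example, not code from the original FAQ: it registers a URL in the Trusted Sites zone (zone number 2) under IE’s ZoneMap per scheme, so an http entry doesn’t silently trust https, and sets the two “Main” values that the Advanced tab check boxes control. The host list is copied from the Windows Update answer; treating the last two DNS labels as the registered domain is an assumption that holds for these .com names but not for domains such as example.co.uk.

```powershell
# Added example (not from the original FAQ): apply the IE settings from the answers above via the registry.

$ZoneTrusted = 2   # IE zone numbers: 1 intranet, 2 trusted, 3 internet, 4 restricted

function Add-IeTrustedSite {
    param([Parameter(Mandatory = $true)][string]$Url)
    $uri    = [Uri]$Url
    $labels = $uri.Host -split '\.'
    if ($labels.Count -lt 2) { throw "Need a fully qualified host name, got '$($uri.Host)'" }
    # Assumption: registered domain = last two labels; everything before it is the subdomain part.
    $domain = ($labels[-2..-1]) -join '.'
    $sub    = if ($labels.Count -gt 2) { ($labels[0..($labels.Count - 3)]) -join '.' } else { $null }

    # ZoneMap\Domains\<domain>[\<subdomain>] holds one DWORD per scheme: name = scheme, data = zone.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' + $domain
    if ($sub) { $key = "$key\$sub" }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $uri.Scheme -Value $ZoneTrusted -PropertyType DWord -Force | Out-Null
    "$($uri.Scheme)://$($uri.Host) -> zone $ZoneTrusted ($key)"
}

function Disable-IeScriptErrorDialogs {
    # Same effect as checking "Disable script debugging" and clearing
    # "Display a notification about every script error" on the Advanced tab.
    $main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    Set-ItemProperty -Path $main -Name 'Disable Script Debugger' -Value 'yes'
    Set-ItemProperty -Path $main -Name 'Error Dlg Displayed On Every Error' -Value 'no'
}

# The exact hosts from the Windows Update answer; no wildcards.
$windowsUpdateHosts = @(
    'http://windowsupdate.microsoft.com',
    'http://v4.windowsupdate.microsoft.com',
    'https://v4.windowsupdate.microsoft.com',
    'http://v5.windowsupdate.microsoft.com',
    'https://v5.windowsupdate.microsoft.com',
    'http://download.windowsupdate.com'
)
$windowsUpdateHosts | ForEach-Object { Add-IeTrustedSite -Url $_ }
Disable-IeScriptErrorDialogs
```

Because the zone entries are per scheme, `http://download.windowsupdate.com` ends up as a DWORD named `http` under `Domains\windowsupdate.com\download`, while the v4 and v5 hosts get both `http` and `https` values; nothing else under microsoft.com is affected.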

I have an internal firewall between sections of my network. What ports must I open to allow user and computer account authentication?

Domain authentication consists of several steps. First, the client locates a domain controller (DC), which requires DNS connectivity (port 53 over UDP and TCP). Next, the client tests the DC with a Lightweight Directory Access Protocol (LDAP) ping (port 389 over UDP). Then the client uses Kerberos (port 88 over UDP and TCP) and Server Message Block (SMB, port 445 over TCP) to complete the authentication to the DC. Therefore, you must open all these ports. In practice a domain member needs a little more than the bare logon path: LDAP over TCP 389 for Group Policy and directory queries, Kerberos password changes on port 464, time synchronization on UDP 123 (Kerberos rejects tickets by default when clocks differ by more than 5 minutes), and, for NTLM pass-through authentication and trust secure channels, the RPC endpoint mapper on TCP 135 plus the dynamic RPC port range that Netlogon uses.
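The quickest way to find out which of these ports the internal firewall actually passes is to probe a DC from the far side. The following PowerShell is an added example, not code from the original FAQ: it attempts a bounded-timeout TCP connection to each port from the answer above and labels the result as open, closed (the DC answered with a reset) or filtered (no answer, the usual sign of a firewall dropping packets). UDP (DNS, the LDAP ping, Kerberos over UDP) can’t be tested with a plain connect, so the script covers only the TCP side. The port table, the 2-second timeout and the name dc1.corp.example are this example’s own choices.

```powershell
# Added example (not from the original FAQ): probe the TCP authentication ports on a DC.

$DcPorts = @(
    @{ Port = 53;  Purpose = 'DNS (DC locator)' },
    @{ Port = 88;  Purpose = 'Kerberos' },
    @{ Port = 135; Purpose = 'RPC endpoint mapper (NTLM pass-through, trusts)' },
    @{ Port = 389; Purpose = 'LDAP' },
    @{ Port = 445; Purpose = 'SMB (logon scripts, SYSVOL, Netlogon)' },
    @{ Port = 464; Purpose = 'Kerberos password change' }
)

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        # Bound the wait: a firewall that silently drops the SYN would otherwise stall for the OS default.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'Filtered (timeout)' }
        $client.EndConnect($async)
        return 'Open'
    } catch {
        return "Closed ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

function Test-DcPorts {
    param([Parameter(Mandatory = $true)][string]$DomainController)
    foreach ($entry in $DcPorts) {
        New-Object PSObject -Property @{
            DC      = $DomainController
            Port    = $entry.Port
            Purpose = $entry.Purpose
            Result  = Test-TcpPort -Computer $DomainController -Port $entry.Port
        }
    }
}

Test-DcPorts -DomainController 'dc1.corp.example' | Format-Table Port, Result, Purpose -AutoSize
```

Pair this with `nltest /dsgetdc:<domain> /force` from the same client, which exercises the UDP side (DNS SRV lookup and the LDAP ping) end to end; if nltest succeeds and every TCP row reads Open, the authentication path through the firewall is complete.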

How can I determine whether my new Global Catalog is ready to service clients?

When you enable a domain controller (DC) as a GC, the DC can’t start offering the GC service immediately. If you have multiple domains, the new GC first has to replicate the partial, read-only replicas of the other domains from an existing GC before it can function as a GC. By default, the new GC will wait at least 5 minutes before advertising itself as a GC. You can check the Directory Service event log for event ID 1119, which confirms that the server is now advertising itself as a GC.

If you want to check the status of a new GC from a script, you can create the following VBScript script on the DC:

' Read isGlobalCatalogReady from the local DC's RootDSE; it becomes TRUE once the DC advertises as a GC.
Set objRootDSE = GetObject("LDAP://RootDSE")
Wscript.Echo "GC ready: " & objRootDSE.Get("isGlobalCatalogReady")

Save the code in a file called gcready.vbs. Then, to run the script, enter the command

cscript gcready.vbs
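The RootDSE flag alone tells you the DC believes it is a GC; clients also need the DC to have logged event 1119 and to be answering on the GC LDAP port. The following PowerShell is an added example, not code from the original FAQ and not a port of the VBScript above: it checks those three signals against a named server and polls until all of them agree, so you can gate a cut-over on it. The name dc1.corp.example and the timing values are placeholders.

```powershell
# Added example (not from the original FAQ): wait until a new GC is usable, not merely flagged.

function Test-GlobalCatalogReady {
    param([string]$Server = $env:COMPUTERNAME)

    # The attribute the VBScript reads, but for a named server; ADSI hands it back as a string.
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $flag = ([string]$rootDse.isGlobalCatalogReady) -match '^true$'

    # Event 1119 is written when the DC starts advertising as a GC.
    $advert = $null
    try {
        $advert = Get-EventLog -LogName 'Directory Service' -ComputerName $Server -Newest 500 |
            Where-Object { $_.EventID -eq 1119 } | Select-Object -First 1
    } catch { Write-Warning "Cannot read the Directory Service log on ${Server}: $_" }
    $advertTime = if ($advert) { $advert.TimeGenerated } else { $null }

    # GC queries go to 3268 (3269 for SSL); the listener appears only once the GC is serving.
    $portOpen = $false
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Server, 3268); $portOpen = $true } catch { } finally { $client.Close() }

    New-Object PSObject -Property @{
        Server      = $Server
        RootDseFlag = $flag
        Event1119   = $advertTime
        Port3268    = $portOpen
        Ready       = ($flag -and $portOpen -and ($advert -ne $null))
    }
}

function Wait-GlobalCatalogReady {
    param([string]$Server, [int]$TimeoutMinutes = 60, [int]$IntervalSeconds = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $status = Test-GlobalCatalogReady -Server $Server
        if ($status.Ready) { return $status }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    throw "GC on $Server not ready after $TimeoutMinutes minutes:`n$($status | Out-String)"
}

Wait-GlobalCatalogReady -Server 'dc1.corp.example' | Format-List
```

Once the script returns, `nltest /dsgetdc:<domain> /gc /force` from a client confirms that the DC locator hands out the new server as a GC, which depends on the _gc SRV records having been registered in DNS as well.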

When should I manually defragment a domain controller?

An online defragmentation of the Active Directory (AD) database occurs during the AD garbage collection process, which runs every 12 hours by default. Online defragmentation optimizes the database’s internal structure but doesn’t shrink the file. If you’ve deleted a large number of objects from AD or, more likely, you’ve removed the Global Catalog (GC) role from a DC in a multi-domain forest (which discards the partial replicas of the other domains), AD might benefit from an offline defragmentation to shrink the physical size of the AD database (ntds.dit). Offline defragmentation requires the directory service to be stopped (on Windows 2000 and Windows Server 2003, boot into Directory Services Restore Mode), uses Ntdsutil to compact the database to a new file, and should be followed by an integrity check before the compacted file replaces the original; take a system state backup first.
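Whether the downtime is worth it depends on how much free space the database actually contains, and AD will tell you: with the NTDS diagnostic value “6 Garbage Collection” set to 1, each garbage collection pass logs event ID 1646 in the Directory Service log with the database’s free and allocated space. The following PowerShell is an added example, not code from the original FAQ: it enables that logging, parses the newest 1646 event, decides against a threshold, and runs the Ntdsutil compaction. The 25% threshold, the scratch folder and the sample event text are this example’s own choices, and the regular expressions assume the event wording shown in the sample. Run the compaction only with the directory service stopped and after a system state backup.

```powershell
# Added example (not from the original FAQ): decide on, and perform, an AD offline defragmentation.

function Enable-GarbageCollectionLogging {
    # Level 1 is enough to get event 1646; higher levels flood the log.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '6 Garbage Collection' -Value 1 -Type DWord
}

function Get-NtdsFreeSpace {
    # Takes the text of an event 1646 so the parser can be exercised without a live log.
    param([string]$Message)
    if ($Message -notmatch 'Free hard disk space \(megabytes\):\s*(\d+)') { return $null }
    $free = [int]$matches[1]
    if ($Message -notmatch 'Total allocated hard disk space \(megabytes\):\s*(\d+)') { return $null }
    $total = [int]$matches[1]
    New-Object PSObject -Property @{
        FreeMB      = $free
        TotalMB     = $total
        FreePercent = [math]::Round(100 * $free / $total, 1)
    }
}

function Test-OfflineDefragWarranted {
    param([int]$ThresholdPercent = 25)
    $event = Get-EventLog -LogName 'Directory Service' -Newest 500 |
        Where-Object { $_.EventID -eq 1646 } | Select-Object -First 1
    if (-not $event) {
        Write-Warning 'No event 1646 found; enable logging and wait for the next garbage collection (12 hours by default).'
        return $null
    }
    $space = Get-NtdsFreeSpace -Message $event.Message
    $space | Add-Member -MemberType NoteProperty -Name Warranted -Value ($space.FreePercent -ge $ThresholdPercent) -PassThru
}

function Invoke-NtdsOfflineCompaction {
    # Only in Directory Services Restore Mode (or with the directory service stopped on newer versions).
    param([string]$TargetFolder = 'C:\ntds-compact')   # assumed scratch location with room for the whole file
    $dbPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    if (-not (Test-Path $TargetFolder)) { New-Item -ItemType Directory -Path $TargetFolder | Out-Null }
    # Ntdsutil takes its menu commands as arguments: files -> compact to <folder> writes a fresh
    # ntds.dit into the folder and leaves the original untouched.
    & ntdsutil 'files' "compact to $TargetFolder" 'quit' 'quit'
    "Compacted copy written to $TargetFolder. Next: copy it over $dbPath, delete the *.log files in that folder, then run: ntdsutil files integrity quit quit"
}

# Constructed sample of an event 1646 message (wording assumed for this example):
$sampleMessage = 'Internal event: The Active Directory database has the following amount of free hard disk space remaining. Free hard disk space (megabytes): 310 Total allocated hard disk space (megabytes): 1024'
Get-NtdsFreeSpace -Message $sampleMessage | Format-List    # FreePercent 30.3 -> above a 25% threshold
```

For the sample event the database is about 30% whitespace, so at a 25% threshold `Test-OfflineDefragWarranted` would return Warranted = True; a DC that merely lost its GC role in a single-domain forest will usually report much less and isn’t worth taking offline.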

I recently promoted a server to a domain controller (DC), and now my event log reports an SPNEGO (Negotiator) event. What’s causing this error?

If this event (event ID 40960 or 40961, logged by source LSASRV in the System log) appears only once, shortly after the DC starts, you can ignore it: it occurs when the File Replication Service (FRS) starts before the directory service is ready to authenticate it. If the error recurs, you most likely have a problem with the directory service (most often Kerberos, DNS or time synchronization) and should start troubleshooting Active Directory (AD).
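The rule above, once at startup is benign and anything more needs attention, is easy to apply mechanically. The following PowerShell is an added example, not code from the original FAQ: it classifies the LSASRV 40960/40961 events since the last boot as a benign startup race when there is a single occurrence within a short window after boot, and as needing investigation otherwise. The 10-minute window and the constructed sample timestamps are this example’s own choices.

```powershell
# Added example (not from the original FAQ): classify SPNEGO (LSASRV 40960/40961) events since boot.

function Get-SpnegoVerdict {
    param(
        [datetime]$LastBoot,
        [datetime[]]$EventTimes,
        [int]$StartupWindowMinutes = 10
    )
    $windowEnd = $LastBoot.AddMinutes($StartupWindowMinutes)
    # Only events from the current boot matter; earlier ones belong to a previous session.
    $since     = @($EventTimes | Where-Object { $_ -ge $LastBoot })
    $atStartup = @($since | Where-Object { $_ -le $windowEnd })
    $later     = @($since | Where-Object { $_ -gt $windowEnd })

    $verdict = if ($since.Count -eq 0) { 'None since last boot' }
               elseif ($later.Count -eq 0 -and $atStartup.Count -le 1) { 'Benign: single startup race between FRS and the directory service' }
               else { 'Investigate: recurring SPNEGO failures (check Kerberos, DNS, time sync)' }

    New-Object PSObject -Property @{
        SinceBoot    = $since.Count
        AtStartup    = $atStartup.Count
        AfterStartup = $later.Count
        Verdict      = $verdict
    }
}

function Test-SpnegoEvents {
    param([string]$Computer = $env:COMPUTERNAME)
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer
    $lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)
    $times = Get-EventLog -LogName System -ComputerName $Computer -Source LSASRV -After $lastBoot |
        Where-Object { $_.EventID -eq 40960 -or $_.EventID -eq 40961 } |
        ForEach-Object { $_.TimeGenerated }
    Get-SpnegoVerdict -LastBoot $lastBoot -EventTimes @($times)
}

# Constructed sample: one event 90 seconds after boot, then the same event again two hours later.
$boot = Get-Date '2005-03-01 08:00:00'
Get-SpnegoVerdict -LastBoot $boot -EventTimes @($boot.AddSeconds(90))                     # Benign
Get-SpnegoVerdict -LastBoot $boot -EventTimes @($boot.AddSeconds(90), $boot.AddHours(2))  # Investigate
```

Run `Test-SpnegoEvents` against the newly promoted DC; if the verdict is Investigate, the event text itself names the failing principal and the error code, which is where the AD troubleshooting should start.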