Chris Martin
There seems to be a bit of a choice when disabling the XP firewall using
group policies between whether you want the Computer Browser service to crash
or if you want the firewall service to report that the LSASS service is
running and listening to a port (which is a bit silly as LSASS is a system
service that runs on all Windows machines and listens all the time) every
other minute. I will explain further.
If you disable the firewall service using GPOs (methods are described here
http://www.windowsecurity.com/articles/Customizing-Windows-Firewall.html and
here http://technet.microsoft.com/en-us/library/bb457149.aspx) and leave the
Firewall/ICS service to keep starting at boot time, the firewall is disabled
functionally as expected, but it continuously reports that the LSA service is
listening. However, if you disable the Firewall service to prevent it from
starting, it no longer reports that LSASS is running, but then the Computer
Browser service crashes on boot, as per this KB article:
http://support.microsoft.com/kb/889320. As I have requested the fix listed in
that article several times and have received no response, we are basically
being forced to make a decision between our security logs filling up
continuously or the computer browser service failing. Even if I get the fix
for the Computer Browser problem it's likely to be an exe not an MSI and
therefore I will have no easy method to deploy it to 120 computers across all
of our offices. Why has this fix not been published to Windows Update so we
can deploy it via WSUS? Is there another resolution I am missing?