Firewall issues.


Chris Martin

There seems to be a bit of a choice when disabling the XP firewall using
group policies between whether you want the Computer Browser service to crash
or if you want the firewall service to report that the LSASS service is
running and listening to a port (which is a bit silly as LSASS is a system
service that runs on all Windows machines and listens on all the time) every
other minute. I will explain further.

If you disable the firewall service using GPOs (methods are described here
http://www.windowsecurity.com/articles/Customizing-Windows-Firewall.html and
here http://technet.microsoft.com/en-us/library/bb457149.aspx) and leave the
Firewall/ICS service to keep starting at boot time, the firewall is disabled
functionally as expected, but it continuously reports that the LSA service is
listening. However, if you disable the Firewall service to prevent it from
starting, it no longer reports that LSASS is running, but then the Computer
Browser service crashes on boot, as per this KB article:
http://support.microsoft.com/kb/889320. As I have requested the fix listed in
that article several times and have received no response we are basically
being forced to make a decision between our security logs filling up
continuously or the computer browser service failing. Even if I get the fix
for the Computer Browser problem it's likely to be an exe not an MSI and
therefore I will have no easy method to deploy it to 120 computers across all
of our offices. Why has this fix not been published to Windows Update so we
can deploy it via WSUS? Is there another resolution I am missing?
 
Chris Martin said:
There seems to be a bit of a choice when disabling the XP firewall
using group policies between whether you want the Computer Browser
service to crash

In a domain, I disable that service via group policy.
or if you want the firewall service to report that
the LSASS service is running and listening to a port (which is a bit
silly as LSASS is a system service that runs on all Windows machines
and listens on all the time) every other minute. I will explain
further.

If you disable the firewall service using GPOs (methods are described
here
http://www.windowsecurity.com/articles/Customizing-Windows-Firewall.html

I also recommend that it *not* be disabled, but rather that exceptions be
set in it (via policy).
and here http://technet.microsoft.com/en-us/library/bb457149.aspx)
and leave the Firewall/ICS service to keep starting at boot time, the
firewall is disabled functionally as expected, but it continuously
reports that the LSA service is listening. However, if you disable
the Firewall service to prevent it from starting, it no longer
reports that LSASS is running, but then the Computer Browser service
crashes on boot, as per this KB article:
http://support.microsoft.com/kb/889320.

Interesting - I haven't run into that. However, as mentioned above, you
really shouldn't have to, either....
As I have requested the fix
listed in that article several times and have received no response

Always call Microsoft directly for hotfixes - don't email.
we
are basically being forced to make a decision between our security
logs filling up continuously or the computer browser service failing.

...which you don't need, since you've got AD and a master browser. Run WINS
if you're going to leave NetBIOS over TCP/IP enabled at all. Otherwise,
disable it outright. Domain member workstations do not need the computer
browser service running at all (and I always use WINS even nowadays).
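The reply's recommendation (keep the firewall service running and enabled, push exceptions by policy, turn off Computer Browser on domain members, and point at WINS if NetBIOS stays on) as a single test script for one XP SP2/SP3 workstation. This is an added example, not code from either poster: the exception set (File and Printer Sharing from the local subnet, Remote Desktop from 10.0.0.0/8), the WINS server address 10.0.0.10 and the interface name "Local Area Connection" are assumptions for illustration. The same settings, once confirmed locally, are what the domain-profile GPO should produce.

```batch
@echo off
rem Added example for the thread above (not the posters' code).
rem Assumed values: subnet-scoped file sharing, RDP from 10.0.0.0/8,
rem WINS server 10.0.0.10, NIC named "Local Area Connection".

rem 1. Keep the domain-profile firewall ON with exceptions allowed.
rem    The Firewall/ICS service keeps starting, which is the condition
rem    under which KB889320's Computer Browser crash does not occur, and
rem    the "LSASS is listening" reports only appear in the disabled-but-
rem    running configuration the original post describes.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN

rem 2. Open only what the workstations need, scoped as tightly as possible.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=DOMAIN
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop" mode=ENABLE scope=CUSTOM addresses=10.0.0.0/8 profile=DOMAIN

rem 3. Domain member workstations do not need Computer Browser: stop it
rem    and prevent it from starting. The policy equivalent is Computer
rem    Configuration > Windows Settings > Security Settings > System
rem    Services > Computer Browser, startup type Disabled.
sc stop Browser
sc config Browser start= disabled

rem 4. If NetBIOS over TCP/IP stays enabled, use WINS rather than browser
rem    elections (assumed server and interface name).
netsh interface ip set wins "Local Area Connection" static 10.0.0.10

rem 5. Show the resulting state for comparison with what the GPO applies.
rem    EnableFirewall under the policy key is present only when a firewall
rem    GPO is in effect; it is absent on a machine with no such policy.
netsh firewall show state
netsh firewall show config
sc query Browser
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall
```

Run from an administrative command prompt. The `netsh firewall` context is the XP SP2/SP3 one; Vista and later replaced it with `netsh advfirewall`, so this script is for the XP machines the thread is about.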