RE: XP-SP2 "Feature"
From: Free, Bob (RWF4_at_pge.com)
Date: 09/10/04
- Previous message: Laura A. Robinson: "RE: XP-SP2 "Feature""
- Maybe in reply to: Jordan Wiseman: "XP-SP2 "Feature""
- Next in thread: Sarbjit Singh Gill: "RE: XP-SP2 "Feature""
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 10 Sep 2004 12:10:09 -0700
To: <focus-ms@securityfocus.com>
>What about Group Policy? Does anyone know if XP/2K Pro require ICMP to
>be open across firewalls?
This behavior was often discussed when many folks blocked ICMP as a
response to Nachi and had issues with profiles and GPO's. A couple of
relevant articles are below which don't explicitly mention XP but all
evidence I saw indicated XP was affected as well.
816045 - A Fast Link May Be Detected as a Slow Link Because of Network
ICMP Policies: http://support.microsoft.com/?id=816045
227260 - How a Slow Link Is Detected for Processing User Profiles and
Group Policy:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;227260
>what work-arounds are necessary in order for Group Policy (both
>Computer and User) to work across firewalls.
Darren Mar-Elia @ gpoguy.com offers the following solution-
The bottom line here is that you have to disable slow link detection on
the computer--which can be set via policy within Computer
Configuration|Administrative Templates|System|Group Policy|Group Policy
Slow Link Detection. Doing so can be tricky however, if you've already
disabled ICMP because no GPO processing happens, thus you get a
chicken-and-egg effect where you can't disable slow link through policy
because policy processing is not occurring. The answer to this is to set
the policy directly within the registry using the following registry
values:
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:00000000
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:00000000
Note that you have to set this policy to 0 for both the computer and the
user who will be logging into that system in order to fix this issue
completely. Note that by disabling slow link detection for that computer
and user however, you are effectively turning off the ability for GPO
processing to discern whether its connection to a DC is slow or not. The
link speed will always be considered fast. This may or may not be a good
thing, depending upon how slow the link really is.
hth
-----Original Message-----
From: Zath, Linda A [mailto:linda.a.zath@intel.com]
Sent: Wednesday, September 08, 2004 2:52 PM
To: Ian Miller
Cc: focus-ms@securityfocus.com
Subject: RE: XP-SP2 "Feature"
We experienced problems with GPO's failing when ICMP was blocked at the
FW. When ICMP traffic was allowed the GPO's worked fine. Annoying
problem that took awhile to track down as on some settings in the GPO's
failed.
Linda Zath
-----Original Message-----
From: Ian Miller [mailto:miller@ucalgary.ca]
Sent: Wednesday, September 08, 2004 8:32 AM
Cc: focus-ms@securityfocus.com
Subject: Re: XP-SP2 "Feature"
What about Group Policy? Does anyone know if XP/2K Pro require ICMP to
be open across firewalls? The reason I ask this is we have been told
(but unable to confirm) by other sources that ICMP must be available in
order for Group Policy to work. If ICMP is not required (could you
please indicate in your response) what work-arounds are necessary in
order for Group Policy (both Computer and User) to work across
firewalls.
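
Added example (not part of the original messages): a read-only PowerShell check that reports the GroupPolicyMinTransferRate policy value quoted above for the computer and for every user hive currently loaded under HKEY_USERS. The function name Get-SlowLinkSetting is hypothetical, and the check assumes it runs with enough rights to read other users' hives; profiles that are not loaded are not inspected.

```powershell
# Added example: audit the slow-link detection policy value named in the thread.
# Read-only; it changes nothing in the registry.
$SubKey    = 'Software\Policies\Microsoft\Windows\System'
$ValueName = 'GroupPolicyMinTransferRate'

function Get-SlowLinkSetting {
    # Hypothetical helper: classify the policy value under one registry path.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Scope
    )
    $state = 'NotConfigured'   # key or value absent: the default threshold applies
    $rate  = $null
    if (Test-Path -LiteralPath $Path) {
        $item = Get-ItemProperty -LiteralPath $Path -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $rate  = [int64]$item.$ValueName
            # 0 is the value from the thread: the link is always treated as fast.
            $state = if ($rate -eq 0) { 'DetectionDisabled' } else { 'ThresholdSet' }
        }
    }
    [pscustomobject]@{ Scope = $Scope; State = $state; MinTransferRate = $rate }
}

$results = @(
    # Computer half of the setting (HKEY_LOCAL_MACHINE).
    Get-SlowLinkSetting -Path "Registry::HKEY_LOCAL_MACHINE\$SubKey" -Scope 'Computer'

    # User half: each loaded profile is a SID-named hive under HKEY_USERS.
    # The *_Classes hives hold per-user class registrations and are skipped.
    Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            Get-SlowLinkSetting -Path "Registry::HKEY_USERS\$($_.PSChildName)\$SubKey" `
                                -Scope "User $($_.PSChildName)"
        }
)

$results | Format-Table -AutoSize

# The workaround in the thread is complete only when the computer row and the
# row for the logging-on user both show DetectionDisabled.
$incomplete = $results | Where-Object { $_.State -ne 'DetectionDisabled' }
if ($incomplete) {
    Write-Warning ("Slow link detection still active for: " + (($incomplete.Scope) -join ', '))
}
```

A machine that shows DetectionDisabled for the computer but NotConfigured for a user matches the partial-fix case the quoted note warns about.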