You cannot configure Windows Firewall settings or Security Center settings on a Windows XP Service Pack 2-based client computer that is in a Windows Small Business Server 2003-based network (872769)


The information in this article applies to:

  • Microsoft Windows Small Business Server 2003, Standard Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows XP Professional Service Pack 2 (SP2)

SYMPTOMS

After you install Microsoft Windows XP Service Pack 2 (SP2) on a client computer, you may experience the following symptoms when you log on to the network:
  • Windows Firewall is disabled. You cannot use the Windows Firewall tool in Control Panel to turn on Windows Firewall or to configure Windows Firewall settings on the Windows XP SP2 client computer. When you try to configure Windows Firewall settings, some options are appear dimmed, and you may receive the following message: For your security, some settings are controlled by Group Policy.You experience this symptom even if you previously clicked On (recommended) in the Windows Firewall dialog box to turn on Windows Firewall.
  • You cannot use the Security Center item in Control Panel on the Windows XP SP2 client computer to manage security settings.
Note These symptoms occur if either of the following conditions is true:
  • You install Windows XP SP2 on a client computer that is located in a Microsoft Windows Small Business Server (SBS) 2003-based network.
  • You have joined a client computer that is running Windows XP SP2 to a Windows SBS 2003-based network

CAUSE

This issue occurs because Group Policy in Windows Small Business Server 2003 disables Windows Firewall for client computers that are running Windows XP Professional.

RESOLUTION

Service pack information

To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Update information

An update is available for Windows Small Business Server 2003 that configures the Group Policy settings for Windows Firewall on Windows XP SP2-based computers. After you install this update, Group Policy will enable Windows Firewall on Windows XP SP2-based computers. Additionally, Group Policy will configure required exceptions in Windows Firewall to make it possible for Windows XP SP2-based computers to access network resources.

Be aware that Windows Firewall settings will continue to be dimmed in the Security Center and in the network properties of the client computers because these settings are configured by Group Policy.

To install this update, follow these steps:
  1. Install the Windows Small Business Server 2003 Update for Windows XP SP2. To obtain this update, visit the following Microsoft Web site:

    http://www.microsoft.com/downloads/details.aspx?FamilyId=D70097C2-4317-40E0-B7DA-FEB52C6B6386&displaylang=en

    For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

    119591 How to Obtain Microsoft Support Files from Online Services

    Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The Windows Small Business Server 2003 Update for Windows XP SP2 includes the System.adm file. In Windows XP SP2, this Group Policy administrative template file manages Windows Firewall.

    Note You do not have to restart the server after you apply this update. However, to update Group Policy on the Windows XP SP2-based client computers, either restart the client computers or run the gpupdate /force command on the client computers.
  2. If you want to modify the Group Policy setting that is configured when you installed the Windows Small Business Server 2003 Update for Windows XP SP2 in step 1, install the hotfix that is described in the following Microsoft Knowledge Base article:

    842933 "The following entry in the [strings] section is too long and has been truncated" error message when you edit or view Group Policy in Windows Server 2003, in Windows XP, or in Windows 2000

Note Install both the Windows Small Business Server 2003 Update for Windows XP SP2 and the hotfix that is described in the article 842933 only if you want to modify the Group Policy setting that is configured when you installed the Windows Small Business Server 2003 Update for Windows XP SP2. If you do not install the hotfix that is described in article 842933 after you install the Windows Small Business Server 2003 Update for Windows XP SP2, you receive the following error message when you try to manage Group Policy settings:
The following entry in the [strings] section is too long and has been truncated.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows XP Service Pack 2.

MORE INFORMATION

After you install the Windows Small Business Server 2003 Update for Windows XP SP2 update, you can use the security features that are included in Windows Firewall on a computer that is running Windows XP SP2. The update changes the default Group Policy setting in Windows Small Business Server 2003 to enable Windows Firewall on client computers that are running Windows XP Professional SP2. Additionally, the update opens the ports and makes it possible to use the program exceptions that Windows Firewall requires to work with the features that are included in Windows Small Business Server 2003. After you install the update, Windows Firewall is enabled on client computers that are running Windows XP Professional SP2. However, note that Internet Connection Firewall remains disabled on client computers that are running Windows XP Professional Service Pack 1 (SP1) or earlier.

The update does not include the .adm files that you must have to manage the additional Windows XP SP2 settings for Internet Explorer and Windows Update. You use the Inetres.adm file and the Wuau.adm file to manage Internet Explorer and Windows Update settings. To manage the Windows XP SP2 settings for Internet Explorer and Windows Update, install the Windows Server 2003 Administration Tools Pack on a Windows XP SP2-based computer. You can then manage the Group Policy settings from the Windows XP SP2 computer that is running the Administration Tools. For additional information about the Windows Server 2003 Administration Tools Pack, visit the following Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en

REFERENCES

For additional information about how to manage Group Policy administration templates, click the following article number to view the article in the Microsoft Knowledge Base:

816662 Recommendations for managing Group Policy administrative template (.adm) files

For additional information about how to obtain Windows XP SP2, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Modification Type:MinorLast Reviewed:2/15/2005
Keywords:ATdownload kbWinXPsp2fix kbWinXPpreSP2fix kbfix kbbug KB872769 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.