MN XPSP2

Using Windows XP Professional with Service Pack 2 in a Managed Environment: Controlling Communication with the Internet
Microsoft Corporation Published: July 2004
The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of Microsoft Corp. Microsoft may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. 2004 Microsoft Corp. All rights reserved.
Table of Contents
Introduction Activation and Registration Associated with a New Installation or an Upgrade Certificate Support and the Update Root Certificates Component Device Manager and Hardware Wizards Dynamic Update Event Viewer File Association Web Service Help and Support Center: The Headlines and Online Search Features HyperTerminal Internet Explorer 6 Internet Games on Windows XP Internet Information Services in Windows XP with SP2 Internet Printing Internet Protocol Version 6 (IPv6) MSN Explorer NetMeeting Outlook Express 6 Plug and Play Program Compatibility Wizard Remote Assistance Search Companion Windows Error Reporting Windows Media Player Windows Messenger Windows Movie Maker Windows Time Service Windows Update and Automatic Updates Appendices Appendix A: Resources for Learning About Automated Installation and Deployment Appendix B: Learning About Group Policy and Updating Administrative Templates Appendix C: Group Policy Settings Listed Under the Internet Communication Management Key Appendix D: Differences Between Service Pack 1 and Service Pack 2 Appendix E: Internet Connection Sharing, Windows Firewall, and Network Bridge Appendix F: Add Network Place Wizard and Web Publishing Wizard Appendix G: Online Ordering Wizards and Tasks Appendix H: New Connection Wizard and Internet Connection Wizard Related Links
Introduction
The Microsoft Windows XP Professional operating system includes a variety of technologies that communicate with the Internet to provide increased ease of use and functionality. Browser and e-mail technologies are obvious examples, but there are also technologies such as Automatic Updates that help users obtain the latest software and product information, including bug fixes and security patches. These technologies provide many benefits, but they also involve communication with Internet sites, which administrators might want to control. Control of this communication can be achieved through a variety of options built into individual components, into the operating system as a whole, and into server components designed for managing configurations across your organization. For example, as an administrator, you can use Group Policy to control the way some components communicate. For some components, you can direct all communication to the organizations own internal Web site instead of to an external site on the Internet. This white paper provides information about the communication that flows between components in Windows XP Professional with Service Pack 2 (SP2) and sites on the Internet, and describes steps to take to limit, control, or prevent that communication in an organization with many users. The white paper is designed to assist you, the administrator, in planning strategies for deploying and maintaining Windows XP Professional with SP2 in a way that helps to provide an appropriate level of security and privacy for your organizations networked assets. This white paper provides guidelines for controlling components in the following set of operating systems: Windows XP Professional with SP2 on user computers. The focus is on the installation or configuration steps needed for these computers.
Note This white paper does not cover desktop products other than Windows XP Professional with SP2. For example, it does not cover Windows XP Home Edition or Windows XP Media Center Edition. Windows Server 2003 on servers. The white paper does not focus on these computers, but it provides information for using these servers as part of your deployment or maintenance strategies. For instance, it describes ways of using Group Policy on a server running Windows Server 2003 to control the behavior or configuration of users computers running Windows XP with SP2. In many instances, procedures that can be used on a server running Windows Server 2003 can also be used on a server running Windows 2000.
The white paper is organized around individual components found in Windows XP Professional with SP2, so that you can easily find detailed information for any component you are interested in. This white paper provides links to privacy statements for a number of individual components in Windows XP Professional with SP2. You can read the overall privacy statement for Windows XP Professional with SP2 on the Microsoft Web site at: http://go.microsoft.com/fwlink/?LinkId=25243
Using Windows XP Professional with Service Pack 2 in a Managed Environment
What This White Paper Covers and What It Does Not Cover
This section describes the following: Types of components covered in this white paper Types of components not covered in this white paper Security basics that are beyond the scope of this white paper, with listings of some other sources of information about these security basics
Types of Components Covered in This White Paper

This white paper provides: Information about components that in the normal course of operation send information to or receive information from one or more sites on the Internet. An example of this type of component is Windows Error Reporting. If a user chooses to use this component, it sends information to a site on the Internet. Information about components that routinely display buttons or links that make it easy for a user to initiate communication with one or more sites on the Internet. An example of this type of component is Event Viewer. If a user opens an event in Event Viewer and clicks a link, the user is prompted with a message box that says, "Event Viewer will send the following information across the Internet. Is this OK?" If the user clicks OK, information about the event is sent to a Web site, which replies with any additional information that might be available about that event. Brief descriptions of components like Microsoft Internet Explorer and Microsoft Outlook Express that are designed to communicate with the Internet. It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization where users connect to sites on the Internet, download items from the Internet, send and receive e-mail, and perform similar actions. This white paper does, however, provide basic information about how components such as Internet Explorer and Outlook Express work, and it provides suggestions for other sources of information about balancing your organizations requirements for communication across the Internet with your organizations requirements for protection of networked assets.
Types of Components Not Covered in This White Paper

This white paper does not provide: Information about managing or working with applications, scripts, utilities, Web interfaces, Microsoft ActiveX controls, extensible user interfaces, the .NET Framework, and application programming interfaces (APIs). These are either applications, or are layers that support applications, and as such provide extensions that go beyond the operating system itself.
Windows Installer is not covered in this white paper, although Windows Installer includes some technology that (if you choose) you can use for installing drivers or other software from the Internet. Such Windows Installer packages are not described here because they are like a script or utility that is created specifically for communication across the Internet.
You must work with your software provider to learn what you can do to mitigate any risks that are part of using particular applications (including Web-based applications), scripts, utilities, and other software that runs on Windows XP with SP2. Information about components that store local logs that could potentially be sent to someone or could potentially be made available to support personnel. This information is similar to any other type of information that can be sent through e-mail or across the Internet in other ways. You must work with your support staff to provide guidelines about the handling of logs and any other similar information you might want to protect.
Security Basics That are Beyond the Scope of This White Paper
This white paper is designed to assist you, the administrator, in planning strategies for deploying and maintaining Windows XP Professional with SP2 in a way that helps provide an appropriate level of security and privacy for your organizations networked assets. The white paper does not describe security basics, that is, strategies and risk-management methods that provide a foundation for security across your organization. It is assumed you are actively evaluating and studying these security basics as a standard part of network administration. Some of the security basics that are a standard part of network administration include: Monitoring. This includes using a variety of software tools, including tools to assess which ports are open on servers and clients. Virus-protection software. The principle of least privilege (for example, not logging on as an administrator if logging on as a user is just as effective). The principle of running only the services and software that are necessarythat is, stopping unnecessary services and keeping computers (especially servers) free of unnecessary software. Strong passwords, that is, requiring all users and administrators to choose passwords that are not easily cracked. Risk assessment as a basic element in creating and implementing security plans. Software deployment and maintenance routines to help ensure that your organizations software is running with the latest security updates and patches. Defense-in-depth. In this context, defense-in-depth (also referred to as in-depth defense) means redundancy in security systems. An example is using firewall settings together with Group Policy to control a particular type of communication with the Internet.
Other Sources of Information About Security Basics

The following books and Web sites are a few of the many sources of information about the security basics described previously: Howard, Michael, et al. Designing Secure Web-Based Applications for Microsoft Windows 2000. Redmond, WA: Microsoft Press, 2000.
Howard, Michael, and David LeBlanc. Writing Secure Code. Redmond, WA: Microsoft Press, 2002.
Kaufman, C., R. Perlman, and M. Speciner. Network Security: Private Communication in a Public World. Upper Saddle River, New Jersey: Prentice-Hall Inc., 2002. Smith, B., B. Komar, and the Microsoft Security Team. Microsoft Windows Security Resource Kit. Redmond, WA: Microsoft Press, 2003.
For more information, see the Microsoft Press Web site at: http://go.microsoft.com/fwlink/?LinkId=29168 The Security Guidance Center on the Microsoft Web site at:
http://www.microsoft.com/security/guidance/ The Prescriptive Architecture Guides on the Microsoft Web site at:
http://go.microsoft.com/fwlink/?linkid=29413 The Web page focused on security for Windows on the Microsoft Windows Web site at:
http://www.microsoft.com/windows/security/ The Web page focused on security on the Microsoft Developer Network (MSDN) Web site at:
http://msdn.microsoft.com/security/ The Web page focused on security on the Microsoft TechNet Web site at:
http://www.microsoft.com/technet/security/
Activation and Registration Associated with a New Installation or an Upgrade

This section provides information about: The purposes of activation and registration associated with a new installation or an upgrade How a users computer communicates with sites on the Internet during activation and registration Choosing volume licensing so that product activation need not take place (to limit the flow of information to and from Internet sites) Using Group Policy to prevent users from connecting to the Microsoft Web site for online registration
Purposes of Activation and Registration Associated with a New Installation or an Upgrade

This subsection briefly describes the differences between product activation and registration, and then describes the purpose of each. Product registration involves the provision of personally identifiable information, such as an e-mail address, to Microsoft for the purpose of receiving information about product updates and special offers. Registration is usually done on a per-product basis and is not required. If registration is completed, all registration information is stored using a variety of security technologies. When you register, you can specify what kinds of communication you wish to receive and whether your information can be used in particular ways. For example, if you provide a mailing address during registration, you can specify whether your mailing address can be shared with other companies. Other than the uses you specify, your registration information is never loaned or sold outside Microsoft. Product activation involves the authentication with Microsoft of nonpersonally identifiable information, including the product identifier for Microsoft Windows XP Professional with Service Pack 2 (SP2) and a hardware hash representing the computer, for the purpose of reducing software piracy. (A hardware hash is a non-unique number generated from the computer's hardware configuration.) Activation of Windows XP is required in situations where the product is not purchased through a volume licensing program such as Microsoft Select License, Microsoft Enterprise Agreement, or Microsoft Open License. Many computer manufacturers can bypass activation on software preinstalled on a new computer by binding the software to the computers basic input/output system (BIOS). In this situation, no activation of that software is required. Detailed information about product activation can be found on the Microsoft Web site at: http://go.microsoft.com/fwlink/?LinkId=29484 For more information about volume licensing, see "Choosing Volume Licensing So That Individual Product Activation Need Not Take Place," later in this section. Activation is aimed at reducing software piracy as well as ensuring that Microsoft customers are receiving the product quality that they expect. Activation means that a specific product key
becomes associated with the computer (the hardware) it is installed on. After that happens, that product key cannot be used for activation on other computers (unless the owner is enrolled in a special program that permits additional activations, for example, a program through the Microsoft Developer Network [MSDN]).
Overview: Activation and Registration in the Context of a Managed Environment

Product activation is an anti-piracy technology designed to verify that software products have been legitimately licensed. If you have software re-imaging rights granted under a Microsoft volume license agreement, and if you obtained Windows XP Professional with SP2 through a retail channel or preinstalled by the computer manufacturer, you can re-image it with Windows XP Professional with SP2 licensed through one of the Microsoft volume licensing programs. With volume licensing, there is no need to perform product activation. Product registration involves the provision of personally identifiable information, such as an e-mail address, to Microsoft for the purpose of receiving information about product updates and special offers. In a managed environment, you might want to prevent users from registering the product with Microsoft. You can use Group Policy to do this.
How a Computer Communicates with Sites on the Internet During Activation and Registration
Windows XP with SP2 can be activated through the Internet or by phone. When it is activated through the Internet, Windows XP with SP2 communicates with Web sites as follows: Specific information sent or received: During activation of Windows XP with SP2, the following information is sent to the activation server at Microsoft: Request information, that is, protocol information necessary for successfully establishing communication with the activation server. Product key information in the form of the product ID, plus the product key itself. A hardware hash (a non-unique number generated from the computer's hardware configuration). The hardware hash does not represent any personal information or anything about the software. It is based on the MD5 message-digest hash algorithm, and consists of a combination of partial MD5 hash values of various computer components. The hardware hash cannot be used to determine the make or model of the computer, nor can it be backward-calculated to determine the raw computer information. Date and time. The language being used on the system (so that any error message that is sent back can be in the correct language). The operating system being activated (and the version number of the activation software).
Depending on the owners preference, the preceding information is either sent over the Internet to the activation system at Microsoft, or the product key information and hardware hash (combined into one number) are called in by phone.
Default setting and ability to disable: Product activation can only be disabled by installing the operating system with software acquired through one of the Microsoft volume licensing programs. Product activation can be bypassed by many computer manufacturers if they bind the product to the computers BIOS instead. In all other cases, product activation cannot be disabled. Trigger and notification for activation: When activation is required, the operating system provides a reminder each time a user logs on and at common intervals until the end of the activation grace period stated in the End-User License Agreement (thirty days is the typical grace period). With software acquired through one of the Microsoft volume licensing programs, there is no need for activation, and therefore there are no reminders that appear about activation.
Trigger and notification for registration: Registration is optional. A user can register at activation time by choosing appropriate options on the Windows Product Activation interface. As an alternative, a user can type regwiz /r to start the Registration Wizard for Windows XP with SP2. Before the wizard starts and in the first page of the wizard, brief explanations notify the user that completing the wizard will cause the product to be registered. Logging: Entries that track the progress of activation and registration (for example, return codes and error codes) are logged into a text file, systemroot\setuplog.txt. This file can be used for troubleshooting if activation (or any part of setup) fails. If the owner of Windows XP chooses to register the product, two entries are made in this text file. One entry records the country or region that was chosen for the operating system. A second entry records whether the owner chooses to have Microsoft (or the computer manufacturer) send information about product updates and special offers. No other registration data is logged. Privacy, encryption, and storage for activation data: Customer privacy was a paramount design goal in building the product activation technology. No personally identifiable information is collected as part of activation. The data is encrypted (using HTTPS) during transmission and is stored on servers located in controlled facilities at Microsoft. The data is accessible to a restricted number of server and program support personnel who oversee and maintain the activation servers and the product activation program.
To review the Microsoft online privacy statement on activation, see the Microsoft Web site at: http://go.microsoft.com/fwlink/?LinkId=29923 Privacy, encryption, and storage for registration data: When a user registers at activation time (through the Windows Product Activation interface), registration data is encrypted (using HTTPS) during transmission. When a user registers by using the Registration Wizard (which is started by typing regwiz /r), registration data is encrypted (using HTTPS) during transmission unless the wizard is unable to establish an HTTPS connection through port 443 with the Microsoft registration server. In this situation, registration data will be sent unencrypted, using HTTP through port 80.
Registration data, which contains information that the user chooses to send to Microsoft, is stored on servers with restricted access that are located in controlled facilities. The data can be seen by customer service representatives and marketing personnel. To review the Microsoft online privacy statement on product registration, see the Microsoft Web site at: http://go.microsoft.com/fwlink/?LinkId=29508 Transmission protocol and port:
10
For Windows Product Activation: When Windows XP with SP2 is activated through the Internet and a modem is not used, the first transmission uses HTTP through port 80 and goes to wpa.one.microsoft.com/ to check the HTTP response code. A response code of less than 500 indicates that a product activation server is available. (With a modem, there is only a check to see whether the modem can currently be used to make a connection to the Internet.) If the product activation server can be reached (or for a modem, if a connection to the Internet can be made), any activation or registration data that is sent by Windows Product Activation uses HTTPS through port 443. For the Registration Wizard: When a user registers by using the Registration Wizard (which is started by typing regwiz /r), HTTPS is used through port 443 unless the wizard is unable to establish an HTTPS connection through port 443 with the Microsoft registration server. In this situation, HTTP is used through port 80.
Activation Improvements in Windows XP Service Packs

Microsoft has introduced additional technological measures in Windows XP Service Pack 1 (SP1) and Windows XP Service Pack 2 (SP2) aimed at ensuring that legally licensed customers receive the full benefits of owning their valid license. Some of the changes include: Product key validation during activation. The addition of a three-day grace period, where re-activation is required because of a significant hardware change. (Before SP1, there was no grace period for reactivation after a significant hardware change.) The ability for volume license customers to encrypt their volume license product keys in unattended installations.
The preceding changes were made in SP1 and are continued in SP2. For more information about the changes to activation in that occurred in SP1, see the Microsoft Web site at: http://go.microsoft.com/fwlink/?linkid=29225 http://go.microsoft.com/fwlink/?linkid=29226
Choosing Volume Licensing So That Individual Product Activation Need Not Take Place
If you use the rights granted under a volume licensing agreement to purchase or re-image software, you cannot and need not perform activation on the individual computers that are installed under the volume license. Qualifying as a volume licensing customer is not difficult. Customers can qualify for a Microsoft volume license by purchasing as few as five licenses. For more information, see the Microsoft Web site at: http://go.microsoft.com/fwlink/?LinkId=29878
Procedure for Preventing Online Product Registration with Microsoft

Use the following procedure to configure Group Policy to prevent online registration with Microsoft.
11
1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings. 3. In the details pane, double-click Turn off Registration if URL connection is referring to Microsoft.com, and then click Enabled. Important You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."
12
Certificate Support and the Update Root Certificates Component

This section provides information about: The benefits of the certificate functionality built into Microsoft Windows XP Professional with Service Pack 2 (SP2), including the benefits of Update Root Certificates How Update Root Certificates in Windows XP with SP2 communicates with sites on the Internet How to control Update Root Certificates to limit the flow of information to and from the Internet
Benefits and Purposes of Certificate Functionality

Certificates, and the public key infrastructure of which they are a part, support authentication and encrypted exchange of information on open networks, such as the Internet, extranets, and intranets. A certificate securely binds a public key to the entity that holds the corresponding private key. With certificates, host computers on the Internet no longer have to maintain a set of passwords for individual subjects who need to be authenticated as a prerequisite to access. Instead, the host merely establishes trust in a certification authority that certifies individuals and resources that hold private keys. The host can establish this trust through a certificate hierarchy that is ultimately based on a root certificate, that is, a certificate from a certification authority that establishes a well-defined level of integrity and security for the hierarchy. Examples of times that a certificate is used are when a user: Uses a browser to engage in a Secure Sockets Layer (SSL) session Accepts a certificate as part of installing software Accepts a certificate when receiving an encrypted or digitally signed e-mail message
When learning about public key infrastructure, it is important to learn not only about how certificates are issued, but about how certificates are revoked and how information about those revocations is made available to clients. This is because certificate revocation information is crucial for a users application that is seeking to verify that a particular certificate is currently (not just formerly) considered trustworthy. Certificate revocation information is often stored in the form of a certificate revocation list, although this is not the only form it can take. Applications that have been presented with a certificate might contact a site on an intranet or the Internet not only for information about certification authorities, but also for certificate revocation information. In an organization where clients run Microsoft Windows XP Professional and servers run Windows Server 2003, you have a variety of options in the way certificates and certification revocation lists (or other forms of certificate revocation information) are handled. For more information about these options, see the references listed in the next subsection, "Overview: Using Certificate Components in a Managed Environment." The Update Root Certificates component in Windows XP with SP2 is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site when this check is
13
needed by a users application. Specifically, if the application is presented with a certificate issued by a certification authority that is not directly trusted, the Update Root Certificates component (if present) will contact the Microsoft Windows Update Web site to see if Microsoft has added the certification authority to its list of trusted authorities. If the certification authority has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to the trusted certificate store on the users computer. Note that the Update Root Certificates component is optional with Windows XP with SP2that is, it can be removed or excluded from installation on a computer running Windows XP with SP2.
Overview: Using Certificate Components in a Managed Environment

In an organization where clients run Windows XP Professional and servers run Windows Server 2003, you have a variety of options in the way certificates are handled. For example, you can establish a trusted root authority, also known as a root certification authority inside your organization. The first step in establishing a trusted root authority is to install the Certificate Services component. Another step that might be appropriate is to configure the publication of certificate revocation information to the Active Directory directory service. When implementing public key infrastructure, we recommend that you also learn about Group Policy as it applies to certificates. Procedures for these steps are provided in the resources listed at the end of this subsection. When you configure a certification authority inside your organization, the certificates it issues can specify a location of your choosing for retrieval of additional evidence for validation. That location can be a Web server or a directory within your organization. Because it is beyond the scope of this white paper to provide full details about working with certification authorities, root certificates, certificate revocation, and other aspects of public key infrastructure, this section provides a list of conceptual information and a list of resources to help you learn about certificates. Some of the concepts to study when learning about certificates include: Certificates and the X.509 V3 standard (the most widely used standard for defining digital certificates) as well as the public key infrastructure for X.509 (PKIX). PKIX is described in RFC 3280, which you can search for on the Internet Engineering Task Force (IETF) Web site at:
http://www.ietf.org/rfc.html You can also learn about PKIX on the Internet Engineering Task Force (IETF) Web site at: http://go.microsoft.com/fwlink/?LinkId=29924 Standard protocols that relate to certificates, for example, Transport Layer Security (TLS), Secure Sockets Layer (SSL), and Secure Multipurpose Internet Mail Extensions (S/MIME). Encryption keys and how they are generated. Certification authorities, including the concept of a certification authority hierarchy and the concept of an offline root certification authority. Certificate revocation. Ways that Active Directory and Group Policy can work with certificates.
14
The following list of resources can help you as you plan or modify your implementation of certificates and public key infrastructure: Help for products in the Windows Server 2003 family.
You can view Help for products in the Windows Server 2003 family on the Web at: http://go.microsoft.com/fwlink/?linkid=29881 The Microsoft Windows Server 2003 Deployment Kit and the Microsoft Windows Server 2003 Technical Reference.
You can view links on the Windows Deployment and Resource Kits Web site at: http://www.microsoft.com/windows/reskits/ "Troubleshooting Certificate Status and Revocation," a white paper on the Microsoft TechNet Web site at:
http://go.microsoft.com/fwlink/?LinkId=27081 Links to information about public key infrastructure for both Windows Server 2003 and Windows XP on the Microsoft Web site at:
http://go.microsoft.com/fwlink/?linkid=29886 In a medium-size to large organization, for the greatest control of communication with the Internet, it is recommended that you manage the list of certification authorities yourself, meaning that on users computers, you would control or remove the Update Root Certificates component or prevent it from being installed with Windows XP with SP2.
How Update Root Certificates Communicates with Sites on the Internet

This subsection focuses on how the Update Root Certificates component communicates with sites on the Internet. The previous subsection, "Overview: Using Certificate Components in a Managed Environment" provides references for the configuration choices that control the way other certificate components communicate with sites on the Internet. If the Update Root Certificates component is installed on a users computer and has not been disabled through Group Policy, and the users application is presented with a certificate issued by a root certification authority that is not directly trusted, the Update Root Certificates component communicates across the Internet as follows: Specific information sent or received: Update Root Certificates sends a request to the Windows Update Web site, asking for the current list of root certification authorities in the Microsoft Root Certificate Program. If the untrusted certificate is named in the list, Update Root Certificates obtains that certificate from Windows Update and places it in the trusted certificate store on the users computer. No user authentication or unique user identification is used in this exchange.
The Windows Update Web site is located at: http://windowsupdate.microsoft.com/ Default setting and ability to disable: Update Root Certificates is installed by default in Windows XP with SP2. You can disable this component with Group Policy, or you can remove it or exclude it from installation on users computers.
15
Trigger and user notification: Update Root Certificates is triggered when the user is presented with a certificate issued by a root certification authority that is not directly trusted. There is no user notification. Logging: Events containing information such as the following will be logged:
For Event ID 7: Description: Successful auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site For Event ID 8: Description: Failed auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site with error: hexadecimal_error_value Encryption, privacy, and storage: When requests or certificates are sent to or from Update Root Certificates, no encryption is used. Microsoft does not track access to the list of trusted authorities that it maintains on the Microsoft Windows Update Web site. Transmission protocol and port: The transmission protocol is HTTP and the port is 80.
Controlling the Update Root Certificates Component to Prevent the Flow of Information to and from the Internet
If you want to prevent the Update Root Certificates component in Windows XP with SP2 from communicating automatically with the Microsoft Windows Update Web site, you can disable this component with Group Policy, or you can remove it or exclude it from installation on users computers. You can exclude the component during workstation deployment by using standard methods for unattended installation or remote installation, as described in Appendix A, "Resources for Learning About Automated Installation and Deployment. If you are using an answer file, the entry is as follows: [Components] Rootautoupdate = Off For information about how to disable Update Root Certificates through Group Policy, see To Disable the Update Root Certificates Component by Using Group Policy, later in this section.
How Disabling, Removing, or Excluding Update Root Certificates from Users Computers Can Affect Users and Applications
If the user is presented with a certificate issued by a root certification authority that is not directly trusted, and the Update Root Certificates component is not installed on the users computer, the user will be prevented from completing the action that required authentication. For example, the user might be prevented from installing software, viewing an encrypted or digitally signed e-mail message, or using a browser to engage in an SSL session.
16
Procedures for Preventing Root Certificates from Being Updated on an Individual Computer
The following procedures describe: How to use Group Policy to disable the Update Root Certificates component on users computers. How to use Control Panel to remove the Update Root Certificates component from an individual computer running Windows XP with SP2. How to exclude the Update Root Certificates component during unattended installation of Windows XP with SP2 by using an answer file.
To Disable the Update Root Certificates Component by Using Group Policy

1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings. 3. In the details pane, double-click Turn off Automatic Root Certificates Update, and then click Enabled. Important You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."
To Remove the Update Root Certificates Component from an Individual Computer Running Windows XP with SP2
1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel. 2. Double-click Add or Remove Programs. 3. Click Add/Remove Windows Components (on the left). 4. Scroll down the list of components to Update Root Certificates, and make sure the check box for that component is cleared. 5. Follow the instructions to complete the Windows Components Wizard.
To Exclude the Update Root Certificates Component During Unattended Installation by Using an Answer File
1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A, "Resources for Learning About Automated Installation and Deployment."
17
2. In the [Components] section of the answer file, include the following entry: Rootautoupdate = Off
18
Device Manager and Hardware Wizards

This section provides information about: The benefits of Device Manager. How hardware wizards communicate with sites on the Internet.
Device Manager provides an interface for viewing the configuration of hardware devices, and the wizards help with installing and configuring the correct driver for a device. Therefore, this section describes how the wizards communicate with the Internet, while providing background about Device Manager. How to control hardware wizards to limit the flow of information to and from the Internet.
For procedures related to disabling Windows Update, see "Windows Update and Automatic Updates" in this white paper.
Benefits and Purposes of Device Manager

Device Manager provides users and administrators with information about how the hardware on their computers is installed and configured, and how the hardware interacts with the computers applications. With Device Manager, administrators can update the drivers (or software) for hardware devices, modify hardware settings, and troubleshoot problems. Note Only administrators or users with administrative credentials can install or update device drivers.
Overview: Using Device Manager in a Managed Environment

Administrators can access Device Manager through Administrative Tools\Computer Management. Users can access Device Manager through Control Panel\System\Hardware to view information about the hardware installed on their computers, but they must have administrative credentials to modify or update hardware. Administrators or users with administrative credentials will typically use Device Manager to check the status of hardware and to update device drivers. Administrators who have a thorough understanding of computer hardware might also use Device Manager's diagnostic features to resolve device conflicts and change resource settings. Device Manager can work in conjunction with hardware wizards and Windows Update to deliver updated drivers for installed hardware. On a computer running Windows XP with SP2, when a driver is being upgraded, the person at the computer is prompted to find out whether to search the Windows Update Web site for an appropriate device driver. The same prompt is displayed if the person has attached a new Plug and Play device for which the driver is not included as part of Windows XP with SP2. As an administrator, you can prevent this, if you choose, by using Control Panel or Group Policy. The following subsection provides details about how hardware wizards interact with the Internet.
19
How Hardware Wizards Communicate with Sites on the Internet

Hardware wizards search for device drivers in slightly different ways, depending on the type of device for which a driver is needed: An existing device for which a new device driver is available.
To update a device driver, a person logged on to Windows XP as an administrator opens Device Manager, selects a hardware device, and clicks Update Driver on the Action menu. Alternatively, the person can open Device Manager, right-click a hardware device, and click Update Driver. This activates the Hardware Update Wizard. If Windows Update device driver searching has not been disabled, by default, the Hardware Update Wizard prompts the person to find out whether to search the Windows Update Web site for an updated device driver. A new Plug and Play device for which the driver is not included as part of Windows XP with SP2.
To install a new Plug and Play device, a person logged on to Windows XP as an administrator first attaches the device. In some instances, Windows XP then finds the appropriate driver locally and installs it without input from the user. In other instances, Windows XP cannot find an appropriate driver locally, and the Found New Hardware Wizard starts. If Windows Update device driver searching has not been disabled, by default, the Found New Hardware Wizard prompts the person to find out whether to search the Windows Update Web site for an updated device driver. A device that is not Plug and Play.
After a person logged on to Windows XP as an administrator attaches a device that is not Plug and Play, he or she can use Add Hardware in Control Panel to start the Add Hardware Wizard. This wizard does not connect to the Internet for device drivers. When the person at the computer responds to a prompt by agreeing to the Internet search for a device driver, the Hardware Update Wizard or Found New Hardware Wizard communicate with the Windows Update Web site. Therefore, much of the information in this subsection is the same as for Windows Update. Additional details are as follows: Specific information sent or received: See the section Windows Update and Automatic Updates in this white paper. None of the communication between the computer and the Internet uniquely identifies the user. Default settings: By default, the hardware wizards prompt to find out whether to search Windows Update for a device driver. Triggers: A person logged on as an administrator starts the Hardware Update Wizard, or adds a new Plug and Play device for which Windows XP cannot find an appropriate driver locally. User notification: By default, when the Hardware Update Wizard is started, it asks whether to search Windows Update for the device driver, and offers the following choices: Yes, this time only Yes , now and every time I connect a device No, not this time
20
Choosing the second choice, Yes, now and every time I connect a device, causes the Hardware Update Wizard to stop offering the preceding three prompts, but these prompts can be restored through System Properties (in Control Panel). To restore the three prompts, in System Properties, click the Hardware tab, click the Windows Update button, and choose Ask me to search Windows Update every time I connect a new device. To use System Properties to turn off Windows Update Device Driver searching, see Procedures for Controlling How Drivers Are Updated Through Device Manager, later in this section. Logging: Errors that result from problems installing hardware devices without drivers are logged to the event log. Encryption, access, privacy, transmission protocol, and port: See the section Windows Update and Automatic Updates in this white paper. To view the privacy statement for Windows Update, go to the Web site and click Read our privacy statement:
http://windowsupdate.microsoft.com/ Ability to disable: You cannot disable Device Manager, but you can use Control Panel or Group Policy to prevent hardware wizards from searching for drivers on Windows Update. Alternatively, you can turn off all access to Windows Update.
Controlling Hardware Wizards to Limit the Flow of Information to and from the Internet
To prevent hardware wizards from searching Windows Update for device drivers, you can use either Control Panel or Group Policy. You can also turn off all access to Windows Update by using Group Policy. If you turn off all access to Windows Update, users will still be able to use Device Manager to view information about their hardware devices. For administrators to be able to update drivers there is the option for manually downloading driver updates from the Windows Update Catalog, or from an intranet server, whereby they can be distributed on your managed network as needed. For more information about the Windows Update Catalog, see the Windows Update Web site at: http://windowsupdate.microsoft.com/
Procedures for Controlling Communication Between Hardware Wizards and Windows Update
The procedures for turning off Windows Update device driver searching by using either Control Panel or Group Policy are included here. When you turn off Windows Update device driver searching, Windows XP does not search the Windows Update Web site for device drivers, regardless of any action taken through Device Manager or the hardware wizards. For the procedure to turn off all access to Windows Update or configure automatic updating, see the section Windows Update and Automatic Updates in this white paper.
21
To Turn Off Windows Update Device Driver Searching by Using Control Panel
1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel. 2. Double-click System. 3. In System Properties, click the Hardware tab. 4. Click Windows Update. 5. Click Never search Windows Update for drivers.
To Turn Off Windows Update Device Driver Searching by Using Group Policy
1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings. 3. In the details pane, double-click Turn off Windows Update device driver searching, and then click Enabled. Important You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."
22
Dynamic Update
This section provides information about: The benefits of Dynamic Update How Dynamic Update communicates with sites on the Internet How to control Dynamic Update to limit the flow of information to and from the Internet
Benefits and Purposes of Dynamic Update

With Dynamic Update, Windows XP Setup can check the Windows Update Web site for new Setup files, including drivers and other files, while Windows XP is being installed. In an interactive installation (in contrast to an unattended installation), the person installing Microsoft Windows XP Professional with Service Pack 2 (SP2) chooses whether to allow Dynamic Update to occur. In a managed environment, if you are using Setup (Winnt32.exe) for unattended installation, you can create a shared folder on a server and deliver Dynamic Update files to destination computers from that shared folder (instead of downloading the files directly from the Windows Update Web site to the computer being installed). For additional information about how to do this, see "How Dynamic Update Communicates with Sites on the Internet" and "Controlling Dynamic Update to Limit the Flow of Information to and from the Internet," later in this section. Whenever an important update is made to any crucial Setup file, that update is made available through Dynamic Update functionality built into the Windows Update Web site. Some of the updated files will be replacements (for example, an updated Setup file) and some will be additions (for example, a driver not available at the time that the Setup CD was created). All files on the Dynamic Update section of the Windows Update Web site are carefully tested, and only files that are important in ensuring that Setup runs well are made available. Using Dynamic Update reduces the need to apply patches to recently installed systems, and makes it easier to run Setup with hardware that requires a driver that was recently added or updated on Windows Update. For example, if a new video adapter requires a driver that was recently added to Windows Update, with Dynamic Update, the video adapter is recognized and supported during Setup. Dynamic Update downloads only the files that are required for a particular computer, which means that the Dynamic Update software briefly examines the computer hardware. No personal information is collected, and no information is saved. The only purpose for examining the hardware is to select appropriate drivers for it. This keeps the download time as short as possible and ensures that only necessary drivers are downloaded to the hard disk.
23
Overview: Using Dynamic Update in a Managed Environment

If you do not want Dynamic Update to connect to the Windows Update Web site during the installation of Windows XP, you have several options: Creating a shared folder on a server and delivering Dynamic Update files to destination computers from that shared folder: You can create a shared folder on a server in your organization, download Dynamic Update files to that server, and by using Winnt32.exe for unattended installations, ensure that when Setup for Windows XP with SP2 is run in your organization, Dynamic Update uses the files you placed on the server and does not connect to the Internet. Avoiding Dynamic Update: You can avoid using Dynamic Update, which means Setup will use only the files and drivers provided on the CD for Windows XP with SP2. For more information, see "Avoiding Dynamic Update," later in this section.
The subsections that follow provide more information about these options. For additional sources of information about performing unattended installations, see Appendix A, "Resources for Learning About Automated Installation and Deployment."
How Dynamic Update Communicates with Sites on the Internet

This subsection focuses on the communication that occurs between Dynamic Update and the Windows Update Web site during an interactive installation (or a pre-installation compatibility check) when the computer has access to the Internet. This subsection also provides some description of the default behavior of Dynamic Update with unattended Setup. For information about how you can control the behavior of Dynamic Update during unattended installations, see "Controlling Dynamic Update to Limit the Flow of Information to and from the Internet," later in this section. Specific information sent or received: When Dynamic Update contacts the Windows Update Web site, it sends only the information necessary for appropriate drivers to be selected. In other words, it collects only necessary information about the hardware (devices) on that particular computer. No personal information is collected.
The Setup files and drivers downloaded by Dynamic Update consist only of files that are important in ensuring that Setup runs successfully. Files with minor updates that will not significantly affect setup are not made available through the Dynamic Update section of the Windows Update Web site. Some of the updated files will be replacements (for example, an updated Setup file) and some will be additions (for example, a driver not available at the time that the setup CD was created). Default behavior and triggers:
Dynamic Update may connect to the Internet, depending on how Setup is run. The following two tables provide details. The first table provides contrasting scenarios to show the broad outlines of choices among command-line options and answer file entries. The second table provides details about additional scenarios.
24
Three Contrasting Scenarios for Running or Preventing Dynamic Update Does Dynamic Update Connect to the Internet?
Yes, if you choose to run Dynamic Update.
Scenario
Interactive installation in which you permit Dynamic Update to run Unattended installation in which you prevent Dynamic Update from running Unattended installation in which you create a shared folder on a server and deliver Dynamic Update files to destination computers from that shared folder
Steps to Take and Effect on Dynamic Update

Start Setup from the CD or a network and run it interactively. You are offered the choice of running Dynamic Update or skipping Dynamic Update.
Run Winnt32.exe with the /unattend and /DUdisable command-line options. If the /DUdisable option is used, Dynamic Update is not triggered, regardless of whether an answer file is used. Prepare a shared folder as outlined in "Creating a Shared Folder on a Server and Delivering Dynamic Update Files to Destination Computers from that Shared Folder," later in this section. Then choose one of two methods for handling installations: One method is to run Winnt32.exe with the /DUShare = path_to_downloaded_files option. Dynamic Update uses the folder specified in the /DUShare option and does not connect to the Internet. Another method is to create an answer file that includes an [Unattended] section with an entry that specifies DUShare = path_to_downloaded_files. Run the Winnt32.exe command with the /unattend:answer_file option. Dynamic Update uses the folder specified in the DUShare entry and does not connect to the Internet.
No.
No, Dynamic Update uses the files in the shared folder that you created.
Additional Scenarios for Running or Preventing Dynamic Update Does Dynamic Update Connect to the Internet?
Yes, if you choose to run Dynamic Update.
Scenario
Pre-installation compatibility check
Steps to Take and Effect on Dynamic Update

Insert the Setup CD and choose the appropriate options for checking system compatibility. You are offered the choice of running Dynamic Update or skipping Dynamic Update. Run the Winnt32.exe command with the /unattend option, but do not provide the name of an answer file and do not specify /DUdisable or any other options that affect Dynamic Update. Dynamic Update is triggered under these conditions for both unattended installation and unattended upgrade.
Unattended Setup in which you do not use an answer file and you allow Dynamic Update to run
Yes.
25
Unattended Setup in which you use an answer file and you allow Dynamic Update to run
Create an answer file that includes an [Unattended] section with an entry that specifies DUDisable = No. Run the Winnt32.exe command with the /unattend:answer_file option. Dynamic Update is triggered. (However, note that if you run Winnt32.exe from the command line with the /DUdisable option, Dynamic Update is always prevented from running.) Run the Winnt32.exe command with the /unattend:answer_file command-line option. By default, if the answer file does not specify any options that affect Dynamic Update, Dynamic Update is disabled.
Yes.
Unattended Setup in which you prevent Dynamic Update by creating an answer file that does not specify any options that affect Dynamic Update
No.
User notification: During an interactive installation, the user is notified when the choice of whether to run Dynamic Update is offered. During an unattended installation, there is no notification (unattended installation by definition means that no user interaction is required). Logging: By default, the progress of Setup is logged in systemroot\Winnt32.log. By using command options for the Winnt32.exe command, you can control the name of the log and the level of detail it contains. Encryption: The data is transferred from Microsoft using HTTPS. Access: No information about the hardware (devices) on a particular computer is saved or stored, so no one can access this information. The information is used only to select appropriate drivers. Privacy: Dynamic Update is covered by the same policy that covers Windows Update. To view the privacy statement for Windows Update, go to the Web site and click Read our privacy statement:
http://windowsupdate.microsoft.com/ Transmission protocol and port: The transmission protocol is HTTPS and the port is 443. Ability to disable: You can control the behavior of Dynamic Update by running Setup in specific ways, as shown in the previous table. (Of course you can also disable Dynamic Update by preventing access to the Internet, or by blocking HTTPS over port 443.)
If you do not want to disable Dynamic Update but only want to prevent it from communicating with an Internet site, as noted earlier, you can create a shared folder on a server and deliver Dynamic Update files to destination computers from that shared folder.
Controlling Dynamic Update to Limit the Flow of Information to and from the Internet
As summarized in "Overview: Using Dynamic Update in a Managed Environment," earlier in this section, if you do not want Dynamic Update to connect to the Windows Update Web site during the installation of Windows XP, you have several options. With the appropriate methods for unattended installation, you can create a shared folder on a server and deliver Dynamic Update
26
files to destination computers from that shared folder. Another alternative is to avoid using Dynamic Update at all.
Creating a Shared Folder on a Server and Delivering Dynamic Update Files to Destination Computers from that Shared Folder
This subsection briefly describes the steps for creating a shared folder on a server and delivering Dynamic Update files to destination computers from that shared folder. The subsection also provides links to more detailed information. The steps can be summarized as follows: Step 1: Determine what packages you need to download from the Windows Update Web site. Step 2: Download the packages and prepare them and the folder they are in for use with Dynamic Update. This step includes extracting files and placing them in folders, as well as running Winnt32.exe with the /duprepare option, which creates subfolders and copies appropriate files to those subfolders. This step also requires other actions, such as sharing the folder and setting permissions. Step 3: Configure the answer file and Winnt32.exe settings for Dynamic Update (and for any other configuration options you want). Step 4: Run the unattended installations.
For more detailed information about performing the preceding steps, see the Microsoft Windows Server 2003 Deployment Kit, specifically the book titled Automating and Customizing Installations. To view the Microsoft Windows Server 2003 Deployment Kit, see the Microsoft Windows Server 2003 Web site at: http://go.microsoft.com/fwlink/?linkid=29887 Similar information is available in the Dynamic Update article on the Microsoft Web site at: http://go.microsoft.com/fwlink/?linkid=29313 For additional sources of information about performing unattended installations, see Appendix A, "Resources for Learning About Automated Installation and Deployment."
Avoiding Dynamic Update

You can avoid using Dynamic Update, which means that Setup will use only the files and drivers provided on the CD for Windows XP with SP2. The method by which you avoid using Dynamic Update depends on how you are performing the installation: Interactive installation: During interactive installation (not unattended installation), you can select No when offered the option to use Dynamic Update. As an alternative, you can ensure that the computer does not have Internet access. Unattended Setup: Dynamic Update is disabled when you run Setup in specific ways, as shown in the tables in "How Dynamic Update Communicates with Sites on the Internet," earlier in this section. As the tables show, the simplest way to ensure that Dynamic Update does not run during unattended Setup is to use the /DUdisable option in the command line. This ensures that Dynamic Update will not occur during the installation.
27
How avoiding Dynamic Update or directing Dynamic Update to a server on your network can affect users and applications
Regardless of whether you use Dynamic Update, you can obtain updated system and driver files after installations are complete (for example, through Windows Update or a service pack). Allowing Dynamic Update to run during Setup, however, helps ensure Setup success. If you create a shared folder on a server and deliver Dynamic Update files to destination computers from that shared folder (instead of downloading the files directly from Windows Update to the computers), you can control the exact set of updated files to be installed. By contrast, when you download the current set of Dynamic Update files directly from the Windows Update Web site to users computers, you might introduce inconsistencies among your destination computers because the Windows Web Site is periodically updated, and you cannot control when these updates occur.
Procedures for Controlling Dynamic Update

For detailed descriptions of Dynamic Update and procedures for controlling it, see the Microsoft Windows Server 2003 Deployment Kit, specifically the book titled Automating and Customizing Installations. To view the Microsoft Windows Server 2003 Deployment Kit, see the Microsoft Windows Server 2003 Web site at: http://go.microsoft.com/fwlink/?linkid=29887 Similar information is available in the Dynamic Update article on the Microsoft Web site at: http://go.microsoft.com/fwlink/?linkid=29313
28
Event Viewer
This section provides information about: The benefits of Event Viewer How Event Viewer communicates with sites on the Internet How to control Event Viewer to prevent the flow of information to and from the Internet
Benefits and Purposes of Event Viewer

Administrators can use Event Viewer to view and manage event logs. Event logs contain information about hardware and software problems and about security events on your computer. A computer running Microsoft Windows XP Professional with Service Pack 2 (SP2) records events in three kinds of logs: application, system, and security. While Event Viewer is primarily a tool for administrators to manage event logs, users can also view application and system logs on their computer. Only administrators can gain access to security logs.
Overview: Using Event Viewer in a Managed Environment

Users can access event logs for their own computers through Control Panel\Administrative Tools\Event Viewer. The user can obtain detailed information about a particular event by either double-clicking the event or selecting the event and clicking Properties on the Action menu. The dialog box gives a description of the event, which can contain one or more links to Help. Links can either be to Microsoft servers or to servers managed by the software vendor for the component that generated the event. On Windows XP with SP2, most events that originate from Microsoft products will have standard text containing a URL at the end of the description ("For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp"). When users click the link, they are asked to confirm that the information presented to them can be sent over the Internet. If the user clicks Yes, the information listed will be sent to the Web site named in the link. The parameters in the original URL will be replaced by a standard list of parameters whose contents are detailed in the confirmation dialog box. This list is provided in the next subsection under "Specific Information Sent or Received." You may want to prevent users from sending this information over the Internet through this link and accessing a Web site. Alternatively, you may want to redirect the requests that result from users clicking links in Event Viewer so that the requests go to a Web server in your organization. In Windows XP with SP2, you can do either of these things through Group Policy.
29
How Event Viewer Communicates with Sites on the Internet

In order to access the relevant Help information provided by the link in the Event Properties dialog box, the user must send the information listed about the event. The collected data is confined to what is needed to retrieve more information about the event from the Microsoft Knowledge Base. User names and e-mail addresses, names of files unrelated to the logged event, computer addresses, and any other forms of personally identifiable information are not collected. The exchange of information that takes place over the Internet is as follows: Specific information sent or received: Information about the event sent over the Internet includes the following: Company name (software vendor) Date and time Event ID (for example, 1704) File name and version (for example, userenv.dll, 5.1.2600.1106) Product name and version (for example, Microsoft Windows Operating System, 5.1.2600.1106) Registry source (for example, userenv) Type of event message (for example, Error)
The information the user receives is from the Web site named in the link. Default settings: Access to Event Viewer is enabled by default. Triggers: The user chooses to send information about the event over the Internet in order to obtain more information about the event. User notification: When a user clicks the link, a dialog box listing the information that will be sent is provided. Logging: This is a feature of Event Viewer. Encryption: The information may or may not be encrypted, depending on whether the link uses HTTP or HTTPS. Access: No information is stored. Privacy: In Event Viewer, click Help, click Help Topics, click the Search tab, and type privacy statement. Transmission protocol and port: Communication occurs over the standard port for the protocol in the URL, using either HTTP or HTTPS. Ability to disable: The ability to send information over the Internet or to be linked to a Web site can be prevented through a Group Policy setting.
30
Controlling Event Viewer to Prevent the Flow of Information to and from the Internet
You can prevent users from sending information across the Internet and accessing Internet sites through Event Viewer by configuring Group Policy. Alternatively, you can redirect the requests that result from users clicking links in Event Viewer so that the requests go to a Web server in your organization. You can do these things by configuring Group Policy. These Group Policy settings affect only the flow of information to and from an intranet or the Internet through Event Viewer, not the other functions of Event Viewer.
Procedures for Preventing the Flow of Information to and from the Internet Through Event Viewer
The following procedure tells how to use Group Policy to prevent users from sending information across the Internet and accessing Internet sites through Event Viewer.
To Use Group Policy to Prevent the Flow of Information to and from the Internet Through Event Viewer
1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings. 3. In the details pane, double-click Turn off Event Viewer "Events.asp" links, and then click Enabled. Important You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key." The following procedure tells how to use Group Policy to redirect the requests that result from users clicking links in Event Viewer so that the requests go to a Web server in your organization.
To Use Group Policy to Redirect Links in Event Viewer to a Web Server in Your Organization
1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click Windows Components, and then click Event Viewer.
31
3. In the details pane, double-click Events.asp URL, click Enabled, and then type in the URL for the Web page that you want Event Viewer links to go to. Click OK. 4. In the details pane, double-click Events.asp program, click Enabled, and then type the path for the program that should be used for displaying the URL that you typed in the previous step. If you want the page to be displayed in the Web browser and the Web browser is in the system path, you can type the name of the Web browser executable alone, for example, iexplore.exe. 5. In the details pane, double-click Events.asp program command line parameters, click Enabled, and then type any command line parameters required for the program you typed in the previous step. If the program you typed in the previous step does not use parameters, clear the text box. Note Even after the preceding settings go into effect, when users click a link in Event Viewer, the user notification still appears, stating that Event Viewer will send information across the Internet and asking for confirmation. Regardless of the user notification, if you carry out the preceding procedure and redirect events to a Web server in your organization, the information goes to that server, not across the Internet.
32
File Association Web Service

This section provides information about: The benefits of the file association Web service How the file association Web service communicates with sites on the Internet How to control the file association Web service to limit the flow of information to and from the Internet
Benefits and Purposes of the File Association Web Service

The file association Web service in Microsoft Windows XP Professional with Service Pack 2 (SP2) extends the scope of information stored locally by the operating system about file name extensions, file types, and the applications or components to use when opening a particular file type. Both the locally stored information and the file association Web service are intended to provide the user with the ability to open (double-click) a file without having to specify which application or component to open it with. The operating system associates the file name extension (for example, .txt or .jpg) with a file type, and it opens each file type with the application or component specified for that file type. For example, file name extensions .htm and .html are both "HTML Document" file types. The operating system first checks for the file association information locally. If no local information is available about the file name extension and its associated file type, the operating system offers the user the option of looking for more information on a Microsoft Web site. For details about the URL for this Web site, see "How the File Association Web Service Communicates with Sites on the Internet," later in this section.
Overview: Using the File Association Web Service in a Managed Environment

To limit the flow of information from the file association Web service to the Internet, you have several options. You can use firewall settings, you can disable the file association Web service using Group Policy, you can configure automatic server-based software installation through Group Policy, and you can train users so that they understand how to specify an association between a file type and the application or component that is used to open that file type. You can also use scripts to limit the file types that users can store, view, or use, which will limit the likelihood that users will need to obtain information about those file types.
How the File Association Web Service Communicates with Sites on the Internet
The file association Web service communicates with sites on the Internet as follows: Specific information sent or received: If the operating system does not find local information about a file name extension, it offers the user the option of sending a query to look for more information on a Microsoft Web site. The site is language-
33
specific. The file name extension that the user double-clicks is appended to the query. The query takes the following form: http://shell.windows.com/fileassoc/nnnn/xml/redir.asp?Ext=AAA where nnnn is a hexadecimal value used in Windows XP to map to a language identifier (that is, to an RFC1766 identifier), and AAA is the file name extension for which information is needed. An example of a hexadecimal value and its corresponding language identifier is 0409 for en-us, English (United States). Notes For more information about these hexadecimal values, see information about the multiple language (MLang) registry settings on the MSDN Web site at: http://go.microsoft.com/fwlink/?linkid=29165 To search for information about MLang registry settings or the Microsoft Internet Explorer Multiple Language application programming interface (MLang API), use the Search tool on the MSDN Web site at: http://msdn.microsoft.com/ Default setting and ability to disable: The service is enabled by default. It can be disabled by using Group Policy, as described in "Disabling the file association Web service," later in this section.
There are ways of reducing the likelihood that a person will trigger the file association Web service. One basic way is to configure automatic, server-based software installation based on Group Policy settings. For more information, see article 816102, HOW TO: Use Group Policy to Remotely Install Software in Windows Server 2003, in the Microsoft Knowledge Base at: http://go.microsoft.com/fwlink/?linkid=29166 Trigger and user notification: When the user tries to open a file (for example, by double-clicking the file), and there is no local information about the correct application or component to use when opening the file, the operating system offers the user the option either to "Use the Web service to find the appropriate program" or to "Select the program from a list." Logging: No events are logged by the file association Web service. Encryption, storage, and privacy: The file name extension sent in a query to the Internet is not encrypted. Nothing in the query identifies the user. If the local computers browser is configured to store information about recently visited Internet sites, the browser will store the query containing the file name extension. Otherwise, the query containing the file name extension is not stored anywhere. Transmission protocol and port: The transmission protocol is HTTP and the port is 80.
Controlling the File Association Web Service to Limit the Flow of Information to and from the Internet
If you want to limit the flow of information from the file association Web service to the Internet, you can use one or more of the following methods: Use your firewall to block access to any Web site that contains the following string:
34
http://shell.windows.com/fileassoc/ Disable the file association Web service by using Group Policy, as described in "Disabling the file association Web service," later in this section. Configure automatic, server-based software installation. To do this, configure one or more servers with the Software Installation extension of Group Policy in Windows Server 2003. When you do this, if a user tries to open a file for which the corresponding application is not installed locally, a copy of the application (stored on a server) is installed automatically. In this situation, the file association Web service will not be triggered. For more information, see article 816102, HOW TO: Use Group Policy to Remotely Install Software in Windows Server 2003, in the Microsoft Knowledge Base at:
http://go.microsoft.com/fwlink/?linkid=29166 Train users to work with file associations as follows: Instruct users that an association exists (stored by the local operating system) between a file name extension, a file type, and the application or component that is used to open that file type. Provide users with information about the file name extensions for the files they need to work with most often, the file type for each extension, and the application that should be used to open each file type. For example, file name extensions .htm and .html are both "HTML Document" file types. Show users how to use Control Panel, Folder Options, and the File Type tab in Folder Options to associate a file name extension with a file type, and a file type with an application. Explain to them that the operating system stores this information on the local computer. Instruct users to always click Select the program from a list if they see a message box offering the two options, Use the Web service to find the appropriate program or Select the program from a list. Use scripts to scan your organizations computers for file types that you do not want users to store, view, or use. Take actions to ensure that these files do not remain on individual computers hard disks. If unwanted file types do not exist on the hard disks, it decreases the need for the user to obtain information about the file name extension used for that file type.
How Using a Firewall to Block Access to the File Association Web Site Can Affect Users
If you use your firewall to keep users from gaining access to http://shell.windows.com/fileassoc/, users will require other sources of information in order to work with unfamiliar file types. For example, if users in the normal course of work are sent a file with an unfamiliar file name extension, and the operating system does not have locally stored information about that file name extension (or about the file type, or the application or component to use when opening the file), users will need other sources of information to work with the file, such as a document posted on your organizations intranet.
35
Procedures that Limit Internet Communication Generated by the File Association Web Service
This section contains the following information: A procedure for disabling the file association Web service by using Group Policy. Procedures that can be used as a basis for training users about file name extensions, file types, and the application or component that the operating system uses when opening a specific file type.
Disabling the File Association Web Service

The following procedure explains how to disable the file association Web service by using Group Policy.
To Disable the File Association Web Service by Using Group Policy

1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, click Computer Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, click User Configuration. 3. Click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings. 4. In the details pane, double-click Turn off Internet File Association service, and then click Enabled. Important You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management or in User Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."
Specifying Associations Between File Name Extensions, File Types, and Applications or Components
You can use the following procedures as a basis for training users about file name extensions, file types, and the application or component that the operating system uses when opening a specific file type.
36
To Associate a File Name Extension with a File Type

1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel. 2. Double-click Folder Options, and then click the File Types tab. 3. Click New. 4. Type a new or existing file name extension, and then click Advanced. 5. In Associated File Type, do one of the following: Type or select New to create a file type to associate with the file name extension. Type or select a different file type to associate with the extension.
Note When you type a file name extension in the Create New Extension dialog box, the Associated File Type list displays the file type that is associated with that extension. To select New, scroll to the top of the list.
To Associate a File Name Extension with an Application

1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel. 2. Double-click Folder Options, and then click the File Types tab. 3. Under Registered file types, click a file type. 4. Click Change, and then choose the application you want to use to open this file.
Related Links
For more information about automatic server-based software installation based on Group Policy settings, see article 816102, HOW TO: Use Group Policy to Remotely Install Software in Windows Server 2003, in the Microsoft Knowledge Base at: http://go.microsoft.com/fwlink/?linkid=29166
37
Help and Support Center: The Headlines and Online Search Features
This section provides information about: The benefits of the Headlines and Online Search features in Help and Support Center How the Headlines and Online Search features communicate with sites on the Internet How to control the Headlines and Online Search features to limit the flow of information to and from the Internet
Benefits and Purposes of Headlines and Online Search

Help and Support Center is a self-help portal that was first included in Microsoft Windows Millennium Edition. It is also included in all versions of Windows XP, including Windows XP Professional with Service Pack 2 (SP2). Users access Help and Support Center in a number of ways, including: Selecting Help and Support from the Start menu. Selecting Help and Support from the Help menus for Control Panel, Windows Explorer, My Network Places, My Pictures, My Computer, My Music, or My Documents.
Headlines
A useful feature of Help and Support Center is the Headlines area. This area is typically titled "Did you know?" and is usually located in the lower-right corner of the main window, unless the window has been customized by the OEM or modified for certain languages. A page in Help and Support Center with more Headlines is exposed to users when they click the "View more headlines" hyperlink at the bottom of the "Did you know?" section. Headlines provides a dynamic source of content that users can visit frequently to find help and support on current issues as well as those that were known at the time the operating system was released. For example, it may display links to topics that inform the user about new security bulletins, software updates, or new Help content.
Online Search
Online Search, another useful feature of Help and Support Center, enables users to query online Web sites automatically when performing a search. By default, the Microsoft Knowledge Base is designated as one of the Web sites for online searches. OEMs often customize the Online Search feature by, for example, adding a check box to the search window to enable the search engine to query their OEM-specific Web sites for results. To produce the most informative results when querying the Microsoft Knowledge Base, certain information such as the version of the product installed is collected from the users computer and uploaded to the servers hosting the Microsoft Knowledge Base.
38
Overview: Using Headlines and Online Search in a Managed Environment

By using Group Policy or using the Windows user interface, you can control the extent to which the Headlines and Online Search features access the Internet. More details on the methods and procedures for controlling these features are described in the following subsections.
How Headlines and Online Search Communicate with Sites on the Internet
Headlines
The Headlines area is updated only when there is Internet connectivity. The user is not required or prompted to connect to the Internet. Help and Support Center uses information contained in the NewsSet.xml file (stored in the systemroot\PCHealth\Helpctr\Config folder) on the users computer to determine: Whether or not to update the Headlines area How frequently to update the Headlines area Where on the Internet to obtain the Headlines updates
This subsection summarizes the communication process: Specific information sent or received: If there is Internet connectivity, when the user starts Help and Support Center, the Help and Support service (helpsvc) compares the current date to the date specified by the TIMESTAMP attribute in the NewsSet.xml file and calculates the total number of days that have elapsed since the last time Headlines was successfully updated.
Then, if the number of elapsed days is greater than the number of days specified by the FREQUENCY attribute in NewsSet.xml, the Help and Support service connects to the Web site specified by the URL attribute and downloads an updated version of the file NewsVer.xml to the systemroot\PCHealth\Helpctr\Config\News folder. The user is not uniquely identified. Note For Headlines supplied by Microsoft, the URL attribute in NewsSet.xml is: http://go.microsoft.com/fwlink/?LinkID=11 For Windows XP, this currently redirects the user to the following site: http://windows.microsoft.com/windowsxp/newsver.xml The downloaded NewsVer.xml file contains links to the news content files (news blocks) for the Windows XP operating system and the installed language. These news blocks contain the information used to update the Headlines areathat is, links to and descriptions of the latest information from Help and Support Center, Windows, or support-related articles posted on Microsoft Web sites, such as the Windows XP site (http://www.microsoft.com/windowsxp/).
Note If the OEM has customized the Headlines feature, then the OEM-supplied Headlines may have links to the OEMs Web site. If there is no Internet connectivity, Help and Support Center displays an offline message in the Headlines area similar to the following:
39
When you are connected to the Internet, this area will display links to timely help and support information. If you want to connect to the Internet now, start the New Connection Wizard and see how to establish a Web connection through an Internet service provider. Default and recommended settings: The Headlines feature is enabled by default. Recommended settings are described in the next subsection, "Controlling Headlines and Online Search to Limit the Flow of Information to and from the Internet." Triggers: The Headlines feature is automatically triggered if there is Internet connectivity when the user starts Help and Support Center. User notification: Users are not given the choice to select whether or not to update the Headlines area before an update is performed. An "Updating " status indicator is displayed in the Headlines area, however, to indicate when an update is being performed. Once Help and Support Center has completed checking for new headlines, the Headlines area is labeled "Updated: date," where date is the current date. Logging: No information related to Headlines is entered into the event log. Encryption: The data transferred to Microsoft is not encrypted. Access: The only data generated on servers at Microsoft from the process of updates to the Headlines area is a single number telling how many times a connection has been made, by any computer, to the link that supports Headlines updates. No computer is identified in the process of a Headlines update. The data can be viewed by the Microsoft group that provides support for the link through which Headlines is updated. Transmission protocol and port: The transmission protocol used is HTTP and the port is 80. Ability to disable: You can disable Headlines by using Group Policy. For more information, see "Procedure for Disabling Headlines and Online Search," later in this section.
Online Search
Online Search can only query online Web sites like the Microsoft Knowledge Base when there is Internet connectivity. Users are neither required nor prompted to connect to the Internet. When a user performs a search in Help and Support Center, if search options have been set to search the Microsoft Knowledge Base or an OEM-designated Web site, the search engine automatically searches the specified site. This subsection summarizes the communication process: Specific information sent or received: To produce relevant results when querying the Microsoft Knowledge Base, certain information is collected from the users computer and uploaded to a server at Microsoft that hosts the Microsoft Knowledge Base. The user is not uniquely identified. Following is a list of the information collected: The search text string entered by the user The language code of the operating system The product Knowledge Base to be searched (for example, Windows XP or Outlook)
40
The version of the operating system installed (for example, Home Edition or Professional) The number of results the user has indicated that they want in their result set Titles field status (indicates whether or not to search the article title only) Type field status (indicates whether to search using "all" or "any" of the search string) Default and recommended settings: Online Search is enabled by default. Recommended settings are described in the next subsection, "Controlling Headlines and Online Search to Limit the Flow of Information to and from the Internet." Triggers: Online Search is automatically triggered if the search options are left at the default or are set to encompass searches on the Internet. (Online Search is also dependent on having Internet connectivity when the search is performed.) User notification: Users are not notified before Help and Support Center performs an Online Search. A permanent headline is provided in the Headlines area that instructs users about setting their Online Search options, including how to turn the feature off. Logging: No information related to Online Search is entered into the event log. Encryption: The data transferred to Microsoft is not encrypted. Access: The data uploaded to the server at Microsoft is aggregated and clustered. Information about the most common queries is later made available to the Windows Product Support Services and Windows User Assistance teams to help in developing new content or in revising existing content. Privacy: Microsoft does not retrieve any personally identifiable information from a user's computer during an online search. A permanent headline is provided in the Headlines area that instructs users about setting their Online Search options, including how to turn the feature off. Transmission protocol and port: The transmission protocol used is HTTP and the port is 80. Ability to disable: You can disable Online Search by using Group Policy or through the Help and Support Center user interface.
Controlling Headlines and Online Search to Limit the Flow of Information to and from the Internet
The following tables describe Group Policy settings and other configuration options for both Headlines and Online Search. For more information, see "Procedures for Disabling Headlines and Online Search," later in this section. Configuration Settings for Headlines and Online Search
Headlines: Configuration Tool Group Policy
Setting In Computer Configuration\Administrative Templates\System\Internet Communication
Result Help and Support Center no longer retrieves text for the
41
Management\Internet Communication settings, enable Turn off Help and Support Center "Did you know?" content.
Headlines area and instead replaces it with white space.
Online Search: Configuration Tool Help and Support Center user interface (Set Search Options pane)
Setting Clear any check boxes for querying the Microsoft Knowledge Base or OEM Web sites for results.
Result Disables online searches. The search results window neither displays an area for the online Web sites (such as the Microsoft Knowledge Base) nor returns any search results from online Web sites. Removes the Knowledge Base section from the Help and Support Center Set search options page. Searches for information from Help topics are performed locally only.
Group Policy
In Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings, enable Turn off Help and Support Center Microsoft Knowledge Base search.
Headlines and Online Search: Configuration Tool Firewall
Setting Block HTTP port 80.
Result Displays offline message text in Headlines area. The search results window displays an area for the online Web sites (such as the Microsoft Knowledge Base), but it does not return any search results from online Web sites.
How Controlling Headlines and Online Search Can Affect Users and Applications
The Headlines area provides a good way for users to obtain up-to-date solutions to common problems, updated self-help content, and information about software and driver updates. If you decide to disable the Headlines feature, the Headlines ("Did you know?") area in the Help and Support Center user interface will be blank and links to new content or software update notifications will never be presented to the user. The Online Search feature enables users to obtain help from online Web sites and can often reduce the support load on the internal Help desk. If you decide to disable the Online Search feature, users will only be able to query local Help content. Disabling Headlines and Online Search will not affect any other applications.
42
Procedures for Disabling Headlines and Online Search

The following procedures describe how to: Disable the Headlines feature by using Group Policy Disable the Online Search feature on individual computers Disable the Online Search feature by using Group Policy
To Disable the Headlines Feature by Using Group Policy

1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings. 3. In the details pane, double-click Turn off Help and Support Center "Did you know?" content, and then click Enabled. Important You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."
To Disable the Online Search Feature on Individual Computers

1. Click Start, and then click Help and Support. 2. Below the Search box, click Set search options. 3. Clear the Microsoft Knowledge Base check box and any other check boxes below it. For example, the manufacturer of your computer may have added a check box to enable your search to query their Web site for results. 4. Close Help and Support Center.
To Disable the Online Search Feature by Using Group Policy

1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings. 3. In the details pane, double-click Turn off Help and Support Center Microsoft Knowledge Base search.
43
Important You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."
44
HyperTerminal
This section provides information about: The benefits of HyperTerminal How HyperTerminal communicates with sites on the Internet How to control HyperTerminal to prevent the flow of information to and from the Internet
Benefits and Purposes of HyperTerminal

HyperTerminal is a program that you can use to connect to other computers, Telnet sites, bulletin board systems (BBSs), online services, and host computers. HyperTerminal connections are made using a modem, a null modem cable (used to emulate modem communication), or an Ethernet connection. HyperTerminal has capabilities beyond making connections to other computers. It can, for example, transfer large files from a computer onto your portable computer using a serial port rather than requiring you to set up your portable computer on a network. It can help debug source code from a remote terminal. It can also communicate with many older, character-based computers. HyperTerminal records the messages passed to and from the computer or service on the other end of your connection. It can therefore serve as a valuable troubleshooting tool when setting up and using your modem. To make sure that your modem is connected properly or to view your modem's settings, you can send commands through HyperTerminal and check the results. HyperTerminal also has scroll functionality that enables you to view received text that has scrolled off the screen. Note HyperTerminal is designed to be an easy-to-use tool yet it is not meant to replace other full-featured tools. You can use HyperTerminal as described in this subsection, but you should not attempt to use HyperTerminal for more complex communication. For more information about what HyperTerminal does and does not support, see the list of frequently asked questions on the Hilgraeve Web site at: http://go.microsoft.com/fwlink/?linkid=29890 (Web addresses can change, so you might be unable to connect to the Web site mentioned here.)
Overview: Using HyperTerminal in a Managed Environment

In a managed environment, you might choose to disable HyperTerminal. With Windows XP Service Pack 2 (SP2), you can disable HyperTerminal in different ways: You can use Group Policy to prevent users from running Hypertrm.exethat is, from starting HyperTerminal.
45
You can remove visible entry points to HyperTerminal during unattended installation by creating an answer file.
Following are a few security issues to consider when deciding how to configure HyperTerminal for your organization: Viruses: Incoming files might contain viruses or malicious programs that could compromise or destroy data on your computer. To reduce this risk, use virus-scanning software and ensure that incoming files are from a reliable and trusted source. ID and password: HyperTerminal cannot automatically provide your login ID and password when you make a connection. If you provide a password when using HyperTerminal for a Telnet session, be aware that this password will be sent to the remote computer using plaintext (as with all Telnet connections). Automatic download: The automatic download feature of the Zmodem protocol can pose a security risk by allowing remote users to send files to your computer without your explicit permission. To avoid this risk, you should select a protocol other than Zmodem in the Receive File dialog box or you should clear the Allow remote host-initiated file transfers check box on the Settings tab of Connection Properties.
Complete information about concepts and procedures associated with using or configuring HyperTerminal is beyond the scope of this white paper. For more information, start HyperTerminal, click Help, and then click Help Topics.
How HyperTerminal Communicates with Sites on the Internet

The exchange of information that takes place during the HyperTerminal connection is as follows: Specific information sent or received: When using HyperTerminal for Telnet connectivity, the user ID and password are sent in plaintext format (as with all Telnet connections). If files are being transmitted, only the protocol, terminal emulation data, and file-specific binaries are sent. The computer running HyperTerminal is identified by its IP address when the connection type is TCP/IP. The computer is not uniquely identified when the connection type is not TCP/IP. Default settings: HyperTerminal is installed by default on computers running Windows XP Professional with SP2. To remove or uninstall HyperTerminal, see "Controlling HyperTerminal to Prevent the Flow of Information to and from the Internet," later in this section. Triggers: When HyperTerminal is set to automatically answer incoming connections, a file transfer can be initiated if the Zmodem transfer protocol is used. Otherwise, communication through HyperTerminal is only triggered when the user deliberately initiates it. User notification: After a user starts a HyperTerminal connection session, the status of the connection that is currently open within HyperTerminal is displayed in the HyperTerminal title bar. The status of the file and text transfer is displayed in the HyperTerminal window during the transfer process. HyperTerminal does not display connection or transfer status information when the automatic download feature of the Zmodem protocol is used. For more information about the HyperTerminal automatic download feature, see "Overview: Using HyperTerminal in a Managed Environment," earlier in this section.
46
Encryption: Information sent or received by HyperTerminal is not encrypted. Transmission protocol and port: The protocols used are Kermit, Xmodem, Xmodem1K, Ymodem, Ymodem-G, and Zmodem transmissions protocols on port 23. Ability to disable: You can disable HyperTerminal by using the procedures in "Controlling HyperTerminal to Prevent the Flow of Information to and from the Internet," later in this section.
Controlling HyperTerminal to Prevent the Flow of Information to and from the Internet
HyperTerminal is installed by default on all computers running Windows XP with SP2. The following procedures provide steps for disabling HyperTerminal.
To Prevent Users from Starting HyperTerminal by Using Group Policy

1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO. 2. In Group Policy, click User Configuration, click Administrative Templates, and then click System. 3. In the details pane, double-click Dont run specified Windows applications. 4. Click Enabled, click Show, click Add, and then type the executable name: Hypertrm.exe
To Exclude HyperTerminal During Unattended Installation by Using an Answer File

1. Using the methods you prefer for unattended installation or remote installation, create an answer file for the computers you plan to install. For more information about unattended and remote installation, see Appendix A, "Resources for Learning About Automated Installation and Deployment." 2. In the [Components] section of the answer file, include the following entry: hypertrm = Off
Related Links
For more information about unattended and remote installation, see Appendix A, "Resources for Learning About Automated Installation and Deployment." For more information about what HyperTerminal does and does not support, see the HyperTerminal list of frequently asked questions on the Hilgraeve Web site at:
http://go.microsoft.com/fwlink/?linkid=29890
47
Internet Explorer 6
This section provides information about: The benefits of Microsoft Internet Explorer 6 in Windows XP Professional with Service Pack 2 (SP2). Steps for planning and deploying configurations for Internet Explorer 6 in a way that balances your users requirements for Internet access with your organizations requirements for protection of networked assets. Examples of the security-related features offered in Internet Explorer 6 (as compared to Internet Explorer 5). Resources for learning about topics related to security in Internet Explorer 6. This includes resources that help you learn about: Security and privacy settings in Internet Explorer 6. Mitigating the risks inherent in Web-based applications and scripts. Methods for deploying specific configurations of Internet Explorer 6 across your organization using Group Policy, the Internet Explorer Administration Kit (IEAK), or both.
Information about removing all visible entry points to Internet Explorer 6 in Windows XP Professional with SP2, for situations where you do not want users to have access to Internet Explorer, or where you want users to use another Web browser exclusively. There are several ways to do this: During unattended installation. Through Add or Remove Programs in Control Panel. With Set Program Access and Defaults, through which the administrator of a computer running Windows XP with SP2 can specify which Web browser is shown on the Start menu, desktop, and other locations. Information about setting the security level to High for specific Web sites.
Notes This section of the white paper describes Internet Explorer 6, but does not describe the related components Outlook Express 6 (the e-mail component in Windows XP), the New Connection Wizard, or the error reporting tool in Internet Explorer. For information about these components, see the respective sections of this white paper (the error reporting tool in Internet Explorer is described in the "Windows Error Reporting" section of this white paper). Also note that the New Connection Wizard replaces the Network Connection Wizard and the Internet Connection Wizard in Windows 2000. It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization where users connect to Web sites, run software from the Internet, download items from the Internet, and perform similar actions. This section, however, provides overview information as well as suggestions for other sources of information about how to
48
balance users requirements for Internet access with your organizations requirements for protection of networked assets. For more information about Internet Explorer, see the following resources: Help for Internet Explorer (with Internet Explorer open, click the Help menu and select an appropriate option) The Internet Explorer page on the Microsoft Web site at:
http://www.microsoft.com/windows/ie/ The Resource Kit for Internet Explorer. To learn about this and other Resource Kits, see the Microsoft TechNet Web site at:
http://go.microsoft.com/fwlink/?linkid=29894 The privacy statement for the version of Internet Explorer in Windows XP SP2. This privacy statement is on the Microsoft Web site at:
http://go.microsoft.com/fwlink/?LinkId=28456
Benefits and Purposes of Internet Explorer 6

Internet Explorer 6 in Windows XP Professional with SP2 is designed to make it easy to browse and interact with sites on an intranet or on the Internet. It differs from most of the other components described in this white paper in that its main function is to communicate with sites on the Internet or an intranet (which contrasts with components that communicate with the Internet in the process of supporting some other activity). Internet Explorer 6 is also designed to be highly configurable, with security and privacy settings that can protect your organizations networked assets while at the same time providing users with access to useful information and tools. Internet Explorer 6 offers more security-related options and settings than were available in Internet Explorer 5. With an understanding of the settings and options available in Internet Explorer 6, you can choose the settings appropriate to your organizations requirements and create a plan for one or more standard Internet Explorer configurations. After planning your standard configurations, you can use deployment tools to deploy and maintain them. The subsections that follow provide more information about these steps.
Steps for Planning and Deploying Configurations for Internet Explorer 6

This section outlines a list of steps that can help you deploy Internet Explorer 6 in a way that provides users with Internet access, while at the same time providing your organizations networked assets with an appropriate level of protection from the risks inherent in the Internet. (If you prefer to remove all visible entry points to Internet Explorer, see "Procedures for Removing Visible Entry Points to Internet Explorer in Windows XP with SP2," later in this section.) A recommended set of steps is: Assess the other elements in your security plan that will work together with Internet Explorer 6 to provide users with access to the Internet while still providing an
49
appropriate degree of protection for your organizations networked assets. These elements include: Your proxy server. Your firewall. Your basic security measures, as described in the introduction to this white paper. These security measures include using virus-protection software and setting requirements for strong passwords.
It is beyond the scope of this white paper to provide detailed recommendations for these security elements. For more information about security, see the references listed in the introduction, as well as the documentation for your proxy server, firewall, virus-protection software, and other software you use to protect networked assets. Learn about the security-related features offered in Internet Explorer 6, some of which are described in "Examples of the Security-Related Features Offered in Internet Explorer 6," later in this section. Using information about these features, identify the ones of most value for your business and security requirements. Learn how to configure security settings in Internet Explorer 6, as described in "Learning About Security and Privacy Settings in Internet Explorer 6," later in this section. Learn about ways to mitigate the risks inherent in code that can be run through a browser, as described in "Learning About Mitigating the Risks Inherent in Web-based Applications and Scripts," later in this section. After gathering information about the previous three items (security-related features, security settings, risks inherent in code), plan one or more standard Internet Explorer configurations for the desktops in your organization. Learn about ways of deploying configurations of Internet Explorer 6 across your organization: Learn about using Group Policy to control the configuration of Internet Explorer 6 on desktops across your organization, as described in "Learning About Group Policy Objects That Control Configuration Settings for Internet Explorer 6," later in this section. Learn about the deployment technologies available in the Internet Explorer Administration Kit (IEAK) 6 SP1, some of which are described in "Learning About the Internet Explorer Administration Kit," later in this section.
Using the information about Group Policy and the IEAK, create a plan for deploying and maintaining your standard Internet Explorer configurations.
Excluding Internet Explorer 6 from the Desktop

For information about removing visible entry points to Internet Explorer 6 in Windows XP Professional with SP2, see "Procedures for Removing Visible Entry Points to Internet Explorer 6 in Windows XP Professional with SP2," later in this section.
Examples of the Security-Related Features Offered in Internet Explorer 6

Using Windows XP Professional with Service Pack 2 in a Managed Environment 50
This subsection describes enhancements in some of the security-related features in Internet Explorer 6, as compared to Internet Explorer 5. These features include: A Privacy tab that provides greater flexibility in specifying whether cookies will be blocked from specific sites or types of sites. An example of a type of site that could be blocked is one that does not have a compact policythat is, a condensed computer-readable privacy statement. (The Privacy tab was not available in Internet Explorer 5.) Security settings that specify how Internet Explorer 6 handles such higher-risk items as ActiveX controls, downloads, and scripts. These settings can be customized as needed, or they can be set to these predefined levels: high, medium, medium-low, or low. You can specify different settings for a number of zones, the most basic being the four preconfigured zones: Local intranet zone: Contains addresses inside the boundary defined by your proxy server or firewall. Trusted sites: Includes sites you designate as "trusted." Restricted sites: Includes sites you designate as "restricted." Internet zone: Includes everything that is not in another zone and is not on the local computer.
You can also specify different settings for the customized zones that you add programmatically using the URL security zones application programming interface (API). For more information, search for "URL security zones" on the MSDN Web site at: http://msdn.microsoft.com/ Support for content-restricted IFrames (inline floating frames). This type of support enables developers to implement these frames in a way that makes it more difficult for malicious authors to start e-mail-based or content-based attacks. Improvements in Windows XP Service Pack 2 (SP2) that increase the overall security and reliability of Internet Explorer 6. These improvements include a configurable popup blocker, an interface from which you can manage add-ons (programs that extend the capabilities of the browser), and enhancements to other security features.
For more information about features available in Internet Explorer, see the information in the next subsection, as well as the Internet Explorer page on the Microsoft Web site at: http://www.microsoft.com/windows/ie/
Resources for Learning About Topics Related to Security in Internet Explorer 6

This subsection lists resources that can help you learn about the following topics related to security in Internet Explorer 6: Security and privacy settings available in Internet Explorer 6 Methods for mitigating the risks inherent in Web-based programs and scripts Ways to use Group Policy objects that control configuration settings for Internet Explorer 6
51
The Internet Explorer Administration Kit
In addition, for information about unattended installation, see the resources listed in Appendix A, "Resources for Learning About Automated Installation and Deployment."
Learning About Security and Privacy Settings in Internet Explorer 6

Two important sources of detailed information about the security and privacy settings in the version of Internet Explorer 6 in Windows XP with SP2 are as follows: Changes to Functionality in Microsoft Windows XP Service Pack 2, which contains information about the pop-up blocker, the interface from which you can manage add-ons (programs that extend the capabilities of the browser), and enhancements to other security features. This document is available on the Microsoft Web site at:
http://go.microsoft.com/fwlink/?LinkId=30566 Microsoft Internet Explorer 6 Resource Kit
To learn about this and other resource kits, see the Microsoft TechNet Web site at: http://go.microsoft.com/fwlink/?linkid=29894 The Microsoft Internet Explorer 6 Resource Kit consists of a number of parts that include these titles: "Privacy and Security Features" "Preparation for Deployment" "Customization and Installation" "Maintenance and Support," including information about keeping programs updated Appendices, including an appendix titled "Setting System Policies and Restrictions" The privacy statement for the version of Internet Explorer in Windows XP SP2. This privacy statement is on the Microsoft Web site at:
Learning About Mitigating the Risks Inherent in Web-based Applications and Scripts
In a network-based and Internet-based environment, code can take a variety of forms including scripts within documents, scripts within e-mail messages, or applications or other code objects running within Web pages. This code can move across the Internet and is sometimes referred to as "mobile code." Configuration settings provide ways for you to control the way Internet Explorer 6 responds when a user tries to run mobile code. Two examples of the ways you can customize the Internet Explorer configuration deployed in your organization are as follows: Two examples of the ways you can customize the Internet Explorer configuration deployed in your organization are as follows: You can control the code (in ActiveX controls or in scripts, for instance) that users can run. You can do this by customizing Authenticode settings, which can, for
52
example, prevent users from running any unsigned code or enable them to only run code signed by specific authors. If you want to permit the use of ActiveX controls, but you do not want users to download code directly from the Internet, you can specify that when Internet Explorer 6 looks for a requested executable, it goes to your own internal Web site instead of the Internet. For more information, see the white paper titled "Managing Mobile Code with Microsoft Technologies" at the end of this list, and search for CodeBase.
You can use the following sources to learn more about mitigating the risks inherent in Web-based applications and scripts: To understand more about how a particular Microsoft programming or scripting language works, see the MSDN Web site at:
http://msdn.microsoft.com/ To learn about approaches to mitigating the risks presented by mobile code, see "Managing Mobile Code with Microsoft Technologies," a white paper on the TechNet Web site at:
Learning About Group Policy Objects That Control Configuration Settings for Internet Explorer 6
You can control configuration settings for Internet Explorer 6 by using Group Policy objects (GPOs) on servers running Windows Server 2003. (You can also control the configuration of Internet Explorer by using the Internet Explorer Administration Kit. For more information, see "Learning about the Internet Explorer Administration Kit," later in this section.) For sources of information about Group Policy, see the appropriate appendices in this white paper. To learn about specific Group Policy settings that can be applied to computers running Windows XP Professional with SP2, see the following two sources of information: Changes to Functionality in Microsoft Windows XP Service Pack 2 on the Microsoft Web site at:
http://go.microsoft.com/fwlink/?LinkId=30566 The Group Policy Settings Reference on the Microsoft Download Center Web site at:
Learning About the Internet Explorer Administration Kit

With the deployment technologies available in the Internet Explorer Administration Kit (IEAK), you can efficiently deploy Internet Explorer and control the configuration of Internet Explorer across your organization. (You can also control the configuration of Internet Explorer by using Group Policy. For more information, see "Learning about Group Policy objects that control configuration settings for Internet Explorer 6," earlier in this section.) A few of the features and resources in the IEAK include:
53
Internet Explorer Customization Wizard. Step-by-step screens guide you through the process of creating customized browser packages that can be installed on client desktops. IEAK Profile Manager. After you deploy Internet Explorer, you can use the IEAK Profile Manager to change browser settings and restrictions automatically. IEAK Toolkit. The IEAK Toolkit contains a variety of helpful tools, programs, and sample files. IEAK Help. IEAK Help includes many conceptual and procedural topics that you can view by using the Index, Contents, and Search tabs. You can also print topics from IEAK Help.
For more information about the IEAK, see the Windows Web site at: http://go.microsoft.com/fwlink/?linkid=29479
Procedures for Controlling Internet Explorer in Windows XP with SP2

The following subsections provide procedures for carrying out two types of tasks: Removing visible entry points to Internet Explorer in Windows XP with SP2 Setting the security level for specific Web sites
Procedures for Removing Visible Entry Points to Internet Explorer in Windows XP with SP2
This subsection provides information about removing all visible entry points to Internet Explorer in Windows XP with SP2, for situations where you do not want users to have access to Internet Explorer, or where you want users to use another Web browser exclusively. The procedures explain how to do the following: Remove visible entry points with Set Program Access and Defaults, through which the administrator of a computer running Windows XP with SP2 can specify which Web browser is shown on the Start menu, desktop, and other locations. Remove visible entry points through Add or Remove Programs in Control Panel. Remove visible entry points during unattended installation.
To Specify Which Web Browser Is Shown on the Start Menu, Desktop, and Other Locations on a Computer Running Windows XP with SP2
To perform the following procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. 1. Click Start and then click Set Program Access and Defaults.
54
2. Click the Custom button. Note Alternatively, you can click the Non-Microsoft button, which will not only remove visible entry points to Internet Explorer, but also to Outlook Express, Windows Media Player, and Windows Messenger. If you do this, skip the remaining steps of this procedure. 3. To disable access to Internet Explorer on this computer, to the right of Internet Explorer, clear the check box for Enable access to this program. 4. If you want a different default Web browser to be available to users of this computer, select the Web browser from the options available. Note For the last step, if your program does not appear by name, contact the vendor of that program for information about how to configure it as the default. Also, for related information about registry entries that are used to designate that a program is a browser, e-mail, media playback, or instant messaging program, see the MSDN Web site at: http://go.microsoft.com/fwlink/?linkid=29306 For more information about Set Program Access and Defaults, see article 328326, How to Use the Set Program Access and Defaults Feature in Windows XP Service Pack 1 in the Microsoft Knowledge Base at: http://go.microsoft.com/fwlink/?linkid=29309
To Remove Visible Entry Points to Internet Explorer on an Individual Computer Running Windows XP with SP2
To perform the following procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. 1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel. 2. Double-click Add or Remove Programs. 3. On the left, click Add/Remove Windows Components. 4. In the Windows Components Wizard, scroll down and make sure the check box for Internet Explorer is cleared. 5. Follow the instructions to complete the Windows Components Wizard.
To Remove Visible Entry Points to Internet Explorer During Unattended Installation by Using an Answer File
1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A, "Resources for Learning About Automated Installation and Deployment." 2. In the [Components] section of the answer file, include the following entry: IEAccess = Off
55
For complete details about how the IEAccess entry works, see the resources listed in Appendix A, "Resources for Learning About Automated Installation and Deployment." Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).
Procedures for Setting the Security Level to High for Specific Web Sites
The procedures that follow provide information about how to set the security level for a particular Web site to High, which prevents actions such as the running of scripts and the downloading of files from the site. For information about planning a configuration for your organization to control whether Internet Explorer allows downloads or allows plug-ins, ActiveX controls, or scripts to be run, see Examples of the Security-Related Features Offered in Internet Explorer 6 and Learning About Security and Privacy Settings in Internet Explorer 6, earlier in this section.
To Configure a Specific Computer with a Security Level of High for Specific Sites
1. On the computer on which you want to configure a security level of High for specific sites, in Internet Explorer, click Tools, click Internet Options, and then click the Security tab. 2. Select Restricted sites. 3. Under Security level for this zone, make sure the slider for the security level is set to High. If the security level for the zone is Custom, click Default Level and make sure the slider for the security level is set to High. You can view the individual settings that make up High security by clicking Custom Level. For example, you can click Custom Level and then scroll down to confirm that for High security, the settings for active scripting and for file download are both Disable. After viewing the settings, click Cancel. 4. With Restricted sites still selected, click Sites. 5. In Add this Web site to the zone, type the Web site address. You can use an asterisk for a wildcard. For example, for Web sites at Example.Example.com and www.Example.com, you could type: http://*.Example.com 6. Click the Add button.
To Use Group Policy to Set the Security Level to High for Specific Sites That Users in Your Organization Might Connect To
1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO. 2. In Group Policy, click User Configuration, click Windows Settings, click Internet Explorer Maintenance, and then click Security. 3. In the details pane, double-click Security Zones and Content Ratings. 4. Under Security Zones, click Import the current security zones and privacy settings, and then click Modify Settings. 5. Select Restricted sites.
56
6. Under Security level for this zone, make sure the slider for the security level is set to High. If the security level for the zone is Custom, click Default Level and make sure the slider for the security level is set to High. You can view the individual settings that make up High security by clicking Custom Level. For example, you can click Custom Level and then scroll down to confirm that for High security, the settings for active scripting and for file download are both Disable. After viewing the settings, click Cancel. 7. With Restricted sites still selected, click Sites. 8. In Add this Web site to the zone, type the Web site address. You can use an asterisk for a wildcard. For example, for Web sites at Example.Example.com and www.Example.com, you could type: http://*.Example.com 9. Click the Add button.
57
Internet Games on Windows XP

This section provides information about: The benefits of Internet games on Windows XP How Internet games on Windows XP communicate with servers on the Internet hosted by Zone.com (the Internet Games service for MSN) How to control Internet games on Windows XP to prevent the flow of information to and from the Internet
Benefits and Purposes of Internet Games on Windows XP

Microsoft Windows XP Professional with Service Pack 2 (SP2) includes six standard games for Windows and five Internet games as part of the installation package. These games can be accessed through Start\All Programs\Games or Start\Programs\Games. The six standard games do not interact with the Internet in any way, in other words, the user plays against the computer. The Internet games, however, communicate across the Internet so the user can play against human opponents (not the computer). To allow moves to be passed between players, the Internet games open a connection to servers hosted by Microsoft. Internet games use client-server technology. The only Internet communication sent by the Internet games clients is to the centralized game servers. The game servers proxy the connection for all the players in a game and broadcast game moves and status messages to clients as required. Players in a game do not send Internet traffic directly to other players in the game.
Overview: Using Internet Games on Windows XP in a Managed Environment

The Internet games in Windows XP are similar to the games offered on the MSN Web site, MSN Games by Zone.com, which is located at: http://www.zone.msn.com However, the games in Windows XP have reduced functionality. They do not support free-form chat, the ability to customize the users name, competitions, tournaments, lists of contacts, and access to ratings and recorded scores, among other features. The Internet games that come with Windows XP do not have any Web component in and of themselves and their functionality and communication with the game servers is limited, as described in the following subsection. The games that come packaged with Windows XP can be excluded from installation or removed. By eliminating access to the Internet games on the client computer, you will eliminate communication with the game servers. Direct access to this site can also be blocked at the firewall or gateway server as described in Controlling Internet Games on Windows XP to Prevent the Flow of Information to and from the Internet, later in this section.
58
How Internet Games on Windows XP Communicate with Sites on the Internet

When the user navigates to Start\All Programs\Games or to Start\Programs\Games, and then clicks one of the five Internet games listed, a dialog box opens announcing the intended connection to the free game server. The dialog box displays a warning message concerning information being passed and gives the user the option to cancel the interaction. If the user chooses to connect, a limited interactive session with the server is established. This section describes various aspects of the data that is sent to and from the Internet, and how the exchange of information takes place: Specific information sent or received: When a user plays an Internet game in Windows XP, the information that is sent to the game server consists of the following:
Randomly generated identifier: A randomly generated, globally unique identifier (GUID) is created on first use and is stored on the server and the client. This is used to anonymously (but uniquely) identify each client connecting. Locale setting: The locale setting for Windows XP is sent to the game server when the user connects. Game play data: Each of the players moves is sent to the game server. The server validates each move, updates the state of the game, and broadcasts any required updates to the other clients in the game (cards played, pieces moved, and so on). The server retains only the information necessary to track the current status of the game. Predefined chat messages: The user can choose from 30 predefined chat messages to send to other players in the game (the messages are passed through the game server). Users can turn the chat capability on or off. There is no capability for free-form chat. Triggers: Users must select one of the Internet games from the Games menu and then click OK after seeing the splash screen. User notification: No information is sent if the user does not proceed past the splash screen, which briefly describes the information sent to the game server. Encryption: There is no encryption of data. Access: Game server support staff and MSN Games by Zone.com operational support staff have access to a limited set of data. The data consists of the number of successful games completed, the number of disconnected games per GUID, plus data about the performance and load on the game servers. Note that the history of moves made and past games are not stored on the servers. Privacy: A limited privacy statement is displayed in the splash screen for the Internet games. The text is as follows:
This game matches you with players from around the world. If you choose to PLAY, the game sends Zone.com certain system information and a computer ID solely to administer and enhance game play. No personal information is ever collected. No information is sent if you click 'Quit' now. If you are not already connected to the Internet, you will be prompted to do so in the next screen. Click 'Play' to continue. Port: The port ranges are 28000 through 29000.
59
Transmission protocol: The client connects to the server using TCP/IP Winsock (Windows sockets API). Ability to disable: User acceptance is required to play the games. It is possible to uninstall the games by using Windows XP Setup, or to block access to the MSN Games by Zone.com Web site through the use of a firewall rule. Uniquely identify user: The randomly generated GUID described earlier in this list is used to anonymously (but uniquely) identify each client connecting. No personally identifiable information about the user is transmitted to the game server.
Controlling Internet Games on Windows XP to Prevent the Flow of Information to and from the Internet
The most direct method of preventing the flow of information is to exclude or remove the Internet games from the installation. Since Windows XP clients connect to the game servers through a Domain Name System (DNS) entry, however, using a firewall to block the DNS entry for the MSN Games by Zone.com Web site at www.zone.msn.com will block the connection from the Windows XP game clients to the server. If a client requests access to the site, an error message will be returned. Procedures for removing the Internet games through Control Panel and by using an answer file (during unattended installation) are described in the next subsection.
Procedures for Configuration of Internet Games on Windows XP

The following procedures describe: How to use Control Panel to remove Internet games from an individual computer running Windows XP with SP2. How to exclude Internet games during unattended installation of Windows XP with SP2 by using an answer file.
To Remove Games from Windows XP Through Control Panel

1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel. 2. Double-click Add or Remove Programs. 3. Click Add/Remove Windows Components (on the left). 4. Select Accessories and Utilities, and then click Details. 5. Select Games, and then click Details. 6. From the Games dialog box, clear the check boxes for the games that you want to remove from the installation. There is a single check box for all the Internet games. If any Internet games are removed, all are removed. 7. Follow the instructions to complete the Windows Components Wizard.
60
To Exclude Internet Games During Unattended Installation by Using an Answer File

1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A, "Resources for Learning About Automated Installation and Deployment." 2. In the [Components] section of the answer file, include the following entry: Zonegames = Off Note You can also check a registry key (manually or with a script) on a computer running Windows XP with SP2 to see whether the games component is installed. Do not, however, change this registry key. A registry key value of 0x00000000 means the component is not installed, and a value of 0x00000001 means the component is installed. The key is as follows: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\Subcomponents\zonegames
61
Internet Information Services in Windows XP with SP2

This section provides information about: The benefits of Internet Information Services (IIS) in Microsoft Windows XP Professional with Service Pack 2 (SP2). How to control IIS on users computers to prevent the flow of information to and from the Internet
Benefits and Purposes of IIS in Windows XP with SP2

IIS 5.1 is one of the optional components in Windows XP with SP2 and by default is not installed. Allowing selected users to install this component provides them with an easy way to publish information on the Internet or an intranet. IIS includes innovative security features and a broad range of administrative features for managing Web sites. By using programmatic features like Active Server Pages (ASP and ASP.NET), users who have been given the responsibility to create Web sites can more easily create and deploy scalable, flexible Web applications. IIS is not installed by default with Windows XP with SP2 but can be added using Add or Remove Programs in Control Panel. IIS in Windows XP Professional with SP2 can, by default, service only 10 simultaneous client connections, with one Web site only, and does not use all the features of the server versions. IIS 5.1 in Windows XP Professional with SP2 includes the Microsoft Management Console (MMC) snap-in for managing IIS. For more information about IIS features, see the following Web sites: The IIS 5.1 page (part of the Windows XP Professional evaluation pages) at:
http://go.microsoft.com/fwlink/?linkid=29895 The IIS Security page (part of TechNet) at:
Overview: IIS on Computers Running Windows XP with SP2 in a Managed Environment

In a managed environment, it is recommended that you carefully select and train any users who will be permitted to install IIS on their computers running Windows XP with SP2. In some respects, such users have responsibilities like those of a server administrator, and they should therefore be trained about security, auditing, and monitoring. It is beyond the scope of this white paper to provide details about maintaining security on a computer that hosts a Web site. However, as a best practice, on any client on which IIS is installed, we recommend that you run the IIS Lockdown Tool (before or after installing the service pack). Because administrators will most likely exclude IIS from standard desktop configurations in a managed environment, the sections that follow provide details about how to prevent the installation of this component.
62
Controlling IIS on Users Computers to Prevent the Flow of Information to and from the Internet
To maximize the security of computers in your organization and prevent the flow of information through IIS on clients running Windows XP with SP2, if IIS is not required on those clients, remove or exclude it. You can do this during workstation deployment by using standard methods for unattended installation or remote installation. If you are using an answer file, the following table shows the entries, all of which are in the [Components] section. Note By default, the components listed in the table are not installed with Windows XP Professional. The following table shows the answer file entries as well as the associated registry keys. Do not change the registry keys. They are shown for use in a script that could check whether a particular component is installed on a particular computer. A registry key value of 0x00000000 means the component is not installed, and a value of 0x00000001 means the component is installed. Answer File Entries and Registry Keys Associated with IIS Subcomponents
Registry Key (for use in a script that checks whether a component is installed): 0x00000000 means it is not installed, 0x00000001 means it is installed HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\CurrentVersion\Setup\Oc Manager\ Subcomponents\iis_common HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\CurrentVersion\Setup\Oc Manager\ Subcomponents\iis_ftp HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\CurrentVersion\Setup\Oc Manager\ Subcomponents\iis_inetmgr HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\CurrentVersion\Setup\Oc Manager\ Subcomponents\iis_smtp HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\CurrentVersion\Setup\Oc Manager\ Subcomponents\iis_www HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\CurrentVersion\Setup\Oc Manager\ Subcomponents\fp_extensions
IIS Subcomponent IIS common files
Answer File Entry (in the [Components] Section) iis_common = Off
File Transfer Protocol (FTP) service IIS MMC snap-in
iis_ftp = Off
iis_inetmgr = Off
Simple Mail Transfer Protocol (SMTP) service World Wide Web (WWW) service FrontPage server extensions
iis_smtp = Off
iis_www = Off
fp_extensions = Off
Procedures for Checking or Preventing the Installation of IIS Subcomponents on a Client

The following procedures explain how to: View the registry keys listed in the table in the previous section View the components currently installed on a computer running Windows XP
63
Prevent the installation of IIS subcomponents during unattended installation by using an answer file Obtain the IIS Lockdown Tool for use on any client on which IIS is necessary
To View Registry Keys Related to IIS Subcomponents

1. Open Registry Editor by clicking Start, clicking Run, and then typing regedit. Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied. 2. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\Subcomponents\. 3. View the registry keys listed in the table in the previous section, and the value associated with each key. A value of 0x00000000 means the component is not installed. A value of 0x00000001 means the component is installed. 4. Close Registry Editor.
To View the Components Currently Installed on a Computer Running Windows XP

1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel. 2. Double-click Add or Remove Programs. 3. Click Add/Remove Windows Components (on the left). 4. Scroll down to Internet Information Services (IIS) and click Details. 5. View the list of subcomponents and each check box, which show whether a particular subcomponent has been installed.
To Prevent the Installation of IIS Subcomponents During Unattended Installation by Using an Answer File
1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A, "Resources for Learning About Automated Installation and Deployment." 2. In the [Components] section of the answer file, ensure that there are no entries for the subcomponents listed in the preceding table, "Answer file entries and registry keys associated with IIS subcomponents." If you want to list any of these subcomponents, ensure that the entries specify Off. If IIS subcomponents are not listed in an answer file for unattended installation of Windows XP Professional, by default, these subcomponents are not installed.
64
To Obtain the IIS Lockdown Tool for Clients on Which IIS is Necessary
The IIS Lockdown Tool, designed for use on computers on which IIS is installed, is available from the Microsoft TechNet Web site at:
65
Internet Printing
This section provides information about: The benefits of Internet printing How Internet printing communicates with sites on the Internet How to control Internet printing to prevent the flow of information to and from the Internet
Benefits and Purposes of Internet printing

Internet printing makes it possible for client computers running Microsoft Windows XP Professional with Service Pack 2 (SP2) to use printers located anywhere in the world by sending print jobs using Hypertext Transfer Protocol (HTTP). Additionally, computers running Windows XP can use Microsoft Internet Information Services (IIS) or a Web peer server to create a Web page that provides information about printers and provides the transport for printing over the Internet.
Overview: Using Internet Printing in a Managed Environment

You need to consider both the server and client components of Internet printing: Server: It is possible for a person who logs on as the administrator of a computer running Windows XP to install IIS and then configure that computer to act as a print server, allowing Internet printing. In a managed environment, you may want to prevent users from logging on as administrators so they cannot install IIS. You may also want to disable the Internet printing functionality of IIS, or properly secure IIS and Internet printing so that they are available only to authorized users. Client: Client computers can install an Internet printer using a Web browser, the Add Printer Wizard, or the Run dialog box. In order to prevent Internet printing, you must remove the ability for users to add an Internet printer.
Details on how to configure your Windows XP implementation to achieve these goals can be found later in this section.
How Internet Printing Communicates with Sites on the Internet

The Internet printing process is as follows: 1. A user connects to a print server over the Internet by typing the URL for the print device. 2. The HTTP request is sent over the Internet to the print server.
66
3. The print server requires the client to provide authentication information. This ensures that only authorized users print documents on the print server. 4. After a user has authorized access to the print server, the server presents status information to the user by using Active Server Pages (ASP), which contain information about currently available printers. 5. When the user connects to any of the printers on the Internet printing Web page, the Windows XP client first tries to find a driver for the printer locally. If an appropriate driver cannot be found, the print server generates a cabinet file (.cab file, also known as a setup file) that contains the appropriate printer driver files. The print server downloads the .cab file to the client computer. The user on the client computer is prompted for permission to download the .cab file. 6. After users connect to an Internet printer, they can send documents to the print server by using Internet Printing Protocol (IPP). Communication for Internet printing uses IPP and HTTP (or HTTPS) over any port that the print server has configured for this service. Because the service is using HTTP or HTTPS, this is typically port 80 or port 443. Because Internet printing does support HTTPS traffic, communication can be encrypted, depending on the users Internet browser settings. Client computers running Windows XP can use Internet printing by default. Users must be authenticated by the print server, however, before they can use any of the printers connected to that server. If you install IIS on Windows XP (which requires being logged on as an administrator), Internet printing is automatically enabled as a feature of IIS. As described earlier, you can disable or restrict computers running Windows XP from hosting Internet printing through a variety of methods. See the following subsections for additional details. The print server can use IIS and other technologies to collect and log extensive data about the user, the computer that sends the printing request, and the request itself. It is beyond the scope of this white paper to describe Web site operations and the specifics of what type of information can be collected. For more information about IIS and other related resources, see "Internet Information Services in Windows XP with SP2" in this white paper.
Controlling Internet Printing to Prevent the Flow of Information to and from the Internet
Client Computers
To prevent the use of Internet printing from a client computer running Windows XP, you can configure Group Policy.
Print Servers
As described earlier, only a person logged on as an administrator on a computer running Windows XP can install IIS and configure that computer to act as a print server. In order to control this, you can: Prevent users from logging on as administrators, which prevents them from installing IIS (recommended)
67
Use Group Policy to disable Internet printing when IIS is installed Restrict access to the printer to limited user IDs
Procedures for Disabling Internet Printing

Procedures for Disabling Internet Printing on a Client Computer Running Windows XP
To prevent users from using Internet printing on a client computer running Windows XP, use Group Policy as described in the following procedure.
To Disable Internet Printing on a Computer Running Windows XP by Using Group Policy

1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, click Computer Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, click User Configuration. 3. Click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings. 4. In the details pane, double-click Turn off printing over HTTP, and then click Enabled. Important You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management or in User Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key." During the process of Internet printing, print drivers might be downloaded to a client, as described in How Internet Printing Communicates with Sites on the Internet, earlier in this section. To prevent this type of download of print driver to computers running Windows XP with SP2, use Group Policy as described in the following procedure.
To Prevent the Downloading of Print Drivers over HTTP to Computers Running Windows XP by Using Group Policy
1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, click Computer
68
Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, click User Configuration. 3. Click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings. 4. In the details pane, double-click Turn off downloading of print drivers over HTTP, and then click Enabled. Important You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management or in User Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."
Procedures for Disabling Internet Printing on a Computer Running IIS

We recommend that you prevent users from logging on as administrators, which will prevent them from installing IIS on computers not specifically designated as Internet servers. More details on how to achieve this can be found in "Internet Information Services in Windows XP with SP2" in this white paper. For those computers that are running IIS, you can disable Internet printing if this is appropriate for your installation. The following procedure describes how to do this through Group Policy.
To Disable Internet Printing Using Group Policy

1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, and then click Printers. 3. In the details pane, double-click Web-based Printing. 4. Select Disabled.
Related Links
For general information about Group Policy, see Appendix B, "Learning About Group Policy and Updating Administrative Templates." To learn about specific Group Policy settings that can be applied to computers running Windows XP, see the Group Policy Settings Reference on the Microsoft Web site at: http://go.microsoft.com/fwlink/?LinkId=29911 For more information about the use of IIS in a controlled environment, see "Internet Information Services in Windows XP with SP2" in this white paper.
69
For more information about Internet printing, see the following sources: Article 323428, HOW TO: Configure Internet Printing in Windows Server 2003 in the Microsoft Knowledge Base at:
http://go.microsoft.com/fwlink/?LinkId=29209 Effectively Using IPP Printing on the Microsoft Windows Server 2003 Web site at:
70
Internet Protocol Version 6 (IPv6)

This section provides information about: An introduction to the IPv6 protocol The benefits of the IPv6 protocol How the IPv6 protocol can be used across the Internet How to control the IPv6 protocol to limit the flow of information to and from the Internet How to monitor and troubleshoot the IPv6 protocol after configuration is complete
An Introduction to the IPv6 Protocol

The current version of the Internet Protocol (known as IP version 4 or IPv4) has not been substantially changed since 1981, when the Internet Engineering Task Force (IETF) published the definitive specification of IP (RFC 791). IPv4 has proven to be robust, easily implemented, and interoperable. It has stood the test of scaling an internetwork to a global utility the size of today's Internet, which is a tribute to the protocols initial design. The initial design, however, did not anticipate the exponential growth of the Internet and the exhaustion of the IPv4 address space, or the effort required to maintain routing information. Because of the way in which IPv4 network IDs are allocated, there are routinely over 70,000 routes in the routing tables of Internet backbone routers. Most current IPv4 implementations are configured either manually or through a stateful address configuration protocol such as the Dynamic Host Configuration Protocol (DHCP). With more computers and devices using IP, there is a need for a simpler and more automatic configuration of addresses and other configuration settings that do not rely on the administration of a DHCP infrastructure. Another factor driving the development of IPv6 is the need for improved security. Private communication over a public medium like the Internet requires encryption services that protect the data sent from being viewed or modified in transit. There is a standard for providing security for IPv4 packets (known as Internet Protocol security or IPSec). In IPv4, however, this standard is optional and proprietary solutions are prevalent. In IPv6, IPSec support is required. To address these concerns, the IETF has developed a suite of protocols and standards known as IP version 6 (IPv6). This new version incorporates the concepts of many proposed methods for updating the IPv4 protocol. For the latest set of RFCs and Internet drafts describing IPv6 and IPv4 coexistence and migration technologies, see the Internet Engineering Task Force (IETF) Web site at: http://go.microsoft.com/fwlink/?LinkId=29136 (Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.)
71
Benefits and Purposes of the IPv6 Protocol

An IPv6 address is four times as large as an IPv4 address. The global addresses used on the IPv6 portion of the Internet are designed to create an efficient, hierarchical, and summarized routing infrastructure that addresses the common occurrence of multiple levels of Internet service providers. On the IPv6 Internet, the backbone routers have an efficient and hierarchical addressing and routing infrastructure that uses smaller routing tables. IPv6 supports both stateful address configuration (such as address configuration in the presence of a DHCP server) and stateless address configuration (address configuration in the absence of a DHCP server). The support for IPSec is an IPv6 protocol suite requirement. This requirement provides a standards-based solution for network security needs and promotes interoperability between different IPv6 implementations. The new format of the IPv6 header is designed to minimize header validation and processing. In addition, a new field in the IPv6 header helps to define how traffic is handled and identified for quality of service delivery. IPv6 can be extended for new features by adding extension headers after the IPv6 header. Unlike the IPv4 header, which can only support 40 bytes of options, the size of IPv6 extension headers is only constrained by the size of the IPv6 packet. The new Neighbor Discovery protocol in IPv6 is a series of Internet Control Message Protocol for IPv6 (ICMPv6) messages that manage the interaction of neighboring nodes. Neighbor Discovery replaces Address Resolution Protocol (ARP), ICMPv4 Router Discovery, and ICMPv4 Redirect messages with efficient multicast and unicast messages. The following table compares the key features of the IPv4 and IPv6 protocols. Comparison of Features in IPv4 and IPv6
IPv4 Source and destination addresses are 32 bits (4 bytes) in length. IPSec support is optional. No identification of packet flow for Quality of Service (QoS) handling by routers is present within the IPv4 header. Fragmentation is done by both routers and the sending host. Header includes a checksum. Header includes options. Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IPv4 address to a link layer address. Internet Group Management Protocol (IGMP) is used to manage local subnet group membership. ICMP Router Discovery is used to determine the IPv4 address of the best default gateway and is optional. IPv6 Source and destination addresses are 128 bits (16 bytes) in length. IPSec support is required. Packet flow identification for QoS handling by routers is included in the IPv6 header using the Flow Label field. Fragmentation is not done by routers, only by the sending host. Header does not include a checksum. All optional data is moved to IPv6 extension headers. ARP Request frames are replaced with multicast Neighbor Solicitation messages. IGMP is replaced with Multicast Listener Discovery (MLD) messages. ICMP Router Discovery is replaced with ICMPv6 Router Solicitation and Router Advertisement messages and is required.
72
Broadcast addresses are used to send traffic to all nodes on a subnet. Must be configured either manually or through DHCP. Uses host address (A) resource records in the Domain Name System (DNS) to map host names to IPv4 addresses. Uses pointer (PTR) resource records in the IN-ADDR.ARPA DNS domain to map IPv4 addresses to host names.
There are no IPv6 broadcast addresses. Instead, a link-local scope all-nodes multicast address is used. Does not require manual configuration or DHCP. Uses host address (AAAA) resource records in the Domain Name System (DNS) to map host names to IPv6 addresses. Uses pointer (PTR) resource records in the IP6.ARPA DNS domain to map IPv6 addresses to host names.
For more information about Internet Protocol version 6, see the Microsoft Web site at: http://go.microsoft.com/fwlink/?LinkId=29519
Using the IPv6 Protocol Across the IPv4 Internet

On networks that do not have native support for IPv6 traffic, the IPv6 traffic is transmitted on the network by encapsulating the IPv6 packets with an IPv4 header, a technique known as IPv6 tunneling. One IPv6 tunneling technology that provides IPv6 connectivity across the IPv4 Internet is 6to4. For more information about 6to4, see "Connection of IPv6 Domains via IPv4 Clouds," in RFC 3056 on the IETF Web site at: http://go.microsoft.com/fwlink/?LinkId=29898 (Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.) If native IPv6 connectivity does not exist, a 6to4-capable computer makes a Domain Name System (DNS) query for 6to4 relay routers. By default, this DNS query is presently set to "6to4.ipv6.microsoft.com" and the response contains a well-known IPv4 anycast address. (An anycast address is one that identifies multiple nodes and interfaces.) As more 6to4 relay routers are added in the future, this address will be assigned to more computers that are owned by various Internet service providers (ISPs). If the DNS query provides multiple addresses, the host selects an appropriate 6to4 relay router by sending an IPv6 packet to each one and choosing the one that responds first. Note 6to4 tunneling is enabled when IPv6 services are not native to your network and there is an assigned public IPv4 Internet address. The use of IPv6 in Microsoft Windows XP Professional with Service Pack 2 (SP2) is currently supported only when IPv4 is also installed.
Controlling IPv6 Protocol Traffic

You can stop the ingress or egress of IPv6 traffic on your network by configuring your network firewalls to block all IPv6 packets. For 6to4 traffic, you can configure your firewalls to block all
73
IPv4 packets that include the IPv6 protocol designation of 41 in the Protocol field of the IPv4 packet header.
Preventing Users from Installing IPv6

The default settings for a member of the Users group do not permit those users to install networking protocols. You should limit who is allowed to install the IPv6 protocol stack on network computers by carefully limiting the number of users that have administrative logon credentials. You can use the Active Directory directory service and Group Policy to filter and control the users ability to add new networking protocols or modify existing networking configurations. For more information about these configuration methods, see "Group Policy" in the Windows Help index. For information about installing and uninstalling IPv6, see the list of procedures in the next subsection.
Procedures for Configuration of the IPv6 Protocol

Installing and uninstalling the IPv6 protocol stack can be done by using the Network Connections folder or the command prompt. The following procedures tell how to find information about security in relation to IPv6 and describe installing and uninstalling the IPv6 protocol stack by using the Network Connections folder.
To Find Information About Security in Relation to IPv6

1. On a computer running Windows Server 2003, click Start, and then click Help and Support. As an alternative, you can view product documentation for Windows Server 2003 products on the Web at: http://go.microsoft.com/fwlink/?linkid=29881 2. In Help Contents, navigate as follows: Network Services\Managing Core Network Services\IP Version 6\Concepts\IPv6 Overview 3. View topics below IPv6 Overview, especially Security information for IPv6.
To Install IPv6 Using the Network Connections Folder

1. Click Start. 2. Either click Control Panel and then double-click Network Connections, or point to Settings, click Control Panel, and then double-click Network Connections. 3. Right-click any local area connection, and then click Properties. 4. Click Install. 5. In the Select Network Component Type dialog box, click Protocol, and then click Add. 6. In the Select Network Protocol dialog box, click Microsoft TCP/IP version 6.
74
To Uninstall IPv6 Using the Network Connections Folder

1. Click Start. 2. Either click Control Panel and then double-click Network Connections, or point to Settings, click Control Panel, and then double-click Network Connections. 3. Right-click any local area connection, and then click Properties. 4. Click Microsoft TCP/IP version 6 in the list of installed components, and then click Uninstall. 5. Restart the computer. The following two procedures describe installing and uninstalling the IPv6 protocol stack from the command prompt.
To Install IPv6 on a Computer from the Command Prompt

1. To open a Command Prompt window, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type netsh interface ipv6 install, and then press ENTER.
To Uninstall IPv6 from a Computer from the Command Prompt

1. To open a Command Prompt window, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type netsh interface ipv6 uninstall, and then press ENTER. 3. Restart the computer. Note The IPv6 configuration procedures require that you have administrative credentials on the computer.
Monitoring and Troubleshooting the IPv6 Protocol

The following procedures describe ways to view TCP/IP configurations.
To Display the Complete List of TCP/IP Interface Configurations for a Computer from the Command Prompt
1. To open a Command Prompt window, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type ipconfig /all, and then press ENTER.
To Display the TCP/IP Routing Table from the Command Prompt

1. To open a Command Prompt window, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type route print, and then press ENTER.
75
Troubleshooting a Command-line Installation Error

The installation of the IPv6 protocol stack requires that you have administrative credentials. If you attempt to install the IPv6 protocol from the command line without having the required account credentials, the result is an "Access is denied" error (0x800700005).
Related Links
Web Resources
For more information about 6to4, see "Connection of IPv6 Domains via IPv4 Clouds," in RFC 3056 on the IETF Web site at:
http://go.microsoft.com/fwlink/?LinkId=29898 For more information about IP version 6, see the Microsoft Web site at:
http://go.microsoft.com/fwlink/?LinkId=29519 For information about security in relation to IPv6, see To Find Information About Security in Relation to IPv6, earlier in this white paper. For more information about IPv6 addressing, see "Internet Protocol Version 6 (IPv6) Addressing Architecture" in RFC 3513 on the IETF Web site at:
http://go.microsoft.com/fwlink/?LinkId=29135 For the latest set of RFCs and Internet drafts describing IPv6 standards, see IP Version 6 Working Group (ipv6) at the IETF Web site at:
http://go.microsoft.com/fwlink/?LinkId=29136 For the latest set of RFCs and Internet drafts describing IPv6 transition technologies, see Next Generation Transition (ngtrans) at the IETF Web site at:
http://go.microsoft.com/fwlink/?LinkId=29215 (Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.)
Printed References
For more information about the IPv6 protocol suite, you can consult the following references. Davies, J. Understanding IPv6. Redmond, WA: Microsoft Press, 2002. Hagen, S. IPv6 Essentials. Sebastopol, CA: O'Reilly and Associates, Inc., 2002.
76
MSN Explorer
This section provides information about: The benefits of MSN Explorer How MSN Explorer communicates with sites on the Internet How to control MSN Explorer to limit the flow of information to and from the Internet
Benefits and Purposes of MSN Explorer

MSN Explorer is the software used by subscribers to MSN Plus, MSN Premium, or MSN 9 Dial-Up. It can be used to browse the Web, read and send e-mail, and access a variety of MSN services. When a user first starts MSN Explorer, it connects the user to the free non-subscriber section of the MSN.com Web site. From this default site, the user has access to all of the MSN services. The MSN.com Web site is an Internet connectivity service that provides access to a variety of personal-interest information and services, as well as providing a portal to the World Wide Web.
Overview: Using MSN Explorer in a Managed Environment

MSN Explorer is installed optionally with Microsoft Windows XP Professional with Service Pack 2 (SP2). MSN Explorer is available to users after they complete a sign-up and setup procedure using the MSN Installation Wizard. Once users have established an account with MSN.com, they have access to personal e-mail, online contacts, online music and video, and the Internet. MSN Explorer delivers the benefits of popular Internet technologies such as Hotmail, Microsoft Internet Explorer, Windows Messenger, and Windows Media Player, all in one program that works with the existing Internet connections. In a managed environment, however, unlimited access to these available Web sites may pose security risks. You can therefore remove MSN Explorer from the Windows components to be installed, as described later in this section.
How MSN Explorer Communicates with Sites on the Internet

The MSN Explorer component is a Web browser that can create an Internet connection, search the Web, communicate through instant messaging and e-mail, play music, and manage the users schedules and finances online. To access MSN Explorer for the first time, users must click Start and then click MSN. This starts the MSN Installation Wizard, which takes the user through a sign-up process. The user has the option of signing up for an MSN 9 Dial-up subscription (which includes Internet access) or an MSN Plus or MSN Premium subscription (both of which use an existing Internet account). Note that the user can also access an MSN subscription using a local area network (LAN). The user then has the option of using an existing Hotmail or MSN e-mail account or creating a new account. If a user creates a new e-mail account, the wizard requests personal information such as date of birth and occupation. The user then sets a password and is given a user name. Subsequent access to MSN Explorer will take the user directly to MSN.com.
77
This section describes various aspects of the data that is sent to and from the Internet, and how the exchange of information takes place. Specific information sent or received: MSN collects personal information such as e-mail address, name, home or work address, and telephone number. MSN also collects demographic information, such as ZIP Code, age, preferences, interests, and favorites. Information about the computer hardware and software is also collected. This information may include IP address, browser type, domain names, access times, and referring Web site addresses. MSN uses .NET Passport to provide registration and sign-in services. All of the registration information provided is stored by MSN, and some or all of that information will also be stored by .NET Passport. Default target: MSN.com is the default target Internet Web site. With the version of MSN Explorer in Windows XP with SP2, users can change the target Web site. Triggers: If MSN Explorer is not set up yet, when a user clicks Start and then clicks MSN, the MSN Installation Wizard starts. The MSN Installation Wizard takes the user through a sign-up process. After this, the user starts MSN Explorer by clicking MSN on the desktop. Logging: The information collected is logged and stored by MSN, .NET Passport, or both. Access: MSN and its operational service partners collect and use the personal information collected to operate MSN effectively and to deliver the services that the user has requested. Some information is also sent to MSN servers for service quality monitoring and the AutoUpdate service. For more information about how the information that is collected is used, see the MSN privacy statement at:
http://privacy.msn.com/ Privacy: The MSN Web site has a privacy statement that applies to the Microsoft MSN family of Web sites and governs data collection and usage at all MSN sites and services. This privacy statement is available at:
http://privacy.msn.com/ Transmission protocol and port: The MSN Installation Wizard uses HTTPS over port 443. Otherwise, the transmission protocol is HTTP and the port is 80. Ability to disable: MSN Explorer can be removed during installation, or Group Policy can be used to block users from running MSN Explorer. For more information, see "Procedures for Configuration of MSN Explorer," later in this section.
Controlling MSN Explorer to Limit the Flow of Information to and from the Internet
The MSN Explorer component can be excluded from installation by performing unattended installation with an answer file. As an administrator, you also have the option of using Group Policy to block users from running MSN Explorer if it is already installed. You do this by adding Msn.exe to the list of applications that users are excluded from using. Firewalls and proxy servers can also be used to block direct access to the MSN.com Web site as determined by your organizations Internet use policies. The following subsection provides procedures for excluding MSN Explorer during unattended installation or controlling MSN Explorer through Group Policy.
78
Procedures for Configuration of MSN Explorer

The following procedures explain how to: Exclude the MSN Explorer component during unattended installation of Windows XP with SP2 by using an answer file. Use Group Policy to prevent users from running MSN Explorer if the component is already installed.
To Exclude the MSN Explorer Component During Unattended Installation by Using an Answer File
1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A, "Resources for Learning about Automated Installation and Deployment." Also be sure to review the information in the Deploy.chm file (whose location is provided in that appendix). Do not perform this procedure, however, if you are using Winbom.ini or Unattend.txt for your answer file. 2. In the [Components] section of the answer file, include the following entry. Msnexplr = Off Note You can also check a registry key (manually or with a script) on a computer running Windows XP with SP2 to see whether the MSN Explorer component is installed. Do not, however, change this registry key. A registry key value of 0x00000000 means the component is not installed, and a value of 0x00000001 means the component is installed. The key is as follows: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup \Oc Manager\Subcomponents\msnexplr
To Use Group Policy to Block Access to MSN Explorer

1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO. 2. Click User Configuration, click Administrative Templates, and then click System. 3. In the details pane, double-click Dont run specified Windows applications. 4. Click Enabled, click Show, click Add, and then type: Msn.exe 5. Click OK, click Add, and then type: Msn6.exe 6. Click OK, click Add, and then type: Msnsusii.exe
79
Msn.exe is the executable for MSN Explorer, Msnusii.exe is the executable for the MSN Installer Wizard, and Msn6.exe is a previous version of the software and exists only on computers on which an upgrade (not a clean installation) was performed.
80
NetMeeting
This section provides information about: The benefits of NetMeeting conferencing software Using NetMeeting in a managed environment How NetMeeting communicates with sites on the Internet How to control NetMeeting to limit the flow of information to and from the Internet
Benefits and Purposes of NetMeeting

NetMeeting conferencing software is a feature of Windows XP Professional with Service Pack 2 (SP2) that enables real-time communication and collaboration over the Internet or an intranet. From a computer running the Windows 95, Windows 98, Windows NT 4.0, Windows 2000, or Windows XP operating system, users can communicate over a network with real-time voice and video technology. Users can work together on virtually any Windows application, exchange or mark up graphics on an electronic whiteboard, transfer files, or use the text-based chat program. NetMeeting helps small and large organizations take full advantage of their corporate intranet for real-time communication and collaboration. On the Internet, connecting to other NetMeeting users is made easy with Internet Locator Service (ILS), enabling participants to call each other from a dynamic directory within NetMeeting or from a Web page. Features include remote desktop sharing, virtual conferencing using Microsoft Outlook, security features, and the ability to embed the NetMeeting user interface in an organizations intranet Web pages. To learn more about the NetMeeting features, see Microsoft NetMeeting 3 Features on the Microsoft TechNet Web site at: http://go.microsoft.com/fwlink/?LinkId=29175
Overview: Using NetMeeting in a Managed Environment

NetMeeting supports communication standards for audio, video, and data conferencing. NetMeeting users can communicate and collaborate with users of other standards-based, compatible products. They can connect by modem, Integrated Services Digital Network (ISDN), or local area network (LAN) using Transmission Control Protocol/Internet Protocol (TCP/IP). In addition, support for Group Policy in NetMeeting makes it easy for administrators to centrally control and manage the NetMeeting work environment. You can use Active Directory directory service and Group Policy to configure NetMeeting to help meet your security requirements. You can also control the configuration of NetMeeting by using the NetMeeting Resource Kit. For more information about the NetMeeting Resource Kit, see "Alternate Methods for Controlling NetMeeting," later in this section. NetMeeting components and features require that several ports be open from the firewall. For more information, see "NetMeeting and Firewalls," later in this section.
81
How NetMeeting Communicates with Sites on the Internet

NetMeeting provides an infrastructure for communication between network applications and services. In this infrastructure, NetMeeting is both an application and a platform for other applications or services. The components and services in NetMeeting provide real-time communication and collaboration over the Internet or an organizations intranet. NetMeeting audio and video conferencing features are based on the H.323 standard infrastructure, which enables NetMeeting to interoperate with other H.323 standards-based products. (H.323 is a standard approved by the International Telecommunication Union [ITU] that defines how audiovisual conferencing data is transmitted across networks.) NetMeeting data conferencing features are based on the T.120 infrastructure, enabling NetMeeting to interoperate with other T.120 standards-based products. (The T.120 standard is a suite of communication and application protocols developed for real-time, multipoint data connections and conferencing.) Detailed information about the H.323 and T.120 standards is beyond the scope of this white paper. Further information can be found on the following sites. For more information about the H.323 standard and NetMeeting, see Part 3, Chapter 11, "Understanding the H.323 Standard," in the NetMeeting 3.0 Resource Kit at:
http://go.microsoft.com/fwlink/?LinkId=29185 For more information about the H.323 specification, see the Web sites of the International Telecommunication Union (ITU) and the International Multimedia Telecommunications Consortium (IMTC) at:
http://go.microsoft.com/fwlink/?LinkId=29510 http://www.imtc.org/ To learn more about the T.120 standard and NetMeeting, see Part 3, Chapter 10, "Understanding the T.120 Standard," in the NetMeeting 3.0 Resource Kit at:
http://go.microsoft.com/fwlink/?LinkId=29180 For more information about the T.120 architecture, see the International Multimedia Teleconferencing Consortium (IMTC) Web site at:
http://www.imtc.org/ (Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.)
NetMeeting Port Assignments

When you use NetMeeting to call other users over the Internet, several IP ports are required to establish the outbound connection. The following table describes the port numbers, their functions, and the resulting connection.
82
Port Assignments for NetMeeting

Port 389 522 1503 1720 1731 1024 through 65535 (dynamic) 1024 through 65535 (dynamic) Function Internet Locator Service (ILS) User Location Service (ULS) T.120 H.323 call setup Audio call control H.323 call control H.323 streaming Outbound Connection TCP TCP TCP TCP TCP TCP Real-Time Transfer Protocol (RTP) over User Datagram Protocol (UDP)
For more information about NetMeeting communication ports and firewall configuration topics, see Part 2, Chapter 4, "Firewall Configuration" in the NetMeeting 3.0 Resource Kit at: http://go.microsoft.com/fwlink/?LinkId=29199
Controlling NetMeeting to Limit the Flow of Information to and from the Internet
You can configure NetMeeting by using Group Policy objects (GPOs) on servers running Windows Server 2003. (You can also control the configuration of NetMeeting by using the NetMeeting Resource Kit. For more information, see "Alternate Methods for Controlling NetMeeting," later in this section.) This subsection includes information about the following topics: NetMeeting and Group Policy NetMeeting security NetMeeting and firewalls Establishing a NetMeeting connection with a firewall Firewall limitations for NetMeeting
NetMeeting and Group Policy

Group Policy can be used to define the default NetMeeting configuration settings that will be automatically applied to users and computers. These settings determine which NetMeeting features and capabilities are available to a particular group of users. The Group Policy configuration settings that are specific to NetMeeting are grouped into two different categories. These category groupings enable you to independently manage NetMeeting configuration settings for computers and users within your organization. Through the use of Group Policy you can enable, disable, or set configuration options for NetMeeting features or capabilities. For additional information about Group Policy, see Appendix B, "Learning About Group Policy and Updating Administrative Templates."
83
You can use Group Policy to manage the following NetMeeting configuration options for users in your organization: NetMeeting Group Policy settings for computers NetMeeting Group Policy settings for users
Configuring NetMeeting Settings for Computers Through Group Policy

You can use Group Policy to set the NetMeeting features and capabilities that are available to all users of the computers that are affected by the application of the NetMeeting Group Policy settings. For details about locating the Group Policy objects (GPOs) for NetMeeting, see "Procedures for Configuration of NetMeeting," later in this section. The NetMeeting policy setting that is specific to computers is as follows: Disable remote Desktop Sharing: You can use Group Policy to set remote desktop sharing choices in NetMeeting for all the users who are affected by the application of this policy setting.
For more information about how to use Group Policy to manage the NetMeeting computer settings, see "To Disable the NetMeeting Remote Desktop Sharing Feature Through Group Policy," later in this section. Note Computer-related Group Policy settings are applied when the operating system starts and during the periodic refresh cycle.
Configuring NetMeeting Settings Through Group Policy

You can use Group Policy to determine the NetMeeting features and capabilities that are available for a user or a group of users that are affected by the application of the NetMeeting Group Policy settings. These Group Policy configuration options include the policy settings for NetMeeting, application sharing, audio and video, and the options page. For more information about how to use Group Policy to manage the NetMeeting user settings, see Procedures for Configuration of NetMeeting," later in this section.
Configuring NetMeeting Settings for Users Through Group Policy

For details about locating the Group Policy objects for NetMeeting, see "Procedures for Configuration of NetMeeting," later in this section. You can use Group Policy to set configuration settings for the following NetMeeting features. Enable Automatic Configuration: Configures NetMeeting to download settings for users each time it starts. Disable Directory services: Disables the directory featureusers will not log on to a directory server when NetMeeting starts. Users will not be able to view or make calls using the NetMeeting directory.
84
Prevent adding Directory servers: Prevents the user from adding directory servers to the list of available directory servers they can use for placing calls. Prevent viewing Web directory: Prevents the user from viewing directories as Web pages in a browser. Set the intranet support Web page: Sets the Web address that NetMeeting will display when users choose the Online Support command from the NetMeeting Help menu. Set Call Security options: Sets the level of security for outgoing and incoming NetMeeting calls. Prevent changing Call placement method: Prevents the user from changing the way calls are placed, either directly or by means of a gatekeeper server. Prevent automatic acceptance of Calls: Prevents the user from turning on automatic acceptance of incoming calls. Allow persisting automatic acceptance of Calls: Sets automatic acceptance of incoming calls to be persistent. Prevent sending files: Prevents users from sending files to others in a conference. Prevent receiving files: Prevents users from receiving files from others in a conference. Limit the size of sent files: Sets the maximum file size that can be sent to others in a conference. Disable Chat: Disables the chat feature of NetMeeting. Disable NetMeeting 2.x Whiteboard: Disables the NetMeeting 2.x Whiteboard feature. (The 2.x feature provides compatibility with earlier versions of NetMeeting only.) Disable Whiteboard: Disables the whiteboard feature of NetMeeting.
Configuring NetMeeting Application Sharing Settings Through Group Policy

For details about locating the Group Policy objects (GPOs) for NetMeeting, see "Procedures for Configuration of NetMeeting," later in this section. You can use Group Policy to set configuration settings for the following elements of the NetMeeting Application Sharing feature. Disable application Sharing: Disables the NetMeeting application sharing feature completely. Users will not be able to host or view shared applications. Prevent Sharing: Prevents users from sharing anything themselves. They will still be able to view shared applications or desktops from others. Prevent Desktop Sharing: Prevents users from sharing their Windows desktop. They will still be able to share individual applications. Prevent Sharing Command Prompts: Prevents the user from sharing command prompts. Enabling this prevents the user from inadvertently sharing applications, since command prompts can be used to start other applications. Prevent Sharing Explorer windows: Prevents the user from sharing Windows Explorer windows. Enabling this prevents the user from inadvertently sharing
85
applications, since Windows Explorer windows can be used to start other applications. Prevent Control: Prevents users from allowing others in a conference to control what they have shared. Enabling this enforces a read-only mode whereby the other participants cannot change the data in the shared application. Prevent Application Sharing in true color: Prevents users from sharing applications in true color, which uses more bandwidth.
Configuring NetMeeting Audio and Video Settings Through Group Policy

For details about locating the Group Policy objects (GPOs) for NetMeeting, see "Procedures for Configuration of NetMeeting," later in this section. You can use Group Policy to set configuration settings for the following audio and video elements in NetMeeting. Limit the bandwidth of Audio and Video: Configures the maximum bandwidth, specified in kilobytes per second, to be used for audio and video. Disable Audio: Disables the audio feature of NetMeeting. Users will not be able to send or receive audio. Disable full duplex Audio: Disables the full duplex audio mode. Users will not be able to listen to incoming audio while speaking into the microphone. Older audio hardware may not perform well when full duplex audio is enabled. Prevent changing DirectSound Audio setting: Prevents the user from changing the DirectSound audio setting. DirectSound has better audio quality, but earlier audio hardware may not support DirectSound. Prevent sending Video: Prevents the user from sending video. Setting this option does not prevent the user from receiving video. Prevent receiving Video: Prevents the user from receiving video. Setting this option does not prevent the user from sending video.
Configuring NetMeeting Options Settings Through Group Policy

For details about locating the Group Policy objects (GPOs) for NetMeeting, see "Procedures for Configuration of NetMeeting," later in this section. You can use Group Policy to set configuration settings for the following elements of the NetMeeting Options page. To view this page, in NetMeeting, click Tools and then click Options. Hide the General page: Removes the General tab on the NetMeeting Options page. Disable the Advanced Calling button: Disables the Advanced Calling button from the General page. Hide the Security page: Removes the Security tab on the NetMeeting Options page. Hide the Audio page: Removes the Audio tab on the NetMeeting Options page. Hide the Video page: Removes the Video tab on the NetMeeting Options page.
86
Note User-related Group Policy settings are applied when a user logs on to the computer and during the periodic refresh cycle.
To learn about specific Group Policy settings that can be applied to computers running Windows XP, see the Group Policy Settings Reference on the Microsoft Web site at: http://go.microsoft.com/fwlink/?LinkId=29911
NetMeeting Security
The NetMeeting security architecture for data conferencing takes advantage of the existing, standards-compliant security features of Windows XP with SP2 and Microsoft Internet Explorer. The NetMeeting security architecture utilizes a 40-bit encryption technology and has the following security features. Password protection: This feature enables the user to create or participate in a meeting that requires a password to join. Password protection helps to ensure that only authorized users participate in a password-protected meeting. A password is also required to use the remote desktop sharing feature. User authentication: This feature provides a way to verify the identity of a caller or meeting participant using a certificate. Data encryption: This feature helps to protect data exchanged during a meeting so that it is not easily read by any unauthorized parties that may intercept the data. The 40-bit data encryption applies to the whiteboard and chat features, shared applications, and transferred files. Audio and video communications are not encrypted.
NetMeeting security features integrate with security in Windows XP with SP2 and Internet Explorer in a variety of ways, including the following: NetMeeting uses the NetMeeting private certificate store to provide personal certificates for user authentication and data encryption. NetMeeting uses the Windows certificate store to maintain NetMeeting certificates. NetMeeting uses Security Support Provider Interface (SSPI) functions to generate and process security tokens.
These security features can be implemented by an administrator or a NetMeeting user. Using the NetMeeting Resource Kit Wizard or Group Policy in NetMeeting, the administrator can enforce security settings that apply to all users. If allowed by the administrator, NetMeeting users can also select their own security settings in the NetMeeting user interface (UI) and change security settings for individual calls. You can use the following sources to learn more about NetMeeting configuration and security topics. For more information about the NetMeeting Resource Kit Wizard, see Part 2, Chapter 2, "Resource Kit Wizard" in the NetMeeting 3.0 Resource Kit at:
87
For more information about the security features available in NetMeeting, see Part 2, Chapter 5, NetMeeting Security in the NetMeeting 3.0 Resource Kit at:
NetMeeting and Firewalls

You can configure firewall components in a variety of ways, depending on your organization's specific security policies and overall operations. While most firewalls are capable of allowing primary (initial) and secondary (subsequent) Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections, it is possible that they are configured to support only specific connections based on security considerations. For example, some firewalls support only primary TCP connections, which some professionals view as the most reliable. For NetMeeting multipoint data conferencingprogram sharing, whiteboard, chat, file transfer, and directory accessyour firewall only needs to pass through primary TCP connections on assigned ports. NetMeeting audio and video features require secondary TCP and UDP connections on dynamically assigned ports. Note NetMeeting audio and video features require secondary TCP and UDP connections. Therefore, when you establish connections through firewalls that accept only primary TCP connections, you are not able to use the audio or video features of NetMeeting. Detailed firewall configuration procedures for NetMeeting are beyond the scope of this white paper. For more information about NetMeeting firewall connections, see Part 2, Chapter 4, "Firewall Configuration" in the NetMeeting 3.0 Resource Kit, particularly the section titled, "Establishing a NetMeeting Connection with a Firewall" at: http://go.microsoft.com/fwlink/?LinkId=29199 Microsoft NetMeeting can be configured to work with an organizations existing firewall security. Because of limitations in most firewall technology, however, few products are available that enable you to securely transport inbound and outbound NetMeeting calls containing audio, video, and data across a firewall. You should consider carefully the relative security risks of enabling different parts of a NetMeeting call in your firewall product. You must especially consider the security risks involved when modifying your firewall configuration to enable any component of an inbound NetMeeting call. Some organizations have security or policy concerns that require them to limit how fully they support NetMeeting in their firewall configuration. These concerns are based on network capacity planning or weaknesses in the firewall technology being used. For example, security concerns might prohibit an organization from accepting any inbound or outbound flow of UDP data through the firewall. Because these UDP connections are required for NetMeeting audio and video features, disabling this function excludes audio and video features in NetMeeting for calls through the firewall. The organization can still use NetMeeting data conferencing features such as program sharing, file transfer, whiteboard, and chat for calls through the firewall by allowing only TCP connections on ports 522 and 1503. For more information about NetMeeting firewall security, see the section titled "Security and Policy Concerns," in the chapter of the NetMeeting Resource Kit from the previous link (scroll through the chapter until you find the section).
88
Establishing a NetMeeting Connection with a Firewall

When you use NetMeeting to call other users over the Internet, several IP ports are required to establish the outbound connection. If you use a firewall to connect to the Internet, it must be configured so that the following IP ports are not blocked: TCP ports 389, 522, 1503, 1720, and 1731 TCP and UDP ports (1024 through 65535)
To establish outbound NetMeeting connections through a firewall, the firewall must be configured to do the following: Pass through primary TCP connections on ports 389, 522, 1503, 1720, and 1731. Pass through secondary TCP and UDP connections on dynamically assigned ports (1024 through 65535).
The H.323 call setup protocol dynamically negotiates a TCP port for use by the H.323 call control protocol. Also, both the audio call control protocol and the H.323 call setup protocol dynamically negotiate UDP ports for use by the H.323 streaming protocol, the Real-Time Transfer Protocol (RTP). In NetMeeting, two UDP ports are designated on each side of the firewall for audio and video streaming, for a total of four ports for inbound and outbound audio and video. These dynamically negotiated ports are selected arbitrarily from all ports that can be assigned dynamically. NetMeeting directory services require either port 389 or port 522, depending on the type of server you are using. The Microsoft Internet Locator Service (ILS), which supports LDAP for NetMeeting, requires port 389. The Microsoft User Location Service (ULS), developed for NetMeeting 1.0, requires port 522.
Firewall Limitations for NetMeeting

Some firewalls cannot support an arbitrary number of virtual internal IP addresses, or cannot do so dynamically. With these firewalls, you can establish outbound NetMeeting connections from computers inside the firewall to computers outside the firewall, and you can use the audio and video features of NetMeeting. Users outside the organization cannot, however, establish inbound connections from outside the firewall to computers inside the firewall. Typically, this restriction is due to limitations in the network implementation of the firewall. Note Some firewalls are capable of accepting only certain protocols and cannot handle TCP connections. For example, if your firewall is a Web proxy server with no generic connection-handling mechanism, you will not be able to use NetMeeting through the firewall. You can use the following sources to learn more about NetMeeting configuration and firewall topics. For more information about NetMeeting firewall connections, see Part 2, Chapter 4, "Firewall Configuration" in the NetMeeting 3.0 Resource Kit, particularly the section titled "Establishing a NetMeeting Connection with a Firewall" at:
89
For more information about using NetMeeting and your firewall, see article 158623, "How to Establish NetMeeting Connections through a Firewall" in the Microsoft Knowledge Base at:
Alternate Methods for Controlling NetMeeting

You can create customized installation options for specific users or groups within your organization by using the NetMeeting Resource Kit Wizard. Additionally, you can use the NetMeeting Resource Kit Wizard to control user and computer access rights by creating custom configurations of client settings and specific features that you have selected to restrict or allow. For example, you can control audio and video access, set data throughput limits and network speeds, and choose to display online support. The Resource Kit Wizard can also help you set up various configurations of NetMeeting for different types of users and different levels of security. It can help you save network bandwidth by restricting specific features. You can also use the Resource Kit Wizard both to change registry settings for all NetMeeting users and to implement such changes globally. Note By selecting certain options in the Resource Kit Wizard, be aware that you may be changing the NetMeeting user interface. For example, if you click Restrict the Use of Video, the Video tab does not appear in the NetMeeting user's Options dialog box. Part 4 of the Resource Kit for NetMeeting has an appendix that provides detailed information about responding to NetMeeting problems, including problem descriptions, causes, and resolutions. For more information about the NetMeeting 3.0 Resource Kit, see the Microsoft TechNet Web site at: http://go.microsoft.com/fwlink/?LinkId=29204
Procedures for Configuration of NetMeeting

NetMeeting is designed to enhance the enterprise environment and enable users to communicate internally and externally with other NetMeeting users. You can use Group Policy to develop a NetMeeting feature management policy to support the specific business rules or communication policies that exist within your organization. For example, your organization may not want users to be able to access or use the NetMeeting chat feature from their computers. By using Active Directory and Group Policy, you can disable the chat feature from any or all computers that are affected by the application of the Group Policy configuration settings. For lists of Group Policy settings that you can use to manage NetMeeting configuration options, see "NetMeeting and Group Policy," earlier in this section.
Procedures for Managing NetMeeting Features Through Group Policy

This subsection provides procedures for the following configuration methods: Locating the Group Policy objects (GPOs) for NetMeeting configuration settings. These are the settings listed in "NetMeeting and Group Policy," earlier in this section.
90
Disabling the NetMeeting remote desktop sharing feature. This prevents users from using this feature. Disabling the NetMeeting advanced calling feature. Disabling the NetMeeting chat feature.
To Locate the Group Policy Objects (GPOs) for NetMeeting User Configuration Settings
1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO. 2. Click User Configuration, click Administrative Templates, click Windows Components, and then click NetMeeting. 3. View the Group Policy objects that are available. For more information about these objects, see "NetMeeting and Group Policy," earlier in this section.
To Disable the NetMeeting Remote Desktop Sharing Feature Through Group Policy
Use the following steps to configure the Group Policy setting to prevent users from using the NetMeeting remote desktop sharing feature. 1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click Windows Components, and then click NetMeeting. 3. In the details pane, double-click Disable remote Desktop Sharing. 4. Click Enabled. Note Computer-related Group Policy settings are applied when the operating system is initialized and during the periodic refresh cycle.
To Disable the NetMeeting Advanced Calling Feature Through Group Policy

Use the following steps to configure the Group Policy setting to disable the advanced calling feature on the NetMeeting options page. 1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO. 2. Click User Configuration, click Administrative Templates, click Windows Components, click NetMeeting, and then click Options Page. 3. In the details pane, double-click Disable the Advanced Calling button, and then click Enabled.
To Disable the NetMeeting Chat Feature Through Group Policy
91
Use the following steps to configure the Group Policy setting to prevent the use of the NetMeeting Chat feature. 1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO. 2. Click User Configuration, click Administrative Templates, click Windows Components, and then click NetMeeting. 3. In the details pane, double-click Disable Chat, and then click Enabled.
Related Links
Web Resources
For more information about using NetMeeting and your firewall, see article 158623, "How to Establish NetMeeting Connections through a Firewall," in the Microsoft Knowledge Base at:
http://go.microsoft.com/fwlink/?LinkId=29206 For more information about NetMeeting, see Windows NetMeeting on the Microsoft Web site at:
http://www.microsoft.com/windows/NetMeeting/ For more information about configuring NetMeeting, see the Windows NetMeeting Resource Kit on the Microsoft Web site at:
http://go.microsoft.com/fwlink/?LinkId=29515 To learn more about NetMeeting features, see the Microsoft Web site at:
http://go.microsoft.com/fwlink/?LinkId=29175 To view articles that explain how to use some of the features in NetMeeting, see the Microsoft NetMeeting How-to Guide on Microsoft Web site at:
http://go.microsoft.com/fwlink/?LinkId=29207 For more information about the H.323 specification, search for H.323 on the ITU-T Web site at:
http://go.microsoft.com/fwlink/?LinkId=29510 For more information about the T.120 architecture, see the International Multimedia Teleconferencing Consortium (IMTC) Web site at:
http://www.imtc.org/ (Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.)
Printed References
For more information about firewall design, policy, and security considerations for firewall design in general, you can consult the following reference.
92
Chapman, D. Brent and Elizabeth D. Zwicky. Building Internet Firewalls. O'Reilly & Associates, Inc., 1995.
93
Outlook Express 6
This section provides: A description of Microsoft Outlook Express 6 in Windows XP Professional with Service Pack 2 (SP2). This section also provides a comparison of Outlook and Outlook Express. Descriptions of new security-related features in Outlook Express 6 in Windows XP Professional with SP2 (as compared to Outlook Express 5), with information about how these new features are configured at the desktop. Information about removing all visible entry points to Outlook Express in Windows XP with SP2, for situations where you want users to use another e-mail client exclusively. There are several ways to do this: During unattended installation, with an answer file. After installation, by using the Sysocmgr command with an answer file. Through Add or Remove Programs in Control Panel. With Set Program Access and Defaults, which is available from the Start menu. With this dialog box, the administrator of a computer running Windows XP Professional with SP2 can specify which e-mail program is shown on the Start menu, desktop, and other locations. Information about controlling Outlook Express 6 through Group Policy to limit the risk associated with e-mail attachments. The Group Policy setting that you use for this is Block attachments that could contain a virus.
Notes This section of the white paper describes Outlook Express 6 in Windows XP Professional with SP2, but does not describe related components such as Internet Explorer 6, the New Connection Wizard, or the tool that can report errors that occur in Outlook Express. For information about these components, see the respective sections of this white paper (the error reporting tool is described in "Windows Error Reporting"). Also note that the New Connection Wizard replaces the Network Connection Wizard and the Internet Connection Wizard in Windows 2000. It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization where users send and receive e-mail messages, open attachments in e-mail messages, and perform similar actions. This section, however, provides information about features and configuration methods in Outlook Express 6 that can reduce the inherent risks associated with sending and receiving e-mail messages. For more information about Outlook Express, see the following resources: Help for Outlook Express (which can be accessed in Outlook Express by clicking the Help menu and then selecting an appropriate option). The section about Internet Explorer 6 in this white paper, which describes security zones in Internet Explorer 6. These security zones are also used in Outlook Express 6. The Internet Explorer page on the Microsoft Web site at:
94
http://www.microsoft.com/windows/ie/ The Resource Kit for Internet Explorer (specifically, the chapter describing whats new in Internet Explorer 6). To learn about this and other Resource Kits, see the Microsoft TechNet Web site at:
Benefits and Purposes of Outlook Express 6

Outlook Express 6 is designed to make it easy to send or receive e-mail messages and to browse or participate in newsgroups. It differs from many of the other components described in this white paper in that its main function is to communicate through the Internet or an intranet (in contrast to components that communicate with the Internet in the process of supporting some other activity). Outlook Express is part of Windows XP, in contrast to Microsoft Outlook, which is an application included in Microsoft Office. Outlook provides comprehensive e-mail capabilities, including information management and collaboration capabilities, useful to a wide spectrum of users from home to small business to large enterprise. Outlook Express, part of Windows XP, offers standard Internet e-mail and news access, useful to many home and small-business users. Outlook Express supports Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), and Network News Transfer Protocol (NNTP). Outlook Express 6 offers more security-related options and settings than were available in Outlook Express 5. The following subsections describe the new options and ways of configuring them, as well as outlining methods for removing all visible entry points to Outlook Express in Windows XP with SP2 (for situations where you want users to use another e-mail client exclusively).
New Security-Related Features in Outlook Express 6

The version of Outlook Express 6 in Windows XP Professional with SP2 includes additional security-related features as compared to earlier versions of Outlook Express including Outlook Express 5. The following list describes these features. The table that follows this list shows how each option is configured in Outlook Express. Warning about harmful e-mail. To prevent e-mail messages from being sent without a users knowledge, Outlook Express warns the user when other programs, such as viruses or harmful attachments, attempt to send messages from the users computer. This warning appears only if Outlook Express is configured as the default simple MAPI client, and another program attempts to use simple MAPI to programmatically send e-mail messages without presenting a visible user interface on the computer. Blocking of potentially harmful attachments. If this option is enabled, Outlook Express 6 blocks the opening or saving of specific e-mail attachments that are considered "unsafe." To determine whether an attachment is unsafe, Outlook Express 6 uses a new service in Windows XP with SP2, the Attachment Manager. The Attachment Manager gives each attachment a risk rating based on the extension, content type, registered handlers, and other heuristics. By using Group Policy, you can customize some aspects of Attachment Manager, such as the lists of high, medium, and low risk files.
95
In addition, the prompts that are used for mail attachments, file downloads, shell process execution, and program installation have been modified to be both more consistent and clearer than they were in Windows XP Service Pack 1 (SP1). Blocking of potentially harmful attachments can be enabled or disabled through Group Policy as well as at the local computer. For more information about using this setting, see the table that follows and "To Locate the Group Policy Object (GPO) for Blocking E-mail Attachments in Outlook Express 6," later in this section. For more information about Attachment Manager and other changes that make the version of Outlook Express in Windows XP with SP2 more resistant than previous versions, see Changes to Functionality in Microsoft Windows XP Service Pack 2 on the Microsoft TechNet Web site at: http://go.microsoft.com/fwlink/?LinkId=30566 To learn about Group Policy settings with which you can adjust Attachment Manager, in Group Policy, go to User Configuration\Administrative Templates\Windows Components\Attachment Manager. For a detailed explanation of a setting, select the setting and click the Extended tab, or open the setting and click the Explain tab. Plain text format option for reading of e-mail. Starting with Outlook Express 6.0 in Windows XP with Service Pack 1, Outlook Express can be configured to read all e-mail messages in plain text format. Some HTML e-mail messages may not appear correctly in plain text, but no active content in the e-mail message is run when this setting is enabled. Blocking of downloads of external content (to help limit spam). If this option is enabled, Outlook Express 6 will not contact an external Web server when an e-mail contains a reference to an image that resides on that external Web server. Businesses that use spam sometimes incorporate such external references for the purpose of validating e-mail addresses that they use, after which they send repeated e-mails to the validated addresses. The image involved might be a single pixel image that is not visible to the e-mail recipient, who is unaware that his or her e-mail address has been validated. This option can be enabled or disabled at the local computer. For more information about using this setting, see the table that follows and "To Start Outlook Express 6 and View or Configure Security Settings," later in this section.
This option is new in the version of Outlook Express in Windows XP with SP2. For more details about other changes that make this version of Outlook Express more resistant than previous versions, see the Changes to Functionality in Microsoft Windows XP Service Pack 2 on the Microsoft TechNet Web site at: http://go.microsoft.com/fwlink/?LinkId=30566 The following table shows how each option is configured in Outlook Express 6. Options for Configuring Outlook Express 6
Option to Configure in Outlook Express 6 Warning about harmful e-mail Blocking of potentially harmful attachments (also configurable through Group Policy) Blocking of the downloading of images and other external content in HTML e-mail (this helps limit spam) Menu to Click Tools Tools Menu Item to Click Options Options
Tab to Click Security Security
Tools
Options
Security
96
Plain text format option for reading of all e-mail
Tools
Options
Read (in Outlook Express 6 in Windows XP with SP1 and later service packs only)
Overview: Using Outlook Express 6 in a Managed Environment

Although there are inherent risks associated with sending and receiving e-mail (and e-mail attachments), you can use several different features and configuration methods in Outlook Express 6 to reduce the risks: You can use the graphical user interface to configure the security-related features in Outlook Express 6. For more information, see "New Security-Related Features in Outlook Express 6," earlier in this section and "To Start Outlook Express 6 and View or Configure Security Settings," later in this section. You can ensure that all visible entry points to Outlook Express in Windows XP with SP2 are removed (for situations where you want users to use another e-mail client exclusively). For more information, see "Removing Visible Entry Points to Outlook Express During or After Deployment" and "Procedures for Working with Outlook Express 6," later in this section. You can use a Group Policy setting, Block attachments that could contain a virus, to limit the risk associated with e-mail attachments in Outlook Express 6. For more information, see "To Locate the Group Policy Object (GPO) for Blocking E-mail Attachments in Outlook Express 6," later in this section.
Removing Visible Entry Points to Outlook Express During or After Deployment

For situations where you want users to always use an e-mail client other than Outlook Express 6, you can remove all visible entry points to Outlook Express in Windows XP with SP2. One way to do this is during workstation deployment by using standard methods for unattended installations or remote installations. If you are using an answer file, the entry is as follows: [Components] OEAccess = Off You can also use a command line to remove all visible entry points to Outlook Express from a workstation after deployment. To do this, use the Sysocmgr command with Sysoc.inf (included in the operating system), along with an answer file containing the preceding entries. For more information about Sysocmgr, see the following pages on the Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=31023 http://go.microsoft.com/fwlink/?LinkId=31120 For complete details about how the OEAccess entry works, see the resources listed in Appendix A, "Resources for Learning About Automated Installation and Deployment." Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).
97
For information about using Set Program Access and Defaults to specify which e-mail program is shown on the Start menu, desktop, and other locations, and about using Control Panel to remove all visible entry points to Outlook Express on an individual computer, see the next section, Procedures for Working with Outlook Express 6.
Procedures for Working with Outlook Express 6

This subsection provides procedures for the following: Opening the dialog box from which you can configure security settings for Outlook Express 6. Locating the Group Policy setting, Block attachments that could contain a virus.
You can use this Group Policy setting in situations where you want Outlook Express 6 to be available for users but where you want to limit the risk associated with e-mail attachments. For more information about this policy setting, see "New Security-Related Features in Outlook Express 6," earlier in this section. Specifying which e-mail program is shown on the Start menu, desktop, and other locations on a computer running Windows XP with SP2. You can do this through Set Program Access and Defaults on the Start menu. Removing visible entry points to Outlook Express on an individual computer running Windows XP with SP2 by using Control Panel. Removing visible entry points to Outlook Express during or after deployment of Windows XP with SP2 by using an answer file.
To Start Outlook Express 6 and View or Configure Security Settings

1. Click Start, point to All Programs or Programs, and then click Outlook Express. 2. On the Tools menu, click Options. 3. Click the Security tab and view or configure the settings, including the check boxes for the following options: Warn me when other applications try to send mail as me. Do not allow attachments to be saved or opened that could potentially be a virus. Block images and other external content in HTML e-mail.
You can also view or configure the security zones setting. Outlook Express 6 uses two of the same security zones that you configure in Internet Explorer 6. For more information about security zones, see the section about Internet Explorer 6 in this white paper. 4. Click the Read tab, and view or configure the settings, including the check box for Read all messages in plain text..
To Locate the Group Policy Setting for Blocking E-mail Attachments in Outlook Express 6
1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.
98
2. Click User Configuration, click Administrative Templates, click Windows Components, and then click Internet Explorer. 3. In the details pane, double-click Configure Outlook Express. 4. If you enable this policy, you can select or clear the check box for Block attachments that could contain a virus.
To Specify Which E-mail Program is Shown on the Start Menu, Desktop, and Other Locations on a Computer Running Windows XP with SP2
To perform the following procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. 1. Click Start and then click Set Program Access and Defaults. 2. Click the Custom button. Note Alternatively, you can click the Non-Microsoft button, which will not only remove visible entry points to Outlook Express, but also to Internet Explorer, Windows Media Player, and Windows Messenger. If you do this, skip the remaining steps of this procedure. 3. To disable access to Outlook Express on this computer, to the right of Outlook Express, clear the check box for Enable access to this program. 4. If you want a different default e-mail program to be available to users of this computer, select the e-mail program from the options available. Note For the last step, if your program does not appear by name, contact the vendor of that program for information about how to configure it as the default. Also, for related information about registry entries that are used to designate that a program is a browser, e-mail, media playback, or instant messaging program, see Registering Programs with Client Types on the MSDN Web site at: http://go.microsoft.com/fwlink/?LinkId=29306 For more information about Set Program Access and Defaults, see article 328326, How to Use the Set Program Access and Defaults Feature in Windows XP Service Pack 1, in the Microsoft Knowledge Base at: http://go.microsoft.com/fwlink/?LinkId=29309
To Remove Visible Entry Points to Outlook Express on an Individual Computer by Using Control Panel
1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel. 2. Double-click Add or Remove Programs. 3. Click Add/Remove Windows Components (on the left). 4. Scroll down the list of components to Outlook Express, and make sure the check box for that component is cleared.
99
5. Follow the instructions to complete the Windows Components Wizard.
To Remove Visible Entry Points to Outlook Express During or After Deployment by Using an Answer File
1. Using the methods you prefer for unattended installation, remote installation, or the Sysocmgr command, create an answer file. For more information about unattended and remote installation, see Appendix A, "Resources for Learning about Automated Installation and Deployment." For more information about Sysocmgr, see the following pages on the Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=31023 http://go.microsoft.com/fwlink/?LinkId=31120 2. In the [Components] section of the answer file, include the following entry: OEAccess = Off For complete details about how the OEAccess entry works, see the resources listed in Appendix A, "Resources for Learning About Automated Installation and Deployment." Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).
Related Links
For more details about changes in the version of Outlook Express in Windows XP with SP2, see Changes to Functionality in Microsoft Windows XP Service Pack 2 on the Microsoft TechNet Web site at:
http://go.microsoft.com/fwlink/?LinkId=30566 For more information about security zones in Internet Explorer 6 (zones also used in Outlook Express 6), see the section about Internet Explorer 6 in this white paper. For information about registry entries that are used to designate that a program is a browser, e-mail, media playback, or instant messaging program, see Registering Programs with Client Types on the MSDN Web site at:
http://go.microsoft.com/fwlink/?LinkId=29306 For more information about Set Program Access and Defaults, see article 328326 How To Use the Set Program Access and Defaults Feature in Windows XP Service Pack 1, in the Microsoft Knowledge Base at:
100
Plug and Play

This section provides information about: The benefits of Plug and Play How Plug and Play communicates with sites on the Internet How to control Plug and Play to prevent the flow of information to and from the Internet
Benefits and Purposes of Plug and Play

Windows Plug and Play provides ease of support for installing devices on computers in your network. You can simply plug in a Plug and Play device and Windows does the rest by searching locally for the driver and prompting to find out whether to also search Windows Update, installing the driver, updating the system, and allocating resources. After you install a Plug and Play device, the driver is configured and loaded dynamically, typically without requiring user input. Plug and Play in Microsoft Windows XP Professional with Service Pack 2 (SP2) provides the following functionality: Detects a Plug and Play device and determines its hardware resource requirements and device identification number (Plug and Play ID). Locates an appropriate device driver for newly installed devices. Allocates hardware resources. Dynamically loads, initializes, and unloads drivers. Notifies other drivers and applications when a new device is available. In conjunction with power management, handles stop and start processes for devices during hibernation, standby, and startup and shutdown operations. Supports a wide range of device types.
In order to install devices using the hardware wizards, you must be logged on as an administrator or a member of the Administrators group. You can then use the hardware wizards, such as the Hardware Update Wizard, to search the Windows Update site for device drivers. All drivers obtained through Windows Update are signed by Windows Hardware Quality Labs (WHQL). The WHQL provides compatibility testing services to test hardware and drivers for Windows operating systems. Note Some buses, such as Peripheral Component Interconnect (PCI) and universal serial bus (USB), take full advantage of Plug and Play. Older buses, such as Industry Standard Architecture (ISA), do not take full advantage of Plug and Play, and require more user interaction to ensure that devices are correctly installed. The Windows Update site is located at: http://windowsupdate.microsoft.com/
101
Overview: Using Plug and Play in a Managed Environment

The Plug and Play feature is built into Windows XP and is always available. When a person who is logged on as an administrator installs a Plug and Play device, Windows XP first searches locally for an appropriate device driver. If the computer is connected to the Internet, Windows XP with SP2 prompts the person to find out whether to also search Windows Update for the latest device driver. As an IT administrator in a highly managed network environment, you may want to control whether Windows XP with SP2 will search the Windows Update Web site for the latest device driver, and if so, whether the person installing or updating the device will be prompted before the Internet search begins. You can control these things through Group Policy. There are also policy settings you can use to disable any access to Windows Update. If you do prevent access to Windows Update, there is the option for manually downloading the updates from the Windows Update Catalog, whereby they can be distributed on your organization's network as needed. Using Group Policy to disable access to Windows Update, and to configure driver search locations, is described in "Controlling Automatic Device Updating to Prevent the Flow of Information to and from the Internet, later in this section.
How Plug and Play Communicates with Sites on the Internet

When a person logged on as an administrator installs new hardware, or updates the driver for existing hardware, Windows XP with SP2 will by default display a prompt to find out whether to search Windows Update for the latest device driver. If the person installing or updating the device consents to the Internet search, the interaction takes place as follows: Specific information sent or received: The Code Download Manager (CDM) calls Windows Update to find and download device drivers. The CDM also calls Help and Support Center, which logs Plug and Play IDs for devices that Microsoft does not have drivers for. Neither of these communications is under the direct control of Plug and Play. The CDM handles all of the communication between the computer and Windows Update. None of the communication between the computer and the Internet uniquely identifies the user. Default setting: Plug and Play is always available, and by default will prompt the person installing a device to find out whether to search the Windows Update Web site for the latest device driver. Trigger and user notification: When an administrator adds hardware or updates a driver on a computer, and the computer is connected to the Internet, by default, Windows XP with SP2 prompts to find out whether to search Windows Update for driver updates. The search is conducted if the administrator consents. Logging: If you use a Plug and Play driver with a device that is not Plug and Play, any associated issues or problems are recorded in the event log. Encryption: Data transfer is based on interaction with Windows Update. The data is transferred using HTTPS. Transmission protocol and ports: The transmission protocols and ports are HTTP 80 and HTTPS 443.
102
Ability to disable: Plug and Play cannot be disabled, because system instability would result. You can disable access to Windows Update using Group Policy.
Controlling Automatic Device Updating to Prevent the Flow of Information to and from the Internet
Windows will automatically update device drivers using Plug and Play, and it will even search for compatible drivers for devices that are not Plug and Play. You therefore may want to exercise various levels of control over the ability of someone who logs on to a client computer as an administrator to install new hardware and to update hardware devices and drivers. You can use Group Policy to: Control whether Windows Update is included when Plug and Play searches for a device driver.
This procedure is presented in the next subsection. Suppress the prompt that by default is displayed before Plug and Play begins searching the Windows Update Web site for a device driver. This setting only has an effect if you also use a setting to specify that Plug and Play will search the Windows Update Web site for device drivers.
This procedure is presented in the next subsection. Turn off all access to Windows Update.
If you turn off all access to Windows Update, it also means Plug and Play cannot search Windows Update. For more information about controlling access to Windows Update and for alternative approaches to updating such as Software Update Services, see the Windows Update and Automatic Updates section in this white paper.
Procedure for Controlling where Plug and Play Searches for Drivers
When you install new hardware, Windows XP can potentially search four different locations for drivers in the following order: the hard drive, the floppy drive, the CD drive, and Windows Update. The default approach for Windows XP with SP2 is to search the first three locations, and then prompt you to find out whether to also search Windows Update. However, you can configure the driver search locations to remove selected locations. This subsection includes procedures for configuring the following Group Policy settings: A setting that controls where Plug and Play searches for device drivers. A setting that specifically controls whether Plug and Play searches Windows Update for drivers. This setting is one in a collection of settings that control how various components communicate with the Internet, A setting that suppresses the prompt that by default is displayed before Plug and Play begins searching the Windows Update Web site for a device driver. This setting only has an effect if you also use a setting to specify that Plug and Play will search the Windows Update Web site for device drivers.
103
For additional procedures to configure policy settings for Windows Update, see the section "Windows Update and Automatic Updates" in this white paper.
To Specify Driver Search Locations for Plug and Play Devices

1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO. 2. Click User Configuration, click Administrative Templates, and then click System. 3. In the details pane, double-click Configure driver search locations, and then click Enabled. 4. Select or clear check boxes to prevent or allow searching of floppy disk drives, CD-ROM drives, or Windows Update.
To Disable Windows Update as a Driver Search Location

1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings. 3. In the details pane, double-click Turn off Windows Update device driver searching, and then click Enabled. Important You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."
To Suppress the Prompt That is Displayed Before Windows Update is Searched for a Device Driver
1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, click Computer Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, click User Configuration. 3. Click Administrative Templates and then click System. 4. In the details pane, double-click Turn off Windows Update device driver search prompt, and then click Enabled. This setting only has an effect if you also use a setting to specify that Plug and Play will search the Windows Update Web site for device drivers.
104
Related Links
For more information about Windows Update, see the Windows Update Web site at: http://windowsupdate.microsoft.com/
105
Program Compatibility Wizard

This section provides information about: The benefits of the Program Compatibility Wizard. How the Program Compatibility Wizard communicates with sites on the Internet. How to control the Program Compatibility Wizard to prevent the flow of information to the Internet. How to obtain the Application Compatibility Toolkit. You can use the toolkit to improve the user experience with incompatible applications.
Benefits and Purposes of the Program Compatibility Wizard

There are some applications that work on earlier versions of Windows that might fail to function properly on Microsoft Windows XP Professional with Service Pack 2 (SP2). This can happen for several reasonsan application may expect older formats of Windows data, may expect user information to be in specific locations or formats, or may not be designed for the tighter security implemented in Windows XP SP2. In addition, applications written exclusively for Windows 95, Windows 98, or Windows Millennium Edition may use direct hardware access, which can greatly reduce operating system stability. Because of its Windows NT heritage, Windows XP with SP2 requires that hardware access be handled through the correct channels. To enable a better user experience, Microsoft has integrated technologies for application compatibility into Windows XP. These technologies are applied whenever an application is installed on the operating system, whether in the course of a system upgrade or during regular operations. Some of these technologies work automatically to apply compatibility fixes, while others can be selected by users or administrators. This section describes the Program Compatibility Wizard, which can be used to make setting adjustments for an incompatible application and run the application successfully. This section also provides a description of the Application Compatibility Toolkit, which you can use to locate and address compatibility problems. For example, with one of the tools, you can create custom messages that notify users of the problems with an incompatible application and redirect users to your intranet site.
Overview: Using the Program Compatibility Wizard in a Managed Environment

IT administrators who want to get an application to work quickly, without addressing compatibility for the application throughout the organization, may choose to use the Program Compatibility Wizard. You can use the wizard in situations where you want to determine quickly whether the prepackaged compatibility fixes can resolve problems you encounter, particularly if you are working on a computer where the Application Compatibility Toolkit is not installed. For more information about the Application Compatibility Toolkit, see Using the Application Compatibility Toolkit to Improve the User Experience with Incompatible Applications, later in this section.
106
One of the most difficult tasks in network administration is monitoring and controlling which applications users install on their computers. When users try to install an incompatible application, they may choose to run the Program Compatibility Wizard. In Windows XP, users can access the Program Compatibility Wizard by default through Start\Programs\Accessories or Start\All Programs\Accessories. The wizard asks users if they want to send files that contain "information about the settings you selected and whether the problems were fixed." Users can then choose to send this information to Microsoft. Note As an alternative to running the Program Compatibility Wizard, users can set the compatibility properties for an application manually through the Compatibility tab of a programs Properties sheet. To do this, right-click the program icon, click Properties, click Compatibility, and then change the compatibility settings for your application. You can use Group Policy to control where data collected by the Program Compatibility Wizard is sent. You can prevent data transfer to the Internet by using Group Policy settings related to error reporting and you can have data from the wizard sent to a server on your intranet instead of to Microsoft. For more information about these procedures, see the section of this white paper titled "Windows Error Reporting."
How the Program Compatibility Wizard Communicates with Sites on the Internet
Although you can control information sent by the Program Compatibility Wizard, it is designed to communicate over the Internet to expedite problem solving. This subsection lists details of the communication process: Specific information sent or received: The results of the Program Compatibility Wizard data, including settings and problems that were encountered with the application being installed, are sent to Microsoft. The user is not uniquely identified. Default and recommended settings: Use of the Program Compatibility Wizard is enabled by default. Recommended settings are discussed in the next subsection, "Controlling Program Compatibility Wizard Data to Prevent the Flow of Information to the Internet." Trigger and notification: In the last dialog box of the wizard, users are asked if they want to send information to Microsoft. Data is not sent automatically. Logging: There is no information related to the Program Compatibility Wizard entered into the event log. Encryption: HTTPS is used to perform the data transfer to Microsoft. Access: The Microsoft product group has access to the raw data only. Privacy: The privacy statement is the same as that associated with Windows Error Reporting (WER) data. A link to the privacy statement on the Web is provided in the wizard. This privacy statement is available at:
http://go.microsoft.com/fwlink/?LinkId=825 Transmission protocol and port: The transmission protocol used is HTTPS and the port is 443. Ability to disable: You cannot disable the Program Compatibility Wizard. Using Group Policy, you can prevent data from being sent to the Internet.
107
For more information about the type of information that is sent to Microsoft, how the data is used, encryption, and the privacy statement, see the section of this white paper titled "Windows Error Reporting."
Controlling Program Compatibility Wizard Data to Prevent the Flow of Information to the Internet
Using Group Policy, you can configure the Configure Error Reporting policy setting to prevent data collected by the Program Compatibility Wizard from being sent to Microsoft. By using configuration options within error reporting you can have the data sent to a server on your intranet instead of to Microsoft. When you configure error reporting this way, you activate Corporate Error Reporting (CER). The Configure Error Reporting policy setting is located in Computer Configuration\Administrative Templates\System\Error Reporting. For more information and procedures for configuring error reporting, see the section of this white paper titled "Windows Error Reporting." If you use this approach for reporting errors, the user experience with the Program Compatibility Wizard does not change. The dialog box that presents the option of sending data to Microsoft is the same. If the user selects Yes, the data is sent to the designated server on your intranet.
Using the Application Compatibility Toolkit to Improve the User Experience with Incompatible Applications
When a user tries to run a low-level applicationsuch as an antivirus or disk-access utilitythat is known to be incompatible and compromise system integrity, Windows XP blocks the application and informs the user about it. To do this, Windows XP uses information in databases stored locally on the computer. Compatibility fixes are contained in a database file named SYSMAIN.SDB. The warning information used when an application cannot be run successfully is contained in a related database file, APPHELP.SDB. Before Windows XP Service Pack 2 (SP2), the operating system would also contact a Microsoft Web site for the latest information about incompatible applications. As of SP2, Windows XP only uses the information stored locally on the computer. You can customize the way Windows XP responds to programs that are known to compromise system integrity by using the Application Compatibility Toolkit. For example, you can use one of the tools in the toolkit, the Compatibility Administrator tool, to create custom messages that notify users of the problems with an incompatible application and redirect users to your intranet site. To do this, you need to first download the Application Compatibility Toolkit, and then use tools such as the Compatibility Administrator tool.
To Read About and Download the Application Compatibility Toolkit

1. Read about the toolkit and find links for downloading it from the Windows Web site at: http://go.microsoft.com/fwlink/?LinkId=29880
108
2. Follow the installation instructions. Once you have installed the toolkit, you can view the Windows Application Compatibility 3.0 Reference and you can run the Compatibility Administrator tool to make the changes you need.
To Create Custom Messages for Applications with Incompatibility Problems

1. Make sure that the Application Compatibility Toolkit is installed by using the previous procedure. 2. Click Start, point to Programs or All Programs, point to Microsoft Windows Application Compatibility Toolkit, and then click Compatibility Administrator Tool 3.0. 3. In the console tree, click Custom Databases, and then click New Database. 4. On the toolbar, click AppHelp. The Create a custom AppHelp message dialog box appears. 5. Enter information as prompted in the dialog box. 6. Save the new database file. Note When you have completed your entries and saved the file, you can deploy your changes to multiple computers running Windows XP. See "Deploying Compatibility Fixes," in Compatibility Administrator Help.
Event Logging for Events Related to the Blocking of Incompatible Applications

Events related to the blocking of incompatible applications are not logged by default. You can enable event logging in the Application log (Control Panel\Administrative Tools\Event Viewer) by using Group Policy.
To Enable Event Logging for Events Related to the Blocking of Incompatible Applications
1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click Windows Components, and then click Application Compatibility. 3. In the details pane, double-click Turn On Application Help Log Events, and then click Enabled.
Related Links
For more information about application compatibility resources, see Windows Application Compatibility at: http://go.microsoft.com/fwlink/?LinkId=29880
109
Remote Assistance
This section provides information about: The benefits of Remote Assistance How Remote Assistance communicates with sites on the Internet How to control Remote Assistance to prevent the flow of information to and from the Internet
Benefits and Purposes of Remote Assistance

With Microsoft Windows XP Professional with Service Pack 2 (SP2), a user or administrator can use Remote Assistance to get help from a member of the organization's support staff. Users or administrators can also collaborate in other ways through screen sharing. Remote Assistance is a convenient way for support professionals to connect to a computer from another computer running a compatible operating system, such as Windows XP, and to show the users or administrators a solution to their problem. Using Windows Messenger Service or an e-mail program, such as Microsoft Outlook or Outlook Express, you can provide support to users by connecting to their computer. After you are connected, you can view the users computer screen, communicate in real time about what you both see on the users computer, send files, use voice communication, and use your mouse and keyboard to work on the users computer.
Overview: Using Remote Assistance in a Managed Environment

Through Help and Support Center users can access Remote Assistance by default and have someone inside or outside your network connect to their computer. In Help and Support Center, users can click Invite a friend to connect to your computer with Remote Assistance or click Tools\Remote Assistance. Although a firewall on your organizations network will likely prevent outsiders from connecting directly to a computer on your intranet, it is possible for users to connect remotely to someone within your intranet or outside your network through Remote Assistance. As an administrator in a highly managed environment, you might want to prevent users from using this feature. You can do this during your deployment of Windows XP with SP2, or post-deployment using Group Policy. In a domain environment there is also the option of a support person or IT administrator offering unsolicited assistance. From Help and Support Center using Tools\Offer Remote Assistance, an administrator in the domain may offer assistance to users in the same domain or trusted domains without being asked. However, users can decline the invitation. This capability can be strictly controlled with Group Policy. Controlling the use of unsolicited as well as solicited Remote Assistance is described further in the subsection "Controlling Remote Assistance to Prevent the Flow of Information to and from the Internet."
110
How Remote Assistance Communicates with Sites on the Internet

When a user (referred to as the "novice") initiates a request for assistance through either the e-mail option or the Save invitation as a file option in Remote Assistance, Windows XP starts Help and Support Center. Help and Support Center then passes the information to Remote Assistance. When the person who is being contacted (the "expert") accepts the invitation from the novice, Remote Assistance calls Help and Support Center application programming interfaces (APIs) to initiate the session. Help and Support Center relies on Terminal Services to negotiate the session. Help and Support Center passes the Remote Assistance invitation (the "ticket") file to Terminal Services. The Remote Assistance session is established using RDP (Remote Desktop Protocol), and uses port 3389 through Terminal Services on the novice computer. There are safeguards built into the Remote Assistance feature. All sessions are encrypted and can be password-protected. The novice (user soliciting the assistance) sets the maximum time for the duration of the ticket. Also, firewalls on your organizations network can be configured to prevent communication associated with Remote Assistance, for example, Remote Assistance connections that are inbound to computers behind the firewall. Note that Windows XP with SP2 includes enhancements to the firewall component, now called Windows Firewall. For information about how Windows Firewall interacts with Remote Assistance, see the link to Deploying Windows Firewall Settings for Windows XP SP2 on the Microsoft TechNet Web site at: http://go.microsoft.com/fwlink/?LinkId=23354 The following information presents additional details on how information transfer over the Internet takes place when a connection is made: Specific information sent or received: Information that is transmitted in a Remote Assistance ticket includes user name, IP address, and computer name. Information necessary to provide functionality for Remote Assistance (for example, screen sharing, file transfer, and voice) is sent in real time using point-to-point connections. Default and recommended settings: Anyone with access to Help and Support Center can access the Remote Assistance feature. Users can prevent someone from connecting to their computer by declining an invitation. You can also prevent someone from remotely controlling a computer running Windows XP with SP2 by using Control Panel settings or Group Policy. Triggers: A user establishes contact with the expert by sending an invitation through e-mail, instant messaging, or by saving an invitation as a file and transferring it manually, such as on a floppy disk, to the expert. Or, an expert offers unsolicited assistance to a user. User notification: Whether assistance is solicited or unsolicited, the novice is notified of the offer of assistance from the expert. The novice must accept the connection before Remote Assistance begins. Logging: Events such as a user initiating a connection or a user accepting or rejecting an invitation are recorded in the event logs. Windows XP Service Pack 2 (SP2) records more details than were recorded in the previous service pack, including events such as taking and releasing control. sending and accepting files, and ticket creation and deletion. SP2 also records details such as whether assistance is solicited or unsolicited as well as more detailed user name and IP address information.
111
Encryption: The RDP (Remote Desktop Protocol) encryption algorithm for the main Remote Assistance communication and the RTC (Real-Time Communication) encryption algorithm for voice are used. The RDP encryption algorithm is RC4 128-bit. Access: No information is stored at Microsoft. Transmission protocol and port: The port is 3389 and the transmission protocols are RDP and RTC. For Offer Remote Assistance, Distributed Component Object Model (DCOM) is also used. Ability to disable: This component can be disabled by using Group Policy or locally through Control Panel. Firewall protection: Any firewall that blocks port 3389 will not allow a Remote Assistance connection to users outside the firewall. This does not prevent users from within the network protected by the firewall from connecting to each other. If you close port 3389, you will block all Remote Desktop and Terminal Services events through it as well. If you want to allow these services but want to limit Remote Assistance requests, use Group Policy. If the port is opened only for outbound traffic, a user can request Remote Assistance by using Windows Messenger.
For more information about the Remote Assistance connection process, see article 300692, "Description of the Remote Assistance Connection Process" in the Microsoft Knowledge Base at: http://go.microsoft.com/fwlink/?LinkId=29212
Controlling Remote Assistance to Prevent the Flow of Information to and from the Internet
Administrators can control the use of Remote Assistance in the following ways: Group Policy to prevent Remote Assistance from being solicited from this computer Group Policy to prevent unsolicited Remote Assistance from being offered to this computer Local control of Remote Assistance through Control Panel
Group Policy settings are described in detail in this subsection. Procedures for disabling Remote Assistance are presented in the next subsection.
Using Group Policy

There are two Group Policy settings you can configure to control the use of Remote Assistance: Solicited Remote Assistance
Use this policy setting to determine whether Remote Assistance can be solicited from a given computer. In Solicited Remote Assistance the user of a computer explicitly requests help from another party. Offer Remote Assistance
112
Use this policy setting to determine whether a support person or IT administrator (expert) can offer remote assistance to a computer without a user explicitly requesting it first through e-mail, a file, or instant messaging. These policy settings are located in Computer Configuration\Administrative Templates\System\Remote Assistance. Configuration options for these policy settings are described in the following table. Group Policy Settings for Controlling Remote Assistance
Policy Setting Solicited Remote Assistance (enabled) Description When this policy setting is enabled, a user can create a Remote Assistance invitation that a person (expert) can use at another computer to connect to the users computer. If given permission, the expert can view the users screen, mouse, and keyboard activity in real time. Additional configuration options are available when you enable this policy setting. Solicited Remote Assistance (disabled) Solicited Remote Assistance (not configured) Offer Remote Assistance (enabled) If the status is set to Disabled, users cannot request Remote Assistance and this computer cannot be controlled from another computer. If the status is set to Not Configured, the configuration of solicited Remote Assistance is determined by the Control Panel settings. When this policy setting is enabled, a remote user or administrator can offer Remote Assistance to the computer. When you configure this policy setting, you have two choices: you can select either Allow helpers to only view the computer or Allow helpers to remotely control the computer. In addition to making this selection, when you configure this policy setting, you also specify the list of users or user groups that will be allowed to offer remote assistance. Administrators of this computer can offer remote assistance to it by default. They do not need to be added to the list. If you disable or do not configure this policy setting, users or groups cannot offer unsolicited remote assistance to this computer.
Offer Remote Assistance (disabled or not configured)
For additional configuration options, see the Remote Assistance policy settings in Group Policy. To find more information about editing Group Policy, see Appendix B, "Learning About Group Policy and Updating Administrative Templates."
Procedures for Disabling Remote Assistance

This section presents procedures administrators can use for disabling Remote Assistance through Group Policy or Control Panel.
To Disable the Use of Remote Assistance Using Group Policy

1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO.v 2. Click Computer Configuration, click Administrative Templates, click System, and then click Remote Assistance.
113
3. In the details pane, double-click Solicited Remote Assistance, click Disabled, and then click OK. 4. In the details pane, double-click Offer Remote Assistance, click Disabled, and then click OK.
To Disable the Use of Remote Assistance Through Control Panel

1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel. 2. Double-click System. 3. In System Properties, click the Remote tab. 4. Under Remote Assistance, clear the check box labeled Allow Remote Assistance invitations to be sent from this computer.
114
Search Companion
This section provides information about: The benefits of Search Companion How Search Companion communicates with sites on the Internet How to control Search Companion to prevent the flow of information to and from the Internet
Benefits and Purposes of Search Companion

The Microsoft Search Companion Web service enables users to search for files and folders on their desktop computers, to search for files, people, and other computers on their internal networks, and to search for information on the Internet. Search Companion uses Indexing Service to maintain an index of all the files on users' computers, making searches faster. When employing Search Companion, users can specify several search criteria. For example, they can search for files and folders by name, type, or size. They can find files based on when they were last modified, or search for files containing specific text. When searching for information on the Internet, Search Companion enables users to enter search queries in natural language (meaning informal, or conversational language). It then suggests the best way to conduct the search, and sends the query to Internet services that are most likely to yield positive results.
Overview: Using Search Companion in a Managed Environment

When the user searches the Internet using Search Companion, the following information is collected: The text of the Internet search query Grammatical information about the query The list of tasks (suggestions) that the Search Companion Web service recommends to refine the search Any tasks the user selected from the recommendation list
Search Companion does not collect: Personal information Demographic information
Microsoft does not use the information it collects to identify the user individually or associate such information with other data sources that may contain personal data. Microsoft does not collect information when the user searches on the local system, LAN, or intranet.
115
The Search Companion Web service is designed to upgrade automatically as new features become available. It therefore uses the Internet connection periodically to check for and replace necessary files. You can use Group Policy to prevent the Search Companion Web service from upgrading automatically from the Internet. If you want to disable the Search Companion Web service, you can do so by changing to Classic Search for the Internet. Microsoft Windows does not collect any query information when Classic Search is used. You can also disable Search Companion (change to Classic Search) by modifying the registry settings. The procedures for both of these methods are described later in this section of the white paper.
How Search Companion Communicates with Sites on the Internet

Search Companion in Microsoft Windows XP Professional with Service Pack 2 (SP2) improves the search process by consolidating search tasks, optimizing searches for the most common scenarios, and offering suggestions for refining the search. The form the user creates to collect search criteria will post information to an ASP page that displays the search results. The search pages use a combination of XML and Microsoft Visual Basic development system, Scripting Edition (VBScript) and Microsoft JScript development software for accessing the search objects. Because the script is run on the server, users can view the search pages from any browser. Search Companion uses XML files to define both the user interface and some functional parameters of its tasks (for example, what list of file extensions constitutes the "Music" category of files). The first time in each Search Companion session that an XML file is referenced, by default, Search Companion checks to see if a later version of that XML file is available from sa.windows.com. The "check" is really a file download request, conditioned on the modified date of the file. If there is a later version of the XML file, Search Companion downloads it and replaces the earlier version. The XML files are located in a language-specific subfolder of systemroot\Srchasst\, and if the current user does not have administrative credentials, the old XML file cannot be overwritten. The downloading of these XML files can be prevented through Group Policy. This subsection describes various aspects of the data that is sent to and from the Internet through Search Companion, and how the exchange of information takes place: Specific information sent or received: When you search the Internet using Search Companion, the following information is collected regarding your use of the service: the text of your Internet search query, grammatical information about the query, the list of tasks that the Search Companion Web service recommends, and any tasks you select from the recommendation list. Default and recommended settings: Search Companion is enabled by default. Triggers: The user selects Start\Search and uses search options to search the Internet. The user can also start Internet Explorer and use a toolbar button, shortcut key, or menu to search the Internet. User notification: There is no provision in Search Companion for user review or notification of data sent.
116
Uniquely identify users: The user is not uniquely identified. Session-based cookies are used to maintain state information, but these randomly assigned GUIDs do not persist across browser sessions. Logging: No information is collected when you search your local system, LAN, or intranet. The only "storage" is the Internet Information Services (IIS) log of the file request on the server at Microsoft that provides the Search Companion Web service. Search Companion does not record your choice of Internet search engines, and it does not collect or request any personal or demographic information. Encryption: There is no encryption of data. Access: No user information is collected. The IIS logs (described in the "Logging" item, earlier in this list) are cycled annually, that is, logs are retained for twelve months, and discarded in the thirteenth month following collection. Privacy: The privacy statement is located at the following Web site:
http://sa.windows.com/privacy/ Transmission protocol and port: The transmission protocol is HTTP and the port is 80. Ability to disable: The feature can be disabled by changing to Classic Search.
Controlling Search Companion to Prevent the Flow of Information to and from the Internet
You can disable the Search Companion Web service by changing preferences to Classic Search for the Internet. You can also disable Search Companion by changing the registry settings manually. In addition, you can prevent Search Companion from checking for and downloading updated versions of the XML files that it uses. Procedures for all of these approaches are provided in the following subsection.
Procedures for Configuration of Search Companion

Search Companion can be configured in several ways as described previously.
To Change to Classic Search for the Internet Through the User Interface
1. Click Start, and then either click Search, or point to Search and click On the Internet. 2. Click Change preferences. 3. Click Change Internet search behavior. 4. Click With classic Internet search and click OK. 5. On the File menu, click Close. The next Internet search you perform will use the preference you specified.
To Change to Classic Search for the Internet Through the Registry Key
1. Close Internet Explorer (all instances).
117
2. Open Registry Editor by clicking Start, clicking Run, and then typing regedit. Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied. 3. Navigate to: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. 4. Look for an entry called Use Search Asst. If it exists, skip to step 7. 5. On the Edit menu, point to New, and then click String value. 6. Type Use Search Asst as the name for the new value (the type is REG_SZ), and then press ENTER. 7. Click Use Search Asst, and then on the Edit menu, click Modify. 8. For Value data, type: no Note Type the entry and value exactly as shown, including spaces and capitalization.
To Prevent Search Companion from Downloading Updated Versions of the XML Files That It Uses
1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings. 3. In the details pane, double-click Turn off Search Companion content file updates, and then click Enabled. Important You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."
118
Windows Error Reporting

This section provides information about: The benefits of Windows Error Reporting How Windows Error Reporting communicates with sites on the Internet How to control Windows Error Reporting to prevent the flow of information to and from the Internet
Benefits and Purposes of Windows Error Reporting

The Windows Error Reporting feature in Windows XP Professional with Service Pack 2 (SP2) provides a service that allows Microsoft to track and address errors relating to the operating system, Windows components, and applications. This service, called the Error Reporting service, gives users the opportunity to send data about errors to Microsoft and to receive information about them. Microsoft developers can use the Error Reporting service as a problem-solving tool to address customer problems in a timely manner and to improve the quality of Microsoft products. When users send information to Microsoft, in some cases Microsoft may provide information to users, such as a way to work around a problem or a link to a Web site for updated drivers, patches, or Microsoft Knowledge Base articles.
Overview: Using Windows Error Reporting in a Managed Environment

In Windows XP with SP2, error reporting is enabled by default and users can choose to report errors to Microsoft. When an error occurs, a dialog box is displayed allowing the user to report the problem. When a user chooses to report the problem, technical information about the problem is collected and then sent to Microsoft over the Internet. No information is sent unless the user confirms that the error report is to be sent to Microsoft. A user who is logged on as an administrator can choose to report system and application errors. A user who is not logged on as an administrator can choose to report application errors. Users with administrative credentials can configure or disable error reporting through Control Panel\System\Advanced. They can configure error reporting to send specified information such as system errors (Stop errors) only, or errors for Windows components, such as Windows Explorer or Microsoft Internet Explorer. Users can also send information for applications, such as Microsoft Word. Since error reporting is a valuable service, we recommend that IT administrators not disable it, but that they control what information is reported and where it is sent. For an organization where privacy is a concern, we recommend that the IT department review and filter error reports before they are sent to Microsoft. Though it is not recommended, you can also completely disable error reporting on client computers by using Group Policy.
119
The best method to use to prevent the automatic flow of error reporting information to and from the Internet is to redirect error reports to a server on your intranet by using Group Policy and to set up Corporate Error Reporting (CER). If you have Software Assurance with your volume license, you can use the Corporate Error Reporting tool to manage error reports that have been redirected to a network server. You use the tool to review the redirected error reports and then filter the reports that are sent to Microsoft based on your policies and the data contained within the error report. The tool is also useful for determining the types of problems users are experiencing most often. If you have not yet deployed Windows XP with SP2, you can use unattended installation files to configure error reporting in the same way as in Group Policy. If it is necessary in your organization to completely disable Windows Error Reporting, you can do so with the unattended installation file or with Group Policy. For more information about these methods, see "Controlling Error Reporting to Prevent the Flow of Information to and from the Internet," later in this section.
How Windows Error Reporting Communicates with Sites on the Internet

The data that Microsoft collects is used strictly for the purpose of tracking down and solving problems that users are experiencing. The information is stored in a secure database to which access is limited. This subsection describes various aspects of the data that is sent to and from the Internet during error reporting, and how the exchange of information takes place. Specific information sent or received: For Windows XP with SP2, Microsoft collects various types of information related to two types of errors, user mode or application errors, and kernel mode or operating system failures. Some information that uniquely identifies the user might unintentionally be collected as part of the crash report. This information, if present, is never used to identify a user. The specific data collected is described later in this subsection. Also, Microsoft may send information about a problem, including links to Web sites. Default and recommended settings: Error reporting for application and system errors is enabled by default on clients running Windows XP with SP2. For more information about recommended settings, see "Controlling Error Reporting to Prevent the Flow of Information to and from the Internet," later in this section. Triggers: The opportunity to send an error report is triggered by application or system errors. User notification: A dialog box appears notifying users that an error has occurred and asks if they want to send an error report to Microsoft. Users can review the data that will be sent. Logging: Descriptions of system and application errors are recorded in the event log. Encryption: All data that could include personally identifiable information is encrypted (HTTPS) during transmission. The "crash signature," which includes such information as the application name and version, module name and version, and offset (location) is not encrypted. Access: Microsoft employees and contingent staff may access the error reports to maintain the Error Reporting service or improve Microsoft products, and may not use the reports for other purposes.
120
If the error report indicates that one or more non-Microsoft products were involved in causing the problem, Microsoft may send the report to the respective companies. Qualified software or hardware developers (employed by Microsoft or one of its partners) will analyze the fault data and try to identify and correct the problem. Privacy: The privacy statement for Microsoft Error Reporting is located at the following Web site:
http://go.microsoft.com/fwlink/?LinkId=825 Details related to privacy of data are presented in "Types of Data Collected," later in this section. Transmission protocol and port: The transmission protocol is HTTP and the ports are HTTP 80 and HTTPS 443. Ability to disable: The feature can be disabled through Group Policy or by users on their own computers.
Types of Errors Reported

In Windows XP with SP2 there are two types of errors that are reported, user mode and kernel mode.
User Mode Reporting

When a user mode error occurs, such as an application error, the Error Reporting service does the following: Displays an alert stating that Windows XP detected a problem.
Users can choose to report the problem or not. If they do report it, they will see that the information is being sent to Microsoft. Sends a problem report to Microsoft.
Users may then be queried for additional computer information (to complete the error report) and again may choose to send it or not. When more information is available, offers it to users.
Users might be offered the option of selecting More Information, which directs them to updated drivers, patches, or Microsoft Knowledge Base articles. If the error report indicates that one or more non-Microsoft products were involved in causing the problem, Microsoft may send the report to the respective companies. Qualified software or hardware developers (employed by Microsoft or one of its partners) will analyze the fault data and try to identify and correct the problem.
Kernel Mode Reporting

When a kernel-mode (system) error occurs, Windows XP with SP2 displays a Stop message and writes diagnostic information to a memory dump file. When a user restarts the computer by using normal mode or Safe Mode (with networking) and logs on to Windows XP as an administrator, the Error Reporting service gathers information about the problem and displays a dialog box that gives the user the option of sending a report to Microsoft.
121
Types of Data Collected

The Error Reporting service collects information about the computer configuration, what the software was doing when the problem occurred, and other information directly related to the problem. The Error Reporting service does not intentionally collect anyones name, address, e-mail address, computer name, or any other form of personally identifiable information. It is possible that such information may be captured in memory or in the data collected from open files, but Microsoft does not use it to identify users. The Error Reporting service collects Internet Protocol (IP) addresses, but the addresses are not used to identify users, and in many cases are the address of a Network Address Translation (NAT) computer or proxy server, not a specific client behind that NAT computer or proxy server. IP address information is used in aggregate by the operators who maintain the servers that receive error reports. The other use for IP address information is to locate error reports that come from computers inside Microsofterrors on those computers can be more thoroughly investigated as needed. In rare cases, such as problems that are especially difficult to solve, Microsoft may request additional data, including sections of memory (which may include memory shared by any or all applications running at the time the problem occurred), some registry settings, and one or more files from the users computer. When additional data is requested, the user can review the data and choose to send the information or not. In Windows XP with SP2 the specific types of data that are collected when application errors or kernel failures occur is as follows.
Application Errors
If an application error occurs for which Error Reporting is available and the user chooses to send the report, the information included is as follows: The Digital Product ID, which can be used to identify your license. Information regarding the condition of the computer and the application at the time when the error occurred. This includes data stored in memory and stacks, information about files in the application's directory, as well as the operating system version and the computer hardware in use. This information is packaged into a minidumpa small memory dump. The minidump contains the following: Exception information: This is information regarding the problem that occurred. It tells Microsoft what kind of instruction the application received that caused it to generate an error. System information: This is data about the kind of CPU (processor) you have and what operating system you are running. A list of all the modules that are currently loaded and their version information. A list of all the threads that are currently running. For each thread, the current context and the whole stack are collected. Global data.
The minidump data is shown as a hexadecimal representation that the user cannot read. Note For the exact specification of the minidump format, see the Microsoft Platform SDK, which is available on the MSDN Web site.
122
Windows Kernel Failures

Windows kernel fault reports contain information about what your operating system was doing when the problem occurred. These event reports contain the minimum information that can help to identify why the operating system stopped unexpectedly. If the user chooses to send the report, it includes: The operating system name (for example, Microsoft Windows XP). The operating system version (for example, 5.1.2600 0.0). The operating system language as represented by the locale identifier (LCID) (for example, 1033 for United States English). This is a standard international numeric abbreviation. The loaded and recently unloaded drivers. These identify the modules used by the kernel when the Stop error occurred, and the modules that were used recently. The list of drivers in the Drivers folder on your hard disk (systemroot\System32\Drivers). The file size, date created, version, manufacturer, and full product name for each driver. The number of available processors. The amount of random access memory (RAM). The time stamp that indicates when the Stop error occurred. The messages and parameters that describe the Stop error. The processor context for the process that stopped. This includes the processor, hardware state, performance counters, multiprocessor packet information, deferred procedure call information, and interrupts (requests from software or devices for processor attention). The process information and kernel context for the halted process. This includes the offset (location) of the directory table and the database that maintains the information about every physical page (block of memory) in the operating system. The process information and kernel context for the thread that stopped. This information identifies registers (data-storage blocks of memory in the processor) and interrupt request levels, and includes pointers to data structures for operating system data. The kernel-mode call stack for the interrupted thread. This is a data structure that consists of a series of memory locations and one or more pointers.
Controlling Error Reporting to Prevent the Flow of Information to and from the Internet
To prevent the automatic flow of information to and from the Internet when users report errors, you can configure error reporting in two ways: while deploying Windows XP with SP2 using answer files with unattended or remote installation, or after deployment using Group Policy. There may be some aspects of error reporting that you want to configure using answer files, and others you may want to configure using Group Policy. Review the tables in this subsection to determine the configuration options that will work best for your organization.
123
Using Unattended Installation

You can configure error reporting by using standard methods for unattended or remote installation. You use the [PCHealth] section of an answer file to make entries for this feature. The following table describes those entries. Entries for configuring error reporting in an answer file (for unattended installation)
Entry ER_Display_UI Description Specifies whether Setup notifies the user that an error has occurred and shows details about the error. When the entry is ER_Display_UI = 0, Setup does not notify the user that an error has occurred. ER_Enable_Applications = All Reports errors for all applications except for those listed in ER_Exclude_EXE(n). ER_Enable_Applications = Listed Reports errors only for those applications listed in ER_Include_EXE(n). You can automatically include Microsoft applications by using ER_Include_MSApps. ER_Enable_Applications = None Reports no application errors. Examples of entries that list included applications are: ER_Include_EXE1 = iexplore.exe ER_Include_EXE2 = explorer.exe Examples of entries that list excluded applications are: ER_Exclude_EXE1 = calc.exe ER_Exclude_EXE2 = notepad.exe ER_Enable_Kernel Errors Specifies whether Windows reports errors in the Windows kernel. When the entry is ER_Enable_Kernel Errors = 0, Windows does not report errors in the Windows kernel. Specifies whether Windows automatically reports errors. When the entry is ER_Enable_Reporting = 0, Windows does not report errors. Specifies whether to report errors in Windows components. When the entry is ER_Enable_Windows_Components = 0, Windows does not report errors in Windows components. To exclude individual Windows components, use ER_Exclude_EXE(n), as described earlier in this table. Specifies whether to send all reports in queue mode. When the entry is ER_Force_Queue_Mode = 0, Windows does not send reports in queue mode. Specifies whether to track and report errors in Microsoft applications. When the entry is ER_Include_MSApps = 0, errors in Microsoft applications are not tracked and are not reported. Specifies whether to report shutdown errors. When the entry is ER_Include_Shutdown_Errs = 0, shutdown errors are not reported.
ER_Enable_Applications ER_Include_EXE(n) and ER_Exclude_EXE(n)
ER_Enable_Reporting ER_Enable_Windows_ Components
ER_Force_Queue_Mode
ER_Include_MSApps
ER_Include_Shutdown_ Errs
For complete details about the entries for error reporting, see the resources listed in Appendix A, "Resources for Learning about Automated Installation and Deployment." Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).
124
Using Group Policy

You can use Group Policy to disable Windows Error Reporting, or you can use it to redirect error reports to a server on your intranet, after which you can enable Corporate Error Reporting. By controlling error reporting through Group Policy, you override actions users may take. This subsection includes a list of the settings in both the Error Reporting policy and the Advanced Error Reporting policy.
Error Reporting Policy Settings

The error reporting policy settings that you configure for Corporate Error Reporting are located at Computer Configuration\Administrative Templates\System\Error Reporting. The following list describes the policy settings. Configure Error Reporting, enabled: Errors are reported to Microsoft through the Internet or to a server on your intranet. Enabling Configure Error Reporting will override any error reporting settings made using Control Panel. Default values will be used for any error reporting settings that are not configured, even if settings were adjusted through Control Panel.
In Configure Error Reporting, you can select the following: Do not display links to any Microsoft provided "more information" web sites Do not collect additional files Do not collect additional machine data Force queue mode for application errors
In Configure Error Reporting, you can enter: Corporate upload file path Text with which to replace instances of the word "Microsoft" Configure Error Reporting, disabled: Users will not be given the option to report errors. If Display Error Notification is enabled, users will still get a message indicating that a problem occurred, but they will not have the option to report it. Configure Error Reporting, not configured: A person logged in as an administrator will be able to adjust the setting using Control Panel, which is set to "enable reporting" by default on Windows XP. Display Error Notification, enabled: This setting controls whether a user is given the choice to report an error. When enabled, the user will be notified that an error has occurred and will be given access to details about the error. Display Error Notification, disabled: The user is not given the choice of whether to report the error. If Configure Error Reporting is enabled, the error will be automatically reported, but the user will not be notified that an error has occurred. Display Error Notification, not configured: A person logged in as an administrator will be able to adjust the setting through Control Panel, which is set to enable notification by default.
125
Advanced Error Reporting Policy Settings

When you enable error reporting, you can choose to specify the types of errors that are reported. In a highly managed environment, administrators might want to do this based on the kinds of information included in the error report (see "Types of data collected," in the previous subsection). With Advanced Error Reporting settings you can configure the following policy settings: Default application reporting settings List of applications to always report errors for List of applications to never report errors for Report operating system errors Report unplanned shutdown events
These policy settings are located in Computer Configuration\Administrative Templates\System\Error Reporting. When you configure these policy settings, they will override any adjustments to error reporting that users might make through Control Panel. To find more information about editing Group Policy, see Appendix B, "Learning About Group Policy and Updating Administrative Templates."
How Controlling Error Reporting Can Affect Users

What users will see on their computers when an error occurs depends on how you have configured the Error Reporting policy settings. Depending on which policy settings you have enabled and which options you have configured, you can have users input varying amounts of information during error reporting, or none at all. You can choose not to have any user interface when a fault occurs, or, you can have a user notified that an error has occurred, but not allow for the opportunity to send a report. Another factor in how the user interface is affected is how you have configured the following policy settings: List of applications to always report errors for and List of applications to never report errors for. For more information about these policy settings, see "Procedures for Configuring Error Reporting" and "Related Links," later in this section. The following table presents two examples of what the user will see when an error occurs if you have enabled the Error Reporting policy settings and if you have entered a path to a server. The first option presents the recommended policy settings. How Sending Error Reports to an Intranet Server Affects the User Interface
Configuration Options Configure Error Reporting enabled; Corporate file path entered; Display Error Notification enabled User Interface
User is notified that an error occurred User might be asked for additional data Reports go to an intranet server No user interface Reports automatically go to an intranet
Configure Error Reporting enabled; Corporate file path entered; Display Error Notification not enabled
126
server
Procedures for Configuring Error Reporting

The following procedures explain how to: Use the Configure Error Reporting policy setting so error reports are sent to a server on your intranet instead of to Microsoft, so you can then use the Corporate Error Reporting tool to filter reports. Locate the Group Policy settings for configuring error reporting. Locate the Group Policy setting for disabling error reporting. Prevent error reporting by using an answer file for unattended installation.
To Enable Corporate Error Reporting

1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click System, and then click Error Reporting. 3. In the details pane, double-click Display Error Notification, and then click Enabled. 4. Click Next Setting, and then under Configure Error Reporting, click Enabled. 5. In the Corporate upload file path box, enter a UNC (Universal Naming Convention) path (\\servername\sharename). Note Administrators can then filter the error reports using the CER tool described in the previous subsection, "Controlling Error Reporting to Prevent the Flow of Information to and from the Internet." Use the following two procedures to locate the Group Policy settings described in "Using Group Policy," earlier in this section.
To Locate Group Policy Settings for Configuring Error Reporting

1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click System, and then click Error Reporting. 3. View the Group Policy settings that are available. For more information about these settings, see the table in "Using Error Reporting Policy Settings," earlier in this section. 4. Click Advanced Error Reporting settings. 5. View the advanced settings that are available. For more information about these settings, see the list in "Advanced Error Reporting Policy Settings," earlier in this section.
To Disable Windows Error Reporting by Using Group Policy
127
1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings. 3. In the details pane, double-click Turn off Windows Error Reporting, and then click Enabled. Important You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."
To Prevent Error Reporting by Using an Answer File for Unattended Installation

1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For information about unattended installation, and for complete details about the entries for error reporting, see the resources listed in Appendix A, "Resources for Learning about Automated Installation and Deployment." Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix). 2. In the [PCHealth] section of the answer file, create entries according to the table in "Using Unattended Installation," earlier in this section. For example, to disable error reporting, the entry is: [PCHealth] ER_Enable_Reporting = 0
Related Links
For more information about Windows Error Reporting, see the article on the MSDN Web site at:
http://go.microsoft.com/fwlink/?LinkId=29903 To obtain the Corporate Error Reporting tool, see the Microsoft Web site at:
http://go.microsoft.com/fwlink/?LinkId=29517 To read the Microsoft privacy statement for error reporting, see the Microsoft Web site at:
128
Windows Media Player

This section provides information about the following: The benefits of Microsoft Windows Media Player How Windows Media Player communicates with sites on the Internet How to control Windows Media Player to limit the flow of information to and from the Internet
This section describes Windows Media Player 9 Series, the version of Windows Media Player that is included with Windows XP Professional with SP2. Other versions of Windows Media Player might differ from the version described in this section. For more information, see the Windows Media Web site at: http://www.microsoft.com/Windows/WindowsMedia/
Benefits and Purposes of Windows Media Player

Microsoft Windows Media Player (also called the Player) enables users to play and organize digital media files on their computers and on the Internet. Users can listen to radio stations, search for and organize digital media files, and (with the necessary hardware) play CDs and DVDs, create custom CDs, and copy files to a portable device. With the latest version of Windows Media Player and the Group Policy settings in the associated Administrative template (Wmplayer.adm) in Windows XP with SP2, you can configure the Player to control access to certain consumer features. The management and deployment features enable you to bring customized media functionality to your organizations employees to enhance productivity. It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization where users connect to sites on the Internet or download items from the Internet. This section, however, provides information about Windows Media Player that can help you to balance your organizations requirements for communication across the Internet with your organizations requirements for protection of networked assets. For more information about deploying and managing Windows Media Player in an enterprise environment, see links on the Windows Media Web site at: http://www.microsoft.com/Windows/WindowsMedia/ The Enterprise Deployment Pack (EDP) for Windows Media Player 9 Series is a downloadable packaging tool that you can use to centrally configure, deploy, and manage Windows Media Player 9 Series in your organization. To download the EDP, or to download a white paper that is part of the EDP, see the Windows Media Web site at: http://go.microsoft.com/fwlink/?LinkId=29521
129
Overview: Using Windows Media Player in a Managed Environment

Windows Media Player is an integral component of Windows XP. Windows Media Player is not an optional Windows component and cannot be uninstalled. You can, however, use an answer file to hide entry points to the user interface. You can also customize the Player to make certain aspects of it either available, for limited use, or unavailable to the user in accordance with policies in your organization. There are a variety of options available to you when considering how you want your users to interact with Windows Media Player. To help you assess what level of control to apply to your organization, the following table summarizes some of the configuration options. Options for Controlling Communication with the Internet Through Windows Media Player
Options No access to Windows Media Player: Control users ability to see Windows Media Player icons and start Wmplayer.exe. For more information, see "Procedures for Configuration of Windows Media Player," later in this section. Degree of Control Least access to media content (and no access to the Internet through Windows Media Player), but least flexible. With this option, users can be prevented from starting the Player.
Allow access only to specific Internet sites: Allow users to use Windows Media Player, but with access to only those Internet sites that are approved for access by an organizations policies. Use an inclusion list (through the firewall or proxy or both).
Restricted access to Internet, but requires knowledge of which external sites are trustworthy.
Allow Internet access only to selected users: By restricting Internet access to selected users, restrict communication between Windows Media Player and Internet sites. For example, place most users on a network with a firewall that blocks Internet access.
Access to Internet only available to users who need it most. Implies that training is provided to selected users, who are held accountable.
Limit the Windows Media Player features that can be used: Allow users to use Windows Media Player, but with access to only certain features. Use Group Policy settings to configure Windows Media Player on clients. To do this, you must update the appropriate Administrative template, Wmplayer.adm, to a version that contains the new settings for Windows XP with SP2. For more information, see "Controlling Windows Media Player to Limit the Flow of Information to and from the Internet" and "Procedures for Configuration of Windows Media Player," later in this section. Also, see Appendix B, Learning About Group Policy and Updating Administrative Templates.
Moderate control and moderate flexibility. With this option, the user has access to the Player, but you maintain control over which options they are able to use.
Free access: Allow free access for all.
Highest access to the Internet and media content.
130
The following subsections describe how Windows Media Player 9 Series communicates with the Internet and how to control the flow of information to and from the Internet. It also gives procedures for using Group Policy to control the user interface, playback, and networking for Windows Media Player.
How Windows Media Player Communicates with Sites on the Internet

The Windows Media Player interface opens locally when the user navigates through Start\Programs or Start\All Programs, or else clicks the shortcut on the desktop. When the user selects either Media Guide, Radio Tuner, Premium Services, or Skin Chooser/More Skins from the Player taskbar, Windows Media Player connects to www.WindowsMedia.com through either a local area network (LAN) or a modem connection.
Communication with the WindowsMedia.com Site

When a connection is made with the Internet, WindowsMedia.com provides the following key features. Metadata retrieval Metadata submission Media guide Radio tuner Premium services Codec download Player update Newsletter signup Downloadable skins Downloadable visualizations Downloadable plug-ins Downloadable device service providers (SPs) Customer experience improvement program Windows Media digital rights management (DRM) Internet access
Communication with Other Sites

WindowsMedia.com is a Web site operated by Microsoft and is tightly integrated into Windows Media Player. Media Guide and Radio Tuner are Web pages provided by WindowsMedia.com. All of the CD audio data, DVD data, radio presets, and information in the Info Center View pane of the Now Playing feature also come directly from WindowsMedia.com. Other services provided by WindowsMedia.com include the Player updates and download support for codecs, skins, and
131
visualizations. (A codeccompressor/decompressoris software that compresses or decompresses audio or video data.) To support the playback of secure content, Windows Media Player will also contact: Non-Microsoft DRM license servers Microsoft DRM upgrade service
The other common Internet connections that Windows Media Player makes are to media servers that are run by content providers.
Data Exchanged During Communication with the Internet

The following subsections describe various aspects of the data that is sent to and from the Internet through Windows Media Player, and how the exchange of information takes place: Information Sent or Received When Specific Features Are Used Default Settings and Triggers Logging, Encryption, Identification of User, and Privacy Transmission Protocols and Ports Enabling and Disabling Features
Important Group Policy settings such as Prevent CD and DVD Media Information Retrieval affect the way that Windows Media Player communicates with the Internet. For more information, see "Controlling Windows Media Player to Limit the Flow of Information to and from the Internet," later in this section.
Information Sent or Received When Specific Features Are Used

When a user uses one of the features of the Player listed previously, information is sent to or from the Internet as follows: Non-Microsoft digital rights management (DRM) license servers. When users try to play back content protected with Microsoft DRM technology, the Player will try to acquire a license for the content from a license server. The license acquisition process might also update the user's DRM revocation and exclusion lists. These lists are used to block compromised applications from accessing secure content. Microsoft DRM upgrade service. The upgrade service provides users with the option to upgrade their DRM components in case the secure content that they want to play requires an upgraded component that supports the higher level of security. Media servers run by content providers. To provide streaming media, it is necessary for Windows Media Player to communicate directly with a media server. These servers are typically operated by non-Microsoft content providers, and are not under Microsoft control. Metadata retrieval. When the user triggers a metadata request (see the bulleted item, "Triggers and user notifications" in Default Settings and Triggers, later in this section), a CD table of contents or DVD identification is sent from the user's computer, and then metadata is retrieved. The metadata can include album art, track names, lyrics, and even
132
artist biographical information. The metadata is stored in the user's media library for offline use. Metadata submission. This is a service that enables users to submit corrections to the WindowsMedia.com metadata database. A cookie on the client is accessed by WindowsMedia.com (unless the cookie is blocked). The CD table of contents or DVD identification and the user's corrected metadata are sent to WindowsMedia.com. Media guide. Media Guide is a set of Web pages, hosted within the Windows Media Player interface, that focuses on streaming media. A cookie on the client is accessed by WindowsMedia.com (unless the cookie is blocked) and WindowsMedia.com sends the Media Guide Web page. Radio tuner. Radio Tuner is a set of Web pages, hosted within the Windows Media Player interface, that focuses on Internet radio stations. A cookie on the client is accessed by WindowsMedia.com (unless the cookie is blocked) and WindowsMedia.com sends the Radio Tuner Web page, with presets (if the cookie is not blocked). Premium services. Premium Services is a set of Web pages, hosted within the Windows Media Player interface, that enables users to visit and subscribe to premium content service providers. A cookie on the client is accessed by WindowsMedia.com (unless the cookie is blocked) and WindowsMedia.com sends the Premium Services Web page, which displays a list of media content that can be played in the Player. Codec download. This service enables users to acquire certain codecs during playback if they are not resident on the user's system. A codec identifier is sent to codecs.microsoft.com. A codec is downloaded and installed if available. Player update. This service enables a user to learn about and acquire updated Windows Media Player components, but only if the user is logged on as an administrator. The version number and the language of the installed Player (for example, English) are sent to autoupdate.windowsmedia.com. Information about available updates is returned and the user can accept or decline the updates. Newsletter signup. The Media Guide provides a link to the Microsoft Network (MSN) newsletter service so that users can sign up for MSN Entertainment newsletters. A cookie on the client is accessed by the Microsoft Web site (unless the cookie is blocked). Any sign-up for MSN Entertainment newletters is done through newsletters.msn.com. Downloadable skins. In the Tools menu, under Download, Skins links to a Web page that contains extra downloadable skins. A cookie on the client is accessed by WindowsMedia.com (unless the cookie is blocked) and the Skins Web page is sent back in Internet Explorer. Downloadable visualizations. In the Tools menu, under Download, Visualizations links to a Web page that contains extra downloadable visualizations. A cookie on the client is accessed by WindowsMedia.com (unless the cookie is blocked) and the Downloadable Visualizations Web page is sent back in Internet Explorer. Media library. Media Library lists the users collection of audio and video files, as well as links to sources for audio and video. This information can be accessed by other software on the users computer and on the Internet. Downloadable plug-ins. In the Tools menu, under Download, Plug-ins links to a Web page that contains new features that can be added to Windows Media Player. A cookie on the client is accessed by the Microsoft Web site (unless the cookie is blocked) and the Plug-ins Web page is sent back in Internet Explorer.
133
Downloadable device service providers (SPs). In the Tools menu, under Download, Portable Device SPs links to the Cool Devices Web page, one of the Windows Media 9 Series Web pages on the Microsoft Web site. This Web page offers users information about a variety of portable media devices and gives users the option of purchasing these devices online. Users can also download media drivers for those devices. A cookie on the client is accessed by the Microsoft Web site (unless the cookie is blocked) and the Cool Devices Web page is sent back in Internet Explorer. Customer experience improvement program. This option, which is available through Tools\Options\Privacy, specifies whether to send anonymous Windows Media Player usage information to Microsoft. The anonymous information obtained from the user is used to improve the Player and related services. Cookies. Windows Media Player uses the Internet as a networking and information source. When accessing the Internet, cookies may be downloaded to the users computer or uploaded to a media service. Site logs. Servers that provide media content create two types of logs as follows: Raw IIS log. On servers that provide media content, a standard Internet Information Services (IIS) log records all requests to the server. This log includes the IP address of the client and a cookie. It is not encrypted. Tracking log. Servers that provide media content also have a tracking log that records all requests. It includes the IP address of the client and a cookie. The log is neither encrypted nor correlated with personally identifiable information.
The Player also generates a streaming media log and sends it to any media servers that exist on your network. For more information, see "Logging, Encryption, Identification of User, and Privacy," later in this section.
Default Settings and Triggers

The following list describes default settings in Windows Media Player as well as the triggers that might initiate communication between Windows Media Player and the Internet. Important Group Policy settings such as Prevent CD and DVD Media Information Retrieval affect the way that Windows Media Player communicates with the Internet. For more information, see "Controlling Windows Media Player to Limit the Flow of Information to and from the Internet," later in this section. Default settings: Some of the Windows Media Player features and options are enabled by default. One option not enabled by default is the globally unique identifier (GUID) that uniquely identifies the Player. Another option that is not enabled by default is metadata that is downloaded for files. Triggers and user notifications: The features that can initiate communication with the Internet are triggered individually by various user interactions as listed below. With some features, the user is presented with a Web page that is both a notification and a trigger, providing items for the user to click in order to complete a download. With other features, the user may or may not be notified at the time of the trigger, as described in this list. Metadata retrieval Notification. The user is not notified.
134
Trigger. When the user first inserts a CD or DVD, or when the user requests detailed information (for example, by using the Media Details button), information is retrieved automatically from WindowsMedia.com. Metadata submission Notification. The user is notified. Trigger. When the user submits corrected metadata for files, CDs, and DVDs, information is sent to WindowsMedia.com. Media guide Notification. The user is not notified. Trigger. The media guide is triggered automatically if the user selects the Start Player in Media Guide check box on the Player tab in the Options dialog box, or when the user selects Media Guide from the taskbar. Radio tuner Trigger and notification. When the user selects Radio Tuner from the taskbar, the Radio Station Selection Web page is triggered, and the user can select from the page. Premium services Trigger and notification. When the user selects Premium Services from the taskbar, the Premium Services Web page is triggered, and the user can select from the page. Codec download Notification. There is no Windows Media Player pop-up message. If the site from which a codec is being downloaded is not a trusted site, a security dialog box will pop up. The Windows Media Player status bar will indicate that a codec is being downloaded. Trigger. The trigger occurs when a user tries to play media content requiring a codec that is not on the user's computer. Player update Notifications. The user is notified. The user is prompted to download, but can decline to do so. Trigger. At a set frequency (for example, weekly), if the user is online and is logged on as an administrator, a check is made for updated Windows Media Player components. This can be disabled through Group Policy. Newsletter signup Trigger and notification. The user selects Subscribe to the Newsletter on the Media Guide. If a user fills in the Web page offering newsletter options and then clicks Subscribe, the user is signed up. Downloadable skins Trigger and notification. Users select More skins from the Skin Chooser menu, which brings up the Skins Web page. When users select a skin from this screen, they are prompted to accept or reject the download. If they accept, the skin is downloaded. Downloadable visualizations Trigger and notification. The user selects Download Visualizations from Tools\Download\ Visualizations, which brings up the Downloadable Visualization Web
135
page. When the user selects a visualization from this page, they are prompted to accept or reject the download. If the user accepts, the visualization is downloaded. Downloadable plug-ins Trigger and notification. Users select Download Plug-ins from Tools\Download\Plugins or from View\Plug-ins, or they select Look for Plug-ins on the Internet in Tools\Options\Plug-ins, which brings up the Plug-ins Web page. When users select a plug-in from this screen, they are prompted to accept or reject the download. If they accept, the plug-in is downloaded. Downloadable device SPs Trigger and notification. Users select Tools\Download\Portable Device SPs, or they select Supported portable devices and drivers from the Items on the Device dropdown list in the Copy to CD or Device window. When the user purchases a portable device or driver, the device or driver is downloaded. Customer experience improvement program Trigger and notification. Users select the following check box in Tools\Options\Privacy: I want to help make Microsoft software and services even better by sending the Player usage data to Microsoft. If they accept, Microsoft will collect anonymous information about their hardware configuration and how they use the software and services so that Microsoft can identify trends and usage patterns. If the user accepts, there is no notification at the time information is transferred. Media library Trigger and notification. The trigger occurs when the user adds purchased media to the library from WindowsMedia.com or another media vendor. Access can be turned off through the Media Library tab in Tools\Options. Cookies Notification. The way that Windows Media Player handles cookies sent from a Web site depends on privacy settings that affect Internet Explorer, Outlook Express, Windows Media Player, and any other programs that rely on these settings. These settings control whether cookies are allowed, cookies are blocked, or the user is prompted before a cookie is allowed. The settings are controlled through the Internet Explorer component, although you can also configure these settings through the Player. To do this, in the Player, on the Tools menu, click Options, click the Privacy tab, and then click the Cookies button. Trigger. The trigger occurs automatically when a Web site is accessed.
Logging, Encryption, Identification of User, and Privacy

The following list describes the way the Player sends logging information to a streaming media server, the encryption options available for the Player, the fact that the Player does not uniquely identify the user, and the privacy statements related to the Player. Logging: Logging occurs when information is sent from the Player to a streaming media server. Logging can also occur when information is sent from the Player to a program on a Web server, if the program is designed to create log entries. For more information about logging, refer to the white paper, "Logging Model for Windows Media Services 9 Series," on the Microsoft Web site at:
136
Logging informs the server of various pieces of information so that services can be improved. The information includes such details as connection time and the Internet protocol (IP) address of the computer that is connected to the servertypically a Network Address Translation (NAT) or proxy server. This information also includes the version, identification number (ID), date, and protocol of Windows Media Player. Most information is neither unique nor traceable to the users computer. For more detailed information about the exchange of information in Windows Media Player, see the following bulleted item, "Privacy. Encryption: Windows audio media can be encrypted using the Secure Audio Path feature in digital rights management (DRM). The Secure Audio Path feature maintains audio encryption beyond the Player application. Secure Audio Path is a feature of Microsoft Windows that maintains the security and protection of digital music that has been encrypted by using DRM technology. Secure Audio Path provides an infrastructure for maintaining copy protection on music.
The client can also progressively download content from a Web server using HTTPS. A client and server may also use Internet Protocol security (IPSec) to encrypt packets that traverse the network. Uniquely identify user: Windows Media Player at no time requests any personally identifiable information (such as name, address, or phone number). Privacy: Windows Media Player and WindowsMedia.com both have published privacy statements that detail their data collection and use practices. These documents are available to users at the following locations: The Windows Media Player 9 Series privacy statement at: http://go.microsoft.com/fwlink/?LinkId=29870 The WindowsMedia.com privacy statement at: http://go.microsoft.com/fwlink/?LinkId=29868
Transmission Protocols and Ports

The following list describes the transmission protocols and ports used by the Player. Transmission protocol: With Windows Media Player, you can specify that selected protocols are used while receiving streaming media from a media server using either Microsoft Media Server (MMS) or Real-Time Streaming Protocol (RTSP) protocols as follows.
Windows Media Player interprets the media stream coming from the media server and tries User Datagram Protocol (UDP). If the stream is from a server running Windows Media Player 9 Series, the Player will try RTSP/UDP. If the media stream is coming from a server running a previous version of the Player, the Player will try MMS/UDP. If the Player is unable to connect through UDP (for example, if the Player is behind a firewall that does not allow UDP), the Player tries the Transmission Control Protocol (TCP). If the Player is unable to connect through TCP on the desired port, the Player tries HTTP. This protocol rollover takes place by moving from the most efficient protocol (UDP) to the least efficient protocol (HTTP), because not all firewalls have the necessary ports open to play Windows Media streams. Multicast. Routers will not pass multicast streams across an intranet unless specifically configured to do so. UDP. UDP is used with port selection if required due to firewall or proxy issues. If the UDP check box is selected and the UDP ports box is blank, the Player uses default ports
137
when playing content from an MMS URL. If the UDP check box is not selected, the information in the UDP ports box is ignored. If using a network address translator (NAT), UDP will fail unless the NAT supports dynamic opening of ports through UPnP. TCP. TCP means either MMS over TCP or RTSP over TCP. HTTP. When the HTTP protocol is selected, the HTTP protocol is used to receive streaming media from an MMS or RTSP URL.
If none of the protocols is selected, content from an MMS or RTSP URL cannot be played. Port: The Windows Media Player client communicates across random ports as designated by the operating system. The server port is a "well-known port" as follows: Transmission protocol and port: The transmission protocol is HTTP and the port is 80. Real Time Streaming Protocol (RTSP) UDP or TCP: The port number is 554. Microsoft Media Server (MMS) UDP or TCP: The port number is 1755.
In a TCP connection, there is only one socket created. (A socket is an identifier for a particular service on a particular node on a network.) You therefore need only one port number on the client and one on the server. Commands (such as play, pause, and fast forward) and data (audio and video) are sent across the same socket connection. In UDP connections, however, the client makes a TCP connection to the server and sends commands over it. The server then opens a UDP socket to the client. It is over this second socket that the audio and video data is sent, and it is this second socket that firewalls and proxies typically block. The version of HTTP in use before July 1999 was HTTP/1.0, and the version in use since then is HTTP/1.1. In an HTTP streaming connection using HTTP/1.0, there is only one socket opened at a time. With HTTP/1.0, for each play, pause, stop, fast forward, or rewind operation, the original socket is closed, another socket is opened, and this second socket will more than likely use a different port number on the client. (There are other operations that use more than one socket.) If the enterprise network implements a firewall that prevents users from receiving streams that use the UDP or TCP protocols, Windows Media Player can be configured to work with firewalls as described in the next bulleted item. Windows Media and Firewalls Windows Media normally streams through UDP/IP on a wide range of ports (these port numbers are provided later in this list). Aware of the possible security issues that a range this size can cause, Microsoft has also enabled Windows Media to stream with TCP/IP through port 1755 or with RTSP through port 554. For those sites where opening a port that is not "well known" is a problem, Windows Media can also stream through HTTP on port 80. HTTP streaming from Windows Media Services is disabled by default. Some firewalls have a preconfigured NetShow Player (the former name for Windows Media Technologies) setting, which may work for Windows Media. There are five primary scenarios to consider when you set up a firewall to accommodate Windows Media: Using Windows Media Player behind a firewall to access content outside the firewall Using Windows Media Player outside a firewall to access content on a media server behind the firewall
138
Using Windows Media Encoder outside a firewall to communicate with a media server behind the firewall, or to communicate between two servers across a firewall Using Windows Media Administrator outside a firewall to manage a media server behind a firewall IP multicast
This section of the white paper describes only the first and last scenariosthat is, the case of the client behind the firewall and the case of IP multicast. In the examples below, the in port is the port that the server uses to get past the firewall. The out port is the port that Microsoft Windows Media Player or other clients use to communicate with the server. Client configuration behind a firewall
A firewall configuration that enables users with Windows Media Player behind a firewall to access media servers outside the firewall is as follows: Streaming ASF with UDP Out: TCP on port 1755 Out: UDP on ports 1755 and 5005 In: UDP between ports 1024 and 5000 (As a security measure, estimate the number of ports that you will need by determining how many clients you expect, and open only that number of ports.) In: RTSP on port 554 Streaming ASF with TCP In and out: TCP on port 1755 In and out: RTSP on port 554 Streaming ASF with HTTP In and out: TCP on port 80 IP multicast
Choosing to allow Windows Media streaming through IP multicast is simply a choice to allow traffic that is addressed to the standard Class D IP addresses (224.0.0.0 through 239.255.255.255). As of this writing, most routers have IP multicast disabled. Router companies made a decision to have their equipment default to disable IP multicast at a time when a typical video stream took up 30 percent of a 10BaseT network. (10BaseT is the Ethernet standard for baseband local area networks.) Microsoft is working with major router vendors to reverse this situation, now that media streams are compressed and standards are in place that eliminate unwanted multicast traffic. The Internet Group Management Protocol (IGMP) supported by Windows Media assures that multicast traffic passes through the network only when a client has requested it. Windows Media streams are highly compressed, usually only taking up the bandwidth of a single modem connection. The following firewall configuration enables IP multicasting: Streaming ASF with multicast IP multicast address range: 224.0.0.1 through 239.255.255.255 To enable IP multicasting, you must allow packets sent to this standard IP multicast address range to come through the firewall. This IP multicast address range must be enabled on both client and server sides, as well as on every router in between. For more information about firewall settings for Windows Media, search for the latest information on the Windows Media Web site at:
139
http://www.microsoft.com/Windows/WindowsMedia/ Information about firewall settings can also be found on the Windows Media Web site at: http://go.microsoft.com/fwlink/?LinkId=29862
Enabling and Disabling Features

All key features in Windows Media Player are enabled by default. However, each can be disabled through Tools\Options in Windows Media Player, through the use of Group Policy, or through an answer file during unattended installation. For more information, see "Settings That Can Be Controlled Through Group Policy" and "Procedures for Configuration of Windows Media Player," later in this section.
Controlling Windows Media Player to Limit the Flow of Information to and from the Internet
If the Player is not widely used in your organization, you can remove all visible entry points to it by using the procedure described in the subsections that follow. If Windows Media Player is being used in your organization, you can control individual features of the Player either through Tools\Options or through Group Policy. The recommended method for controlling the features in a managed environment is through Group Policy. To use this method, you must first update the appropriate Administrative template, Wmplayer.adm, to a version that contains the new Group Policy settings for Windows XP with SP2. For more information, see Appendix B, Learning About Group Policy and Updating Administrative Templates. A white paper in the Enterprise Deployment Pack (EDP) for Windows Media Player 9 Series provides detailed information about Group Policy settings that you can use with Windows Media Player 9 Series. To download the white paper or the entire EDP, see the Windows Media Web site at: http://go.microsoft.com/fwlink/?LinkId=29521 Note that there are several relevant Group Policy settings for Windows XP with SP2 that are not described in a version of the EDP white paper, specifically, the version for Windows XP with SP1. These Group Policy settings are as follows: Prevent Radio Station Preset Retrieval: This setting is located in User Configuration\Administrative Templates\Windows Components\Windows Media Player. Prevent Windows Media DRM Internet Access: This setting is located in Computer Configuration\Administrative Templates\Windows Components\Windows Media Digital Rights Management.
For more information about these settings, first ensure that you have updated to the latest Administrative template files as described in Appendix B, "Learning About Group Policy and Updating Administrative Templates." Then navigate to a setting, double-click it, and read the explanatory text. The following sections describe options for controlling Windows Media Player using Group Policy and other methods. For information about viewing or configuring these options, see "Procedures for Configuration of Windows Media Player," later in this section.
140
Controlling Windows Media Player Through the User Interface

When users interact with Windows Media Player through the user interface, they can limit the flow of information to and from the Internet by following this list of practices. Metadata retrieval. Avoid inserting a CD or DVD. After clicking Tools\Options, on either the Media Library or Privacy tab, clear the check box labeled Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet. On the Privacy tab, clear the check box labeled Retrieve media information for CDs and DVDs from the Internet. Metadata submission. Avoid submitting metadata. Media guide. After clicking Tools\Options, on the Player tab, clear the Start Player in Media Guide check box. Radio tuner. Use a custom skin with no Radio Tuner access. In addition, see the previous subsection for a note describing a Group Policy that prevents radio station preset retrieval. Codec download. After clicking Tools\Options, on the Player tab, clear the Download codecs automatically check box. Newsletter signup. Use a custom skin with no Media Guide access. Eliminating access to Media Guide eliminates access to the newsletter signup. Downloadable skins. Use a custom skin that does not display downloadable skins. Downloadable visualizations. Use a custom skin that does not display downloadable visualizations. Download plug-ins. Avoid selecting the Download Plug-ins options from any of the trigger locations mentioned previously. Download Device SPs. Avoid selecting the Download Device SPs options from any of the trigger locations mentioned previously. Customer experience improvement program. Avoid selecting the option.
As an administrator, you can use Group Policy settings to prevent users from selecting the option. Enable Hide Privacy Tab to keep users from selecting the option in that tab. Enable the Do Not Show First Use Dialog Boxes policy setting to keep users from selecting the option in those dialog boxes. Connect to the Internet. After clicking Tools\Options, on the Player tab, clear the check box labeled Connect to the Internet (overrides other commands). Licenses. After clicking Tools\Options, on the Privacy tab, clear the Acquire licenses automatically for protected content check box.
Settings That Can Be Controlled Through Group Policy

A wide variety of configuration settings for Windows Media Player can be controlled through Group Policy. A white paper in the Enterprise Deployment Pack (EDP) for Windows Media Player 9 Series provides detailed information about these settings. To download the white paper or the entire EDP, see the Windows Media Web site at: http://go.microsoft.com/fwlink/?LinkId=29521
141
Note that there are several relevant Group Policy settings for Windows XP with SP2 that are not described in a version of the EDP white paper, specifically, the version for Windows XP with SP1. These Group Policy settings are as follows: Prevent Radio Station Preset Retrieval: This setting is located in User Configuration\Administrative Templates\Windows Components\Windows Media Player. Prevent Windows Media DRM Internet Access: This setting is located in Computer Configuration\Administrative Templates\Windows Components\Windows Media Digital Rights Management.
For more information about these settings, first ensure that you have updated to the latest Administrative template files as described in Appendix B, "Learning About Group Policy and Updating Administrative Templates." Then navigate to a setting, double-click it, and read the explanatory text.
Other Ways to Control Windows Media Player

You can control several aspects of Windows Media Player by using methods other than the user interface or the individual Group Policy settings for Windows Media Player. These methods for controlling the Player include the following: Prevent users from starting Windows Media Player through Group Policy by adding Wmplayer.exe to a list of Windows applications that cannot be run. This will prevent users from opening the Player by double-clicking media files or through other indirect methods. For more information, see "To Prevent Users from Starting Windows Media Player by Using Group Policy," later in this section. Use Set Program Access and Defaults, which is available from the Start menu, to remove visible entry points to Windows Media Player. With this dialog box, the administrator of a computer running Windows XP Professional with SP2 can specify which media player is shown on the Start menu, desktop, and other locations. Use the firewall or proxy or both to block access to the WindowsMedia.com Web site. Create custom player skins that contain only those features that you want users to use. For information about creating custom skins, see these MSDN Web sites:
Windows Media Player Skins at http://go.microsoft.com/fwlink/?LinkId=29864 Introducing the Windows Media Player SDK at http://go.microsoft.com/fwlink/?LinkId=29863
Procedures for Configuration of Windows Media Player

Windows Media Player can be configured in several ways, as described previously. This subsection provides procedures for the following: Locating Group Policy settings for configuring Windows Media Player Accessing the Network tab on the user interface in Windows Media Player (to set streaming media protocols) Preventing users from starting Windows Media Player by using Group Policy Removing visible entry points to Windows Media Player on a computer running Windows XP with SP2
142
Removing visible entry points to Windows Media Player during unattended installation by using an answer file
Important To prevent users from manually updating Windows Media Player, we recommend that those users are not set up with administrative credentials on their computers.
To Locate Group Policy Settings for Configuring Windows Media Player

1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. In Group Policy, click User Configuration, click Administrative Templates, click Windows Components, and then click Windows Media Player. 3. View the Group Policy settings that are available. 4. Click Computer Configuration, click Administrative Templates, click Windows Components, and then click Windows Media Player. 5. View the Group Policy settings that are available. For more information about these settings, see the white paper described in "Settings That Can Be Controlled Through Group Policy," earlier in this section.
Setting Streaming Media Protocols

There are two methods for setting streaming media protocols. One method, described in the following procedure, is to use the Network tab to both configure the protocols and proxy settings that you want Windows Media Player to use when receiving streaming media files, and to then hide the Network tab through the use of Group Policy in Windows Media Player. The second method is to use Group Policy directly. For more information about using Group Policy, see "To Locate Group Policy Settings for Configuring Windows Media Player" and "Settings That Can Be Controlled Through Group Policy," earlier in this section.
To Access the Network Tab on the User Interface in Windows Media Player
1. On the Tools menu, click Options, and then click Network. 2. The following options are listed on the Network tab: Protocols. Specifies the protocols that Windows Media Player can use to receive a stream. Select one or more of the following: Multicast UDP TCP HTTP By default, all protocols are selected, which means that the Player tries to use each protocol in turn until it finds one that succeeds. Because the Player can receive files using a variety of protocols, we recommend that you select all protocols.
143
Use ports. Specifies a particular portor port range if UDP is the protocol used through which to receive streaming content. This option is useful if your network or firewall administrator has established a specific port that enables streaming content to pass through. Unless otherwise instructed, Windows Media streams attempt to pass through firewalls on port 1755. Streaming proxy settings. Select one of the following: HTTP MMS RTSP Proxy settings specify how each protocol operates with a proxy server. Proxy servers are used when networks are protected by firewalls. If your network is behind a firewall, and you do not know how to configure your settings, refer to "Windows Media and Firewalls" in the list under "How Windows Media Player Communicates with Sites on the Internet, earlier in this section.
Configure button. Click this button to change the proxy settings of the selected protocol. The following table lists the options for configuring a protocol to work with a proxy server.
Options for Configuring a Protocol to Work with a Proxy Server

This Option Autodetect proxy settings Use proxy settings of the Web browser Do not use a proxy server Use the following proxy server Specifies That The Player discovers the ports that are open and uses them to receive streaming content. The Player uses the same HTTP configuration as your browser to access network communication. The Player does not attempt to communicate with a proxy server. Typically, this means that the Player does not receive streaming content from the Internet. The Player uses the proxy server and port that you specify. Select Bypass proxy server for local addresses if you do not want the Player to use the proxy server when streams are from local servers.
To Prevent Users from Starting Windows Media Player by Using Group Policy
1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO. 2. In Group Policy, click User Configuration, click Administrative Templates, and then click System. 3. In the details pane, double-click Dont run specified Windows applications. 4. Select Enabled, click Show, click Add, and then type the executable name: Wmplayer.exe
To Remove Visible Entry Points to Windows Media Player on a Computer Running Windows XP with SP2
1. Click Start and then click Set Program Access and Defaults.
144
2. Click the Custom button. Note Alternatively, you can click the Non-Microsoft button, which will not only remove visible entry points to Windows Media Player, but also to Internet Explorer, Outlook Express, and Windows Messenger. If you do this, skip the remaining steps of this procedure. 3. To disable access to Windows Media Player on this computer, to the right of Windows Media Player, clear the check box for Enable access to this program. 4. If you want a different default media player to be available to users of this computer, select the media player from the options available. Note For the last step, if your program does not appear by name, contact the vendor of that program for information about how to configure it as the default. Also, for related information about registry entries that are used to designate that a program is a browser, e-mail, media playback, or instant messaging program, see Registering Programs with Client Types on the MSDN Web site at: http://go.microsoft.com/fwlink/?LinkId=29306 For more information about Set Program Access and Defaults, see article 328326, How to Use the Set Program Access and Defaults Feature in Windows XP Service Pack 1, in the Microsoft Knowledge Base at: http://go.microsoft.com/fwlink/?LinkId=29309
To Remove Visible Entry Points to Windows Media Player During Unattended Installation by Using an Answer File
1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A, "Resources for Learning About Automated Installation and Deployment." 2. In the [Components] section of the answer file, include the following entry: WMPOCM = Off For complete details about how the WMPOCM entry works, see the resources listed in Appendix A, "Resources for Learning About Automated Installation and Deployment." Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).
145
Windows Messenger
This section provides information about the following: The benefits of Windows Messenger How Windows Messenger communicates with sites on the Internet How to control Windows Messenger to limit or prevent the flow of information to and from the Internet
Note The version of Windows Messenger that comes with Windows XP with SP2 is version 4.7.3000. If you plan to use Windows Messenger in your organization, we recommend that you deploy server infrastructure that is appropriate to your situation. For more information, see Instant Messaging (IM) Clients for Exchange 2000 Instant Messaging Service on the Microsoft Web site at: http://go.microsoft.com/fwlink/?LinkId=29865
Benefits and Purposes of Windows Messenger

Windows Messenger enables users to communicate instantly and to collaborate with their selected contacts. Windows Messenger version 4.7.3000 in Microsoft Windows XP Professional with Service Pack 2 (SP2) offers not only instant messaging, but also voice and video communications, application sharing, whiteboard, file transfer, and remote assistance.
Overview: Using Windows Messenger in a Managed Environment

Windows Messenger clients initiate communication between one another through server infrastructure that provides for client registration, configuration, and presence (the online status of a users contacts). This server infrastructure also acts as a broker in client-to-client communication. In an Internet environment, the server infrastructure used by Windows Messenger is .NET Passport. In a managed environment, you can provide the needed server infrastructure with either of two products, Exchange 2000 Instant Messaging Service or Microsoft Live Communications Server 2003. The following list describes these services: .NET Messenger Service (Internet environment): This service enables users who have a Microsoft .NET Passport account to communicate with Windows Messenger across the Internet. Live Communications Server 2003 (managed environment): This product provides support for instant messaging, presence awareness, and an extensible platform that connects people, information, and business processes. Encryption is one of the features included in this product. With Live Communications Server 2003, you must use Windows Messenger 5.0 on clients. The server operating systems that support Live Communications Server 2003 are Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
146
For more information, see the Live Communications Server Web site at: http://go.microsoft.com/fwlink/?LinkId=29216 Exchange 2000 Instant Messaging service (managed environment): This service is a component of Exchange 2000 Server that uses Microsoft Active Directory directory service to provide additional security and identity controls critical to enterprise customers. We recommend that you use Windows Messenger 5.0 on clients when using Exchange 2000 Instant Messaging service. The server operating system that supports Exchange 2000 Server is Windows 2000 Server.
For more information, see Instant Messaging (IM) Clients for Exchange 2000 Instant Messaging Service on the Microsoft Web site at: http://go.microsoft.com/fwlink/?LinkId=29865
How Windows Messenger Communicates with Sites on the Internet

This section describes various aspects of the data that is sent to and from the Internet through Windows Messenger and how the exchange of information takes place. Specific information sent or received: Information sent or received when the .NET Messenger Service is used: For a description of the information that Microsoft requests when users sign up for the .NET Messenger Service, and about hardware and software information collected automatically by the .NET Messenger Service, see the .NET Messenger Service Statement of Privacy at: http://go.microsoft.com/fwlink/?LinkId=29218 Information sent or received by Windows Messenger: Windows Messenger also sends less obvious information when communicating with a server that supports it: Change in presence status Typing indicator traffic during a conversation Network Address Translation (NAT) traversal traffic to echo the server for the PC to Phone feature UPnP NAT traversal traffic Information sent or received through the Windows Messenger Customer Experience Improvement Program: With the Windows Messenger Customer Experience Improvement Program, users can allow Microsoft to collect anonymous information about how the product is used. Examples of information collected include the number of times a user logs on or off, which features of Messenger are used, and the length of the sessions. This information is used to improve the product in future releases. You can use Group Policy to prevent users from using this program. For more information, see Procedures for Windows Messenger, later in this section. Default: The default is to enable open communication between internal and external networks. Trigger and user notification: Windows Messenger is triggered when the user starts it by any of various methodsfor example, by double-clicking the icon in the task bar or clicking Start/All Programs/Windows Messenger. The user interface provides options and prompts that notify the user of available actions.
147
Logging: No logging takes place on the client. Encryption: There is no encryption of information with Windows Messenger 4.7, with the exception of the logon process, which is encrypted. Any information is sent in plaintext format and is therefore open to viewing by anyone. Privacy for the .NET Messenger Service: You can view the privacy statement for the .NET Messenger Service at:
http://go.microsoft.com/fwlink/?LinkId=29218 Port: Audio and video. When an audio/video (A/V) session is being negotiated, dynamic ports are chosen for the audio/video stream. Dynamic ports are used to enable the application to work regardless of which other applications are running on the system and using port resources. The actual Real-time Transport Protocol (RTP) streams are sent using dynamically allocated User Datagram Protocol (UDP) ports in the range of 5004 through 65535. Without a way to open these UDP ports on any firewall in the path dynamically, the streams will fail to reach their destination. Application sharing and whiteboard. Since a specific port is used for the Transmission Control Protocol (TCP) data connection (1503), if the client is behind a NAT device, the port must be mapped to that client. Instant messaging. To initiate instant messaging, the Windows Messenger client uses outgoing TCP connections on port 1863. File transfer: For file transfer, the Windows Messenger client uses ports in the range 6891 through 6900. If all of these ports are available for use, each sender can carry out up to 10 simultaneous file transfers. If port 6891 is the only port available, users will be able to do only one file transfer at a time. Transmission protocol: Presence and instant messaging: The protocol used for presence and for initialization and communication on the instant messaging session depends on the server or service being used. Voice and video. Voice and video calls require more than a server-mediated session. A peer-to-peer session is needed to avoid creating congestion on the server. In this case, the servers and services are used to initiate the session setup and media type negotiation using Session Initiation Protocol (SIP) and Session Description Protocol (SDP). The Real-time Transport Protocol (RTP) is used over UDP for the actual voice or video streams. Application sharing and whiteboard. Application sharing and whiteboard, modes of communication and collaboration in Windows Messenger, start out the same as a voice or video session. The Rendezvous service is used to exchange the initial invitations, followed by a SIP invitation and acknowledgment in which the session information is exchanged. When voice and video are compared with application sharing and whiteboard, the differences are as follows: For application sharing and whiteboard, the actual media exchange is done using T.120 over a TCP connection as opposed to UDP. (T.120 is a set of International Telecommunications Union specifications for multipoint data communications services within computer applications.) This connection may be initiated by the one being called, as are many Windows Messenger calls.
148
For application sharing and whiteboard, the port used for the TCP connection is set at port 1503 on the called station. File transfer. A file transfer session, used when the client requests to send a file to a peer, is initiated similarly to voice, video, application sharing, and whiteboard, but without the SIP invitation and acceptance exchange. Once the session is configured through the server, file transfer is accomplished using a TCP connection between the peers over a fixed range of ports. Remote assistance. Remote assistance uses Remote Desktop Protocol (RDP)the same protocol used by Microsoft Terminal Services. RDP is used over TCP/IP. Windows Messenger sets up the remote assistance session using the server-based session invitation logic. This is similar to file transfer. The additional SIP invitation signaling is only added if a voice session is added in support of remote assistance. Ability to disable: Windows Messenger can be disabled through Group Policy. The procedures for this method are provided later in this section.
Controlling Windows Messenger to Limit or Prevent the Flow of Information to and from the Internet
Windows Messenger can be controlled in a variety of ways, including: Group Policy Through Set Program Access and Defaults, which is available from the Start menu. With Set Program Access and Defaults, you can remove visible entry points to Windows Messenger from the Start menu, desktop, and other locations.
The recommended method for a managed environment is through the use of Group Policy. The procedures for these methods are given in the next subsection. For more information, see the white paper, Windows Messenger in Windows XP: Working With Firewalls and Network Address Translation Devices on the Microsoft TechNet Web site at: http://go.microsoft.com/fwlink/?LinkId=29219
Procedures for Windows Messenger

The following subsections provide information about the following: Preventing Windows Messenger from running on a computer running Windows XP Turning off the Windows Messenger Customer Experience Program Removing visible entry points to Windows Messenger on a computer running Windows XP with SP2 Removing visible entry points to Windows Messenger during unattended installation of Windows XP with SP2 by using an answer file
149
To Prevent Windows Messenger from Running by Using Group Policy

1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click Windows Components, and then click Windows Messenger. 3. In the details pane, double-click Do not allow Windows Messenger to be run, and then click Enabled. Note This method also prevents applications that use the Windows Messenger application programming interfaces (APIs) from using Windows Messenger. Outlook 2002, Outlook Express 6, and the Remote Assistance feature in Windows XP are examples of programs that use these APIs and that depend on Windows Messenger.
To Turn Off the Windows Messenger Customer Experience Program

1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, click Computer Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, click User Configuration. 3. Click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings. 4. In the details pane, double-click Turn off the Windows Messenger Customer Experience Improvement Program. Important You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management or in User Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."
To Remove Visible Entry Points to Windows Messenger on a Computer Running Windows XP with SP2
1. Click Start and then click Set Program Access and Defaults. 2. Click the Custom button. Note Alternatively, you can click the Non-Microsoft button, which will not only remove visible entry points to Windows Messenger, but also to Internet Explorer, Outlook Express, and Windows Media Player. If you do this, skip the remaining steps of this procedure. 3. To disable access to Windows Messenger on this computer, to the right of Windows Messenger, clear the check box for Enable access to this program.
150
4. If you want a different default instant messaging program to be available to users of this computer, select the instant messaging program from the options available. Note For the last step, if your program does not appear by name, contact the vendor of that program for information about how to configure it as the default. Also, for related information about registry entries that are used to designate that a program is a browser, e-mail, media playback, or instant messaging program, see Registering Programs with Client Types on the MSDN Web site at: http://go.microsoft.com/fwlink/?LinkId=29306 For more information about Set Program Access and Defaults, see article, How to Use the Set Program Access and Defaults Feature in Windows XP Service Pack 1 in the Microsoft Knowledge Base at: http://go.microsoft.com/fwlink/?LinkId=29309
To Remove Visible Entry Points to Windows Messenger During Unattended Installation by Using an Answer File
1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A, "Resources for Learning About Automated Installation and Deployment." 2. In the [Components] section of the answer file, include the following entry: WMAccess = Off For complete details about how the WMAccess entry works, see the resources listed in Appendix A, "Resources for Learning About Automated Installation and Deployment." Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).
151
Windows Movie Maker

This section provides information about the following: The benefits of Microsoft Windows Movie Maker How Windows Movie Maker communicates with sites on the Internet How to control Windows Movie Maker to limit the flow of information to and from the Internet
Benefits and Purposes of Windows Movie Maker

With Windows Movie Maker, users can bring together video, audio, and other multimedia content, then arrange and edit the content to create a finished movie. After creating the movie, users can save it on a hard disk, CD, or DVD, send it in an e-mail, or send it to a video hosting provider on the Web. These tasks are kept simple with an interface based mostly on drag-and-drop and on short lists of tasks from which to choose. As part of keeping tasks simple, Windows Movie Maker can display links to Web sites, such as a link to a potential video hosting provider, and can automatically download missing codecs for audio and video files. (A codeccompressor/decompressoris software that compresses or decompresses audio or video data.)
Overview: Using Windows Movie Maker in a Managed Environment

If you want to prevent users from running Windows Movie Maker, you can use Group Policy. You can also allow users to run Windows Movie Maker, but use Group Policy to control whether Windows Movie Maker can do the following: Automatically download codecs Display links to Web sites Save movies to an online video hosting provider
Note that by default in Windows XP with SP2, Windows Movie Maker does not automatically download codecs. You can configure this option through Windows Movie Maker itself, in addition to configuring it through Group Policy.
How Windows Movie Maker Communicates with Sites on the Internet

The following list describes how Windows Movie Maker communicates with sites on the Internet: Specific information sent or received: The following list describes the information that is sent or received in specific situations.
152
When the user clicks Help and then clicks Windows Movie Maker on the Web, Windows Movie Maker displays the following Web site:
http://www.microsoft.com/windowsxp/moviemaker/default.asp When the user clicks Help and then clicks Privacy Statement, Windows Movie Maker displays the following Web site:
http://go.microsoft.com/fwlink/?LinkId=27987 When the user clicks Tools\Options\Compatibility and clicks the link to learn more about video filters on the Microsoft Web site, Windows Movie Maker displays the following Web site:
http://www.microsoft.com/windowsxp/moviemaker/default.asp When the user chooses to save a movie to the Web, through a wizard, a connection is made to the following Web site in order to obtain a list of potential hosting providers to offer to the user:
http://go.microsoft.com/fwlink/?LinkId=26247 This occurs when, after creating a Windows Movie Maker project, the user clicks the task Send to the Web. Alternatively, the user can click File, click Save Movie File, and then click The Web as the location for saving. The Save Movie Wizard then guides the user through the process of saving the movie and sending it to a video hosting providers Web site. When the user imports an audio or video file for which no codec is available locally, and automatic downloading of codecs is enabled, Windows Movie Maker connects to the following Web site to locate a codec to download:
http://autoupdate.windowsmedia.com Default settings: By default, Windows Movie Maker offers options that allow the user to link to Web sites for information or for saving a movie, as described in the previous item. However, by default, Windows Movie will not automatically download codecs. Triggers and user notification: When downloading of codecs is enabled, connection with the codec server is triggered when the user imports an audio or video file for which no codec is available on the local computer. The user is notified and must confirm the download for it to occur. Otherwise, to cause Windows Movie Maker to connect to a site on the Internet, the user must explicitly click a link or choose the option of saving a movie to the Web. Logging: On the sites to which Windows Movie Maker connects, the only data saved by Microsoft is the number of downloads of a given codec. No computer is identified in the process of a codec download. Encryption: There is no encryption of the requests for Web sites or of the codec downloads that can occur through Windows Movie Maker. Privacy: You can view the Windows Movie Maker privacy statement at:
http://go.microsoft.com/fwlink/?LinkId=27987 Transmission protocol and port: When Windows Movie Maker communicates with sites on the Internet, it uses HTTP with port 80. Ability to disable: You disable Windows Movie Maker through Group Policy. You can also control whether Windows Movie Maker connects to the Internet as described in the following procedures.
153
Procedures for Configuration of Windows Movie Maker

This subsection provides procedures for the following: Disabling Windows Movie Maker by using Group Policy. Locating the Group Policy settings that control how Windows Movie Maker communicates with the Internet. These settings control whether Windows Movie Maker can automatically download codecs, display links to Web sites, or save movies to an online video hosting provider. Configuring Windows Media Player on a specific computer to prevent automatic downloading of codecs.
To Disable Windows Movie Maker by Using Group Policy

1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, click Computer Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, click User Configuration. 3. Click Administrative Templates, click Windows Components, and then click Windows Movie Maker. 4. In the details pane, double-click Do not allow Windows Movie Maker to run.
To Locate the Group Policy Settings that Control how Windows Movie Maker Communicates with the Internet
1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, click Computer Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, click User Configuration. 3. Click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings. 4. View the following Group Policy settings: Turn off Windows Movie Maker automatic codec downloads Turn off Windows Movie Maker online Web links Turn off Windows Movie Maker saving to online video hosting provider
For a detailed explanation of a setting, select the setting and click the Extended tab, or open the setting and click the Explain tab.
154
Important You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management or in User Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."
To Configure Windows Media Player on a Specific Computer to Prevent Automatic Downloading of Codecs
1. Click Start, click Programs or All Programs, and then click Windows Movie Maker. 2. On the Tools menu, click Options. 3. Click the General tab. 4. Make sure that the check box for Download codecs automatically is cleared. Note By default, automatic downloading of codecs for Windows Movie Maker is not enabled.
Related Links
For more information about Windows Movie Maker, see Help in Windows Movie Maker, or see the Windows Movie Maker page on the Microsoft Web site at: http://www.microsoft.com/windowsxp/moviemaker/default.asp
155
Windows Time Service

This section provides information about the following: The benefits of Windows Time Service How Windows Time Service communicates with sites on the Internet How to control Windows Time Service to limit the flow of information to and from the Internet How to monitor and troubleshoot Windows Time Service after configuration is complete
Benefits and Purposes of Windows Time Service

Many components of Microsoft Windows XP Professional with Service Pack 2 (SP2) rely on accurate and synchronized time to function correctly. For example, without clocks that are synchronized to the correct time on all computers, Windows XP authentication might falsely interpret logon requests as intrusion attempts and consequently deny access to users. With time synchronization, you can correlate events on different computers in an enterprise. With synchronized clocks on all of your computers, you ensure that you can correctly analyze events that happen in sequence on multiple computers. Windows Time Service automatically synchronizes a local computers time with other computers on a network to improve security and performance in your organization.
Overview: Using Windows Time Service in a Managed Environment

Computers keep the time on their internal clocks, which allows them to perform any function that requires the date or time. For scheduling purposes, however, the clocks must be set to the correct date and time, and they must be synchronized with the other clocks in the network. Without some other method in place, these clocks must be set manually. With time synchronization, computers set their clocks automatically to match another computer's clock. One computer maintains very accurate time, and then all other computers set their clocks to match that computer. In this way, you can set accurate time on all computers. Windows Time Service is installed by default on all computers running Windows Server 2003 and Windows XP. Windows Time Service uses Coordinated Universal Time (UTC), which is independent of time zone. Time zone information is stored in the computer's registry and is added to the system time just before it is displayed to the user. By default, Windows Time Service starts automatically on computers running Windows XP. In a domain, time synchronization takes place when Windows Time Service turns on during system startup and periodically while the system is running. In the default configuration, the Net Logon service looks for a domain controller that can authenticate and synchronize time with the client. When a domain controller is found, the client sends a request for time and waits for a reply from the domain controller. This communication is an exchange of Network Time Protocol (NTP) packets intended to calculate the time offset and round-trip delay between the two computers.
156
Note that computers running Windows XP use the Network Time Protocol (NTP), while computers running Windows 2000 use the Simple Network Time Protocol (SNTP).
How Windows Time Service Communicates with Sites on the Internet

In Windows XP, Windows Time Service automatically synchronizes the local computer's time with other computers on the network. The time source for this synchronization varies, depending on whether the computer is joined to a domain in the Active Directory directory service or to a workgroup.
When a Computer Running Windows XP Is Part of a Workgroup

In this scenario, the default setting for the time synchronization frequency is set to "once per week," and this default setting uses the time.windows.com site as the trusted time synchronization source. This setting will remain until you manually set it otherwise. One or more computers might be identified as a locally reliable time source by configuring Windows Time Service on those computers to use a known accurate time source, either by using special hardware or a time source available on the Internet. All other workgroup computers can be configured manually to synchronize their time with these local time sources.
When a Computer Running Windows XP Is a Member of a Domain

In this scenario, Windows Time Service configures itself automatically, using the Windows Time Service that is available on the domain controllers. Windows Time Service on a domain controller can be configured as either a reliable or an unreliable time source. Windows Time Service running on a client will attempt to synchronize its time source with servers that are indicated as reliable. Windows Time Service can configure a domain controller within its domain as a reliable time source, and it synchronizes itself periodically with this source. These settings can be modified or overwritten, depending on specific needs.
Communication Between Windows Time Service and the Internet

The following list describes various aspects of Windows Time Service data that is sent to and from the Internet and how the exchange of information takes place. Specific information sent or received: The service sends information in the form of a Network Time Protocol (NTP) packet. For more information about Windows Time Service and NTP packets, see the references listed in Related Links, later in this section. Default and recommended settings: Computers that are members of an Active Directory domain synchronize time with domain controllers by default. Domain controllers synchronize time with their parent domain controller. By default, the root parent domain controller will not synchronize to a time source. The root parent domain controller can be set to either synchronize to a known and trusted Internet-based time source, or a hardware time device that provides an NTP or SNTP interface. Its time accuracy can also be maintained manually.
157
Triggers and user notification: Windows Time Service is started when the computer starts. Additionally, the service will continue to synchronize time with the designated network time source and adjust the computer time of the local computer when necessary. Notification is not sent to the user. Logging: Information related to the service is stored in the Windows System event log. The time and network address of the time synchronization source is contained in the Windows event log entries. Additionally, warning or error condition information related to the service is stored in the Windows System event log. Encryption: Encryption is not used in the network time synchronization for domain peers. (Authentication, however, is used.) Information storage: The service does not store information, as all information that results from the time synchronization process is lost when the time synchronization service request is completed. Port: NTP and SNTP use User Datagram Protocol (UDP) port 123 on time servers. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP or NTP servers. Protocol: The service on Windows XP implements NTP to communicate with other computers on the network. Ability to disable: Disabling the service might have indirect effects on applications or other services. Applications and services that depend on time synchronization, such as Kerberos V5 authentication protocol, may fail, or they may yield undesirable results if there is a significant time discrepancy among computers. Because most computers hardware-based clocks are imprecise, the difference between computer clocks on the network usually increases over time.
Controlling Windows Time Service to Limit the Flow of Information to and from the Internet
Group Policy can be used to control Windows Time Service for computers that are running Windows XP with SP2 to limit the flow of information to and from the Internet. The synchronization type and NTP time server information can be managed and controlled through Group Policy. The Windows Time Service Group Policy object (GPO) contains configuration settings that specify the synchronization type. When the synchronization type is set to Nt5DS, Windows Time Service synchronizes its time resource with the network domain controller. Alternatively, setting the type attribute to NTP configures Windows Time Service to synchronize with a specified NTP time server. The NTP server is specified by either its Domain Name System (DNS) name or its IP address when you select NTP as the synchronization type. For more information about configuring Windows Time Service during deployment of products in the Windows Server 2003 family, see Designing and Deploying Directory and Security Services and Designing a Managed Environment in the Microsoft Windows Server 2003 Deployment Kit at: http://go.microsoft.com/fwlink/?LinkId=29887 Clients on a managed network can be configured to synchronize computer clock settings to an NTP server on the network to minimize traffic out to the Internet and to ensure that the clients synchronize to a single reliable time source. If you choose to do so, you can disable time synchronization for both non-domain and domain computers running Windows XP by using
158
Group Policy. The procedures for configuring Windows Time Service are given at the end of this section of the white paper.
How Windows Time Service Can Affect Users and Applications

Windows components and services depend on time synchronization. For example, the Kerberos V5 authentication protocol on a Windows Server 2003 family domain has a default time synchronization threshold of five minutes. Computers that are more than five minutes out of synchronization on the domain will fail to authenticate using the Kerberos protocol. This time value is also configurable, allowing for greater or lesser thresholds. Failure to authenticate using the Kerberos protocol can prevent logons and access to Web sites, file shares, printers, and other resources or services within a domain. When the local clock offset has been determined, the following adjustments are made to the time: If the local clock time of the client differs from the time on the server by more than the threshold amount, Windows Time Service will change the local clock time immediately. The threshold is five minutes if the computer is part of a domain. It is one second if the computer is part of a workgroup. However, if a computer is part of a workgroup and the time differs from the time source by more than 15 hours, the time is not synchronized, as described later in this list. If the local clock time of the client differs from the server by less than the threshold amount, the service will gradually synchronize the client with the correct time. In a workgroup, if the local clock time of the client differs from the time on a time source by more than 15 hours, a workstation running Windows Time Service and using default settings will not synchronize with the time source. Such occurrences are rare, and are often caused by configuration setting errors. For example, if a user sets the date on the computer incorrectly, the time does not synchronize. Under these circumstances, most often the time is off by a day or more. Be sure to check the computer's calendar and ensure that the correct date has been set.
Configuration Settings for Windows Time Service

You can set the global configuration settings for Windows Time Service by using Group Policy. The settings that might be relevant to communication between Windows Time Service and the Internet are described in this subsection. In Computer Configuration\Administrative Templates\System\Windows Time Service\Global Configuration Settings, there is only one setting that might, in certain scenarios, affect the way that Windows Time Service communicates when the computer is in a domain. This setting is AnnounceFlags, which controls whether this computer is marked as a reliable time server. A computer is not marked as reliable unless it is also marked as a time server. The settings are as follows: 0 Not a time server 1 Always a time server 2 Automatic time server, meaning the role is decided by Windows Time Service 4 Always a reliable time server 8 Automatic reliable time server, meaning the role is decided by Windows Time Service
159
The default is 10, meaning that Windows Time Service decides the role. In the Group Policy settings located in Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers, there are a number of settings that might affect the way that Windows Time Service communicates across the Internet. The following table describes some of these policy settings. Note The table lists the settings that most directly affect the way Windows Time Service communicates with time sources, but the table does not list all settings. For example, it does not list the setting that specifies the location of the Windows Time Service DLL or the setting that controls the logging of events for Windows Time Service. Selected Group Policy Settings for Configuring the Windows Time Service NTP Client for Computers Running Windows XP
Policy Setting NtpServer Effect of Setting Establishes a space-delimited list of peers from which a computer obtains time stamps, consisting of one or more DNS names or IP addresses per line. Computers connected to a domain must synchronize with a more reliable time source, such as the official U.S. time clock. This setting is used only when Type is set to NTP or AllSync. 0x01 SpecialInterval 0x02 UseAsFallbackOnly 0x04 SymmetricActive 0x08 NTP request in Client mode Type Indicates which peers to accept synchronization from: NoSync. The time service does not synchronize with other sources. NTP. The time service synchronizes from the servers specified in the NtpServer registry entry. NT5DS. The time service synchronizes from the domain hierarchy. AllSync. The time service uses all the available synchronization mechanisms. CrossSiteSyncFlags Determines whether the service chooses synchronization partners outside the domain of the computer. None PdcOnly All 0 1 2 2 Default options NTP. Use on computers that are not joined to a domain. NT5DS. Use on computers that are joined to a domain. Default Setting time.microsoft.com, 0x1
This value is ignored if the NT5DS value is not set. ResolvePeerBackoffMinutes Specifies the initial interval to wait, in minutes, before attempting to locate a 15
160
peer to synchronize with. If the Windows Time Service cannot successfully synchronize with a time source, it will keep retrying, using the settings specified in ResolvePeerBackOffMinutes and ResolvePeerBackoffMaxTimes. ResolvePeerBackoffMaxTimes Specifies the maximum number of times to double the wait interval when repeated attempts fail to locate a peer to synchronize with. A value of zero means that the wait interval is always the initial interval in ResolvePeerBackoffMinutes. Specifies the special poll interval in seconds for peers that have been configured manually. When a special poll is enabled, Windows Time Service will use this poll interval instead of a dynamic one that is determined by synchronization algorithms built into Windows Time Service. 7
SpecialPollInterval
604800 (workgroup) 3600 (domain)
For other sources of information about Group Policy, see Appendix B, "Learning About Group Policy and Updating Administrative Templates."
Procedures for Configuring Windows Time Service

The following procedures explain how to set some of the Windows Time Service configuration settings available in Group Policy. For details about other Group Policy settings for Windows Time Service, see the table earlier in this section.
To Set Group Policy for Windows Time Service Global Configuration Settings
1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click System, and then click Windows Time Service. 3. In the details pane, double-click Global Configuration Settings, and then click Enabled.
To Configure the Group Policy Setting to Prevent a Computer Running Windows XP from Synchronizing Its Computer Clock with NTP Servers
1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click System, click Windows Time Service, and then click Time Providers. 3. In the details pane, double-click Enable Windows NTP Client and then select Disabled.
161
To Configure the Group Policy Setting to Prevent a Computer Running Windows XP from Servicing Time Synchronization Requests from Other Computers on the Network
1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click System, click Windows Time Service, and then click Time Providers. 3. In the details pane, double-click Enable Windows NTP Server, and then select Disabled.
Starting and Stopping Windows Time Service

By default, Windows Time Service starts automatically at system startup. You can, however, start or stop the service manually by accessing services in Administrative Tools or by using the net command.
To Manually Start Windows Time Service Using the Graphical Interface

1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel. 2. Double-click Administrative Tools, and then double-click Services. 3. Select Windows Time from the list of services. 4. On the Action menu, click Start to begin the service.
To Manually Stop Windows Time Service Using the Graphical Interface

1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel. 2. Double-click Administrative Tools, and then double-click Services. 3. Select Windows Time from the list of services. 4. On the Action menu, click Stop to discontinue the service.
To Manually Start Windows Time Service Using the net Command

1. To open a Command Prompt window, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type net start w32time, and then press ENTER.
To Manually Stop Windows Time Service Using the net Command

1. To open a Command Prompt window, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type net stop w32time, and then press ENTER.
162
Synchronizing Computers with Time Sources

Use the following procedures to synchronize the internal time server with an external time source, and to synchronize the client time with a time server.
To Synchronize an Internal Time Server with an External Time Source

1. To open a Command Prompt window, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type the following, where PeerList is a comma-separated list of Domain Name System (DNS) names or Internet protocol (IP) addresses of the desired time sources: w32tm /config /syncfromflags:manual /manualpeerlist:PeerList and then press ENTER. 3. Type w32tm /config /update and then press ENTER. Note The most common use of this procedure is to synchronize the internal network's authoritative time source with precise external time source. This procedure can be run on any computer running Windows 2000, Windows XP, or Windows Server 2003. If the computer cannot reach the servers, the procedure fails and an entry is written to the Windows System event log.
To Synchronize the Client Time with a Time Server

1. To open a Command Prompt window, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type w32tm /resync, and then press ENTER. Note This procedure only works on computers that are joined to a domain. The W32tm command-line tool is used for diagnosing problems that can occur with Windows Time Service. If you are going to use the tool on a domain controller, it is necessary to stop the service. Running the tool and Windows Time Service at the same time on a domain controller generates an error because both are attempting to use the same UDP port. When you finish using the W32tm command line tool, the service must be restarted.
Monitoring and Troubleshooting Windows Time Service

In many cases, problems with Windows Time Service can be attributed to network configuration. If the network is not configured correctly, computers might not be able to communicate to send time samples back and forth. Viewing the contents of NTP packets can help you to identify exactly where a packet is blocked on a network. An error associated with Windows Time Service might occur when a computer is unable to synchronize with an authoritative source. You can use the W32tm command-line tool to assist you in troubleshooting this and other types of errors associated with Windows Time Service.
163
The W32tm command-line tool is the preferred command-line tool for configuring, monitoring, and troubleshooting Windows Time Service. For more information, search for "W32tm" in Help and Support Center.
Procedure to Follow When a Computer Is Unable to Synchronize

By default, a standalone workstation running Windows Time Service will not synchronize with a time source if the workstations time is more than 15 hours off. For information about scenarios in which this can occur, see How Windows Time Service Can Affect Users and Applications, earlier in this section.
To Resynchronize the Client Time with a Time Server

1. To open a Command Prompt window, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type w32tm /resync /rediscover and then press ENTER. Note When you run the preceding command, it redetects the network configuration and rediscovers network resources, causing resynchronization. This rediscovery procedure only works on computers that are joined to a domain. You can then view the event log for more information about why the time service does not synchronize.
Related Links
For more information about configuring Windows Time Service during deployment of products in the Windows Server 2003 family, see Designing and Deploying Directory and Security Services and Designing a Managed Environment in the Microsoft Windows Server 2003 Deployment Kit at: http://go.microsoft.com/fwlink/?LinkId=29887
164
Windows Update and Automatic Updates

This section provides information about the following: The benefits of Windows Update and Automatic Updates How Windows Update and Automatic Updates communicate with sites on the Internet How to control Windows Update and Automatic Updates to limit the flow of information to and from the Internet
Important This section describes methods for controlling the way the Automatic Updates component interacts with the Windows Update Web site. To control the way Automatic Updates interacts with Windows Update, also control the type of accounts that people log on with. If an account does not allow software to be installed (for example, if the account is a user account), only one option for Automatic Updates will function while that person is logged on. That option is the automatic download and installation of updates, which means that updates are installed on the users computer at a regularly scheduled time, regardless of what type of account the user has, or whether the user is logged on at the time.
Benefits and Purposes of Windows Update and Automatic Updates

Windows Update
Windows Update is an online catalog that can be used to support computers running Microsoft Windows operating systems, including Windows XP Professional with Service Pack 2 (SP2). The catalog contains items such as drivers, critical updates, Help files, and Internet products. Windows Update scans the users computer and provides a tailored selection of updates that apply only to the software and hardware on that specific computer. Windows Update then enables users to choose updates for their computer's operating system and hardware. New content is added to the Windows Update Web site regularly, so users can always get the most recent and secure updates and solutions. Windows Update contains two key components: Web site control: The Windows Update Web site includes an ActiveX Web control program that downloads and installs updates. The Windows Update team receives feedback from their customers on how to improve their Web site, and responds by periodically updating the Web control. The newest version of the Web control program is downloaded automatically when the user visits the Windows Update site or when any of the other Windows features calls on the Windows Update control. Just like downloading an ActiveX control, the user may receive a security dialog box that a Web control is attempting to be installed. Users may not receive the dialog box if they have selected to always trust Microsoft as a content provider (using their security settings in Microsoft Internet Explorer). If users do not click Yes on the security dialog box, the control will not be updated and they will not be able to access the Windows Update site.
165
Updates: As needed, the user can access the Windows Update Web site and select component updates to download and install. The user is fully aware of downloads to the computer. The Windows Update Web site is located at:
http://windowsupdate.microsoft.com/
Automatic Updates
This option for updating a computer allows for updates without interrupting the users Internet experience. Automatic Updates is not enabled by default. The person who installs the operating system is prompted to enable this option following setup. When Automatic Updates is configured so that updates automatically download and install, users do not need to visit special Web pages or remember to periodically check for new updates. Automatic Updates can be configured to use one of the following options: Automatic download and installation of updates: Windows XP downloads and installs updates automatically on a schedule specified by an administrator of the computer. Updates are installed regardless of what type of account the user has, or whether the user is logged on at the time. Automatic download only: Windows XP automatically starts the download whenever it finds updates available for the computer. The updates are downloaded in the background, enabling the user to continue working uninterrupted. After the download is complete, an icon in the notification area will prompt a user logged on as an administrator that the updates are ready to be installed. Notification only: Windows XP sends a notification after which an administrator of the computer can respond by downloading and installing any updates. Turn off Automatic Updates: It is left to the user to go to the Windows Update Web site and download updates from time to time.
A user logged on as an administrator can decline a specific update that has been downloaded. The user can download those declined files again by opening the Performance and Maintenance category in Control Panel, clicking the System tool, clicking the Automatic Updates tab, and then clicking Offer updates again that Ive previously hidden. (In Control Panel's Classic View, you can open the System tool directly from Control Panel). If any of the previously declined updates can still be applied to the computer, those updates will appear the next time that Windows XP notifies the user of available updates. For more information about using Control Panel to configure Automatic Updates, see Procedures for Controlling Windows Update and Automatic Updates, later in this section.
Alternatives to Windows Update and Automatic Updates

For managed environments, there are several alternatives to Windows Update: Windows Update Catalog Web site Microsoft Software Update Services (SUS) Distribution software, such as Microsoft Systems Management Server, that can be used to distribute software updates
166
For more information, see the documentation for your distribution software, and see Appendix A, "Resources for Learning About Automated Installation and Deployment," especially the "Related Documentation and Links" subsection in that appendix.
Windows Update Catalog Web Site

By using the Windows Update Catalog site, you can use your own software distribution tools to deploy updates to Windows in a managed environment without requiring users to connect to the Windows Update Web site. The Windows Update Catalog site provides a comprehensive catalog of updates that can be distributed over a managed network. It provides a single location for Windows Update content and drivers that display the Designed for Windows logo. Administrators can search the site using keywords or predefined search criteria to select the relevant downloads and then download the updates to a location on their internal network. An enhancement in products in the Windows Server 2003 family enables you to select updates that you plan to deploy later, which means that you can control how and when the updates are deployed. For additional information, see information about Windows Update on the Microsoft Web site at: http://windowsupdate.microsoft.com/
Microsoft Software Update Services (SUS)

Microsoft Software Update Services (SUS) is a version of Windows Update designed for installation inside the boundary defined by an organization's firewall. This feature is very useful for organizations that Do not want their systems or users connecting to an external Web site Want to first test these updates before deploying them throughout their organizations
Microsoft Software Update Services enables administrators to quickly and reliably deploy critical updates to servers running Windows Server 2003 and Windows 2000 Server as well as desktop computers running Windows XP Professional and Windows 2000 Professional. For more information about software update services, see the Microsoft Web site at: http://go.microsoft.com/fwlink/?LinkId=29906
Overview: Using Windows Update and Automatic Updates in a Managed Environment

As an administrator, you can use Group Policy to block the use of Windows Update or to specify an internal server for Automatic Updates to use when searching for updates. You can also disable Automatic Updates using Control Panel or using the Group Policy Administrative template, Wuau.adm. Details on the methods and procedures for controlling these features are described in the following subsections.
167
How Windows Update and Automatic Updates Communicate with Sites on the Internet
This subsection summarizes the communication process. Specific information sent or received: Drivers and replacement files (critical updates, Help files, and Internet products) may be downloaded to the users computer. The computer is uniquely identified and is logged in the download and installation success report, but the user is not uniquely identified. Data storage and access: Windows Update tracks the total number of unique computers that visit the Windows Update Web site. The success or failure of downloading and installing updates is also recorded but no personally identifiable information is recorded as part of this. This information is stored on servers at Microsoft with limited access that are located in controlled facilities. No other information collected during a Windows Update session is retained past the end of the session.
For more information, see "Privacy," later in this list. Note If you want to block the use of the Windows Update Web site, you can apply Group Policy settings to specify an internal server for updates and for storing upload statistics. For more information see "Procedures for Controlling Windows Update and Automatic Updates." Default and recommended settings: By default, Windows XP allows access to the Windows Update Web site. Recommended settings are described in the next subsection, "Controlling Windows Update and Automatic Updates to Limit the Flow of Information to and from the Internet." Triggers: The user controls whether to run Windows Update. If Automatic Updates is enabled following setup, it is triggered about once per day when there is an Internet connection. User notification: Windows Update Web site: Users control whether to go to the Windows Update Web site to download files to their computers. Automatic Updates: The way that Automatic Updates notifies the user depends on how Automatic Updates is configured. For more information, see Automatic Updates, earlier in this section.
Note For information about configuring Automatic Updates, see To Configure or Disable Automatic Updates Using Control Panel on a Computer Running Windows XP SP2, later in this section. Logging: Automatic Updates logs events to the event log. Encryption: Initial data is transferred using HTTPS, and updates are transferred using HTTP. The data packages downloaded to the users system by Microsoft are digitally signed. Privacy: To view the privacy statement for Windows Update, see the Windows Update Web site, and click Read our privacy statement. The Windows Update Web site is located at:
http://windowsupdate.microsoft.com/ Automatic Updates is covered by the same privacy statement that covers Windows Update.
168
Transmission protocols and ports: The transmission protocols and ports used are HTTP 80 and HTTPS 443. Ability to disable: You can use Group Policy to prevent the operating system from being updated through Windows Update, to prevent access to Windows Update commands, or both. You can use Group Policy to specify an internal server to use for Automatic Updates. You can disable Automatic Updates using Control Panel tools or Group Policy. Procedures for these methods are given at the end of this section.
Controlling Windows Update and Automatic Updates to Limit the Flow of Information to and from the Internet
The recommended methods for controlling Windows Update and Automatic Updates or both are as follows. Important When using these methods, also control the type of accounts that people log on with. If an account does not allow software to be installed (for example, if the account is a user account), only one option for Automatic Updates will function while that person is logged on. That option is to automatically download and install updates, which means that updates are installed on the users computer at a regularly scheduled time, regardless of what type of account the user has, or whether the user is logged on at the time. You can use Group Policy settings to disable both Windows Update and Automatic Updates. To disable Windows Update and Automatic Updates by preventing the operating system from being updated through Windows Update, configure Turn off access to all Windows Update features in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings. To disable Windows Update and Automatic Updates by preventing access to Windows Update commands, configure Remove links and access to Windows Update in User Configuration\Administrative Templates\Start Menu and Taskbar. You can use Group Policy to configure Automatic Updates so that instead of searching the Windows Update Web site, Automatic Updates searches your internal server for updates.
To do this, configure Specify intranet Microsoft update service location in Computer Configuration\Administrative Templates\Windows Components\Windows Update. The server you specify in this setting must be one on which you are running Software Update Services. You can use Group Policy settings in the Administrative template Wuau.adm to selectively disable Automatic Updates.
To do this, disable Configure Automatic Updates in Computer Configuration\Administrative Templates\Windows Components\Windows Update. You can also configure Automatic Updates on individual computers by using Control Panel. For a description of the options available through Control Panel, see Automatic Updates, earlier in this section.
169
How Disabling Windows Update and Automatic Updates Can Affect Users and Applications
The following list shows the effects of two Group Policy settings, both of which prevent the use of Windows Update and Automatic Updates. Turn off access to all Windows Update features: This Group Policy setting is located in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings.
When you enable this setting, the operating system cannot be updated through Windows Update, and Automatic Updates is disabled. Users or administrators can still perform actions such as clicking the Windows Update option on the Start menu, and the Windows Update Web site will appear in the browser. However, it will not be possible to update the operating system through Windows Update, regardless of the type of account being used to log on. Remove links and access to Windows Update This Group Policy setting is located in User Configuration\Administrative Templates\Start Menu and Taskbar. When you enable this setting, users will not be able to access the Windows Update Web site from any of the following locations: The Windows Update option on the Start menu The Tools menu in Microsoft Internet Explorer The Windows Update button in Add New Programs (Add New Programs is in Control Panel under Add or Remove Programs)
Enabling this setting also disables Automatic Updates notificationsthat is, the user for which this policy setting is enabled will neither be notified about nor receive critical updates from Windows Update. Removing end-user access to Windows Update also prevents Device Manager from automatically installing driver updates from the Windows Update Web site. For more information about controlling Device Manager, see the section of this white paper titled "Device Manager and Hardware Wizards." Blocking Windows Update and Automatic Updates will not block applications from running. The Windows Update site is located at: http://windowsupdate.microsoft.com/
Procedures for Controlling Windows Update and Automatic Updates

This subsection provides procedures for the following: Configuring or disabling Automatic Updates by using Group Policy. Preventing the operating system from being updated through Windows Update by using Group Policy. With this policy, commands for accessing Windows Update are visible and the Windows Update site can be viewed through the browser, although Windows Update cannot be used.
170
Turning off access to Windows Update commands and to Automatic Updates by using Group Policy. Specifying an internal server for Windows Update by using Group Policy. Configuring or disabling Automatic Updates using Control Panel on a computer running Windows XP SP2.
To Configure or Disable Automatic Updates Using Group Policy

1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated (specifically, Wuau.adm), and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click Windows Components, and then click Windows Update. 3. In the details pane, double-click Configure Automatic Updates. 4. Select Not Configured, Enabled, or Disabled. If you choose Enabled, choose from the available settings, which are equivalent to the Control Panel settings described in Automatic Updates, earlier in this section. Note Disabling this setting disables Automatic Updates but does not block access to Windows Update.
To Prevent the Operating System from Being Updated Through Windows Update by Using Group Policy
1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings. 3. In the details pane, double-click Turn off access to all Windows Update features. Important This policy also disables Automatic Updates. You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."
To Turn Off Access to Windows Update Commands by Using Group Policy

1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO. 2. Click User Configuration, click Administrative Templates, and then click Start Menu and Taskbar.
171
3. In the details pane, double-click Remove links and access to Windows Update. Important This policy also disables Automatic Updates.
To Specify an Internal Server for Windows Update Using Group Policy

1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO. 2. Click Computer Configuration, click Administrative Templates, click Windows Components, and then click Windows Update. 3. In the details pane, double-click Specify intranet Microsoft update service location and then click Enabled. 4. Specify the name of the internal server to function as the update server, and specify the name of the server to store upload statistics. Important You must specify an upgrade server and a server to store upload statistics, but they can be the same server. The server you specify as the upgrade server must be one on which you are running Software Update Services.
To Configure or Disable Automatic Updates Using Control Panel on a Computer Running Windows XP SP2
1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel. 2. Double-click Automatic Updates. 3. Choose from the available options, which are described in Automatic Updates, earlier in this section.
172
Appendices
173
Appendix A: Resources for Learning About Automated Installation and Deployment

This appendix provides the following: An overview of automated installation and deployment Procedures and resources for obtaining more information about automated installation and deployment
Overview: Automated Installation and Deployment

In the enterprise environment, it is often not cost-effective to install Microsoft Windows Server 2003 or Microsoft Windows XP Professional with Service Pack 2 (SP2) using the standard interactive setup on each computer. To greatly lower the total cost of ownership (TCO) and ensure configuration uniformity, you can perform an automated installation of Windows Server 2003 and Windows XP on multiple computers. By using an automated installation method, you can ensure that certain components and applications are not available on your organizations computers, or that certain components and applications are preconfigured in such a way that helps prevent unwanted communication over the Internet.
Methods for Automating the Setup Process

There are several options for automating the setup process. Any or all of the following tools can help ensure that all of your client computers are configured to appropriately limit communication over the Internet: Unattended setup using Setup (Winnt32.exe)
Unattended setup enables you to simplify the process of setting up the operating system on multiple computers. To run an unattended setup, you can create and use an answer file, which is a customized script that answers Setup questions automatically. Then you can run Setup (Winnt32.exe) from the command line with the appropriate options for invoking unattended setup. Using Winnt32.exe, you can upgrade your previous version of the operating system using all user settings from the previous installation, or you can perform a fresh installation using the answer file that provides Setup with your custom specifications. The latter method is most likely the best option to limit component communication over the Internet, provided you use an appropriate answer file. Details about specific answer file entries are included in the respective component sections of this white paper. Remote Installation Services (RIS)
With RIS, you can install the operating system by itself or a complete computer configuration, including desktop settings and applications. RIS installations can be either CD-based (through the use of Risetup.exe) or image-based (through the use of Riprep.exe). You can also specify which RIS server will provide installations to a given client computer, or you can allow any RIS server to provide the installation.
174
Image-based installation using the System Preparation (Sysprep) tool.
Image-based installation is also a good choice if you need to install an identical configuration on multiple computers. You typically use the Sysprep tool in conjunction with a non-Microsoft disk imaging tool or Microsoft Windows Server 2003 Automated Deployment Services (ADS) to perform image-based installations. On a master computer, you install the operating system and any applications that you want installed on all of the target computers. Then you run Sysprep and a disk imaging utility. Sysprep prepares the hard disk on the master computer so that the disk imaging utility can transfer an image of the hard disk to the other computers. This method decreases deployment time dramatically compared to standard or unattended installations. You can customize the images so that only the files required for a specific configuration appear on the image, such as additional Plug and Play drivers that might be needed on various systems. The image can also be copied to a CD and distributed to remote sites that have slow links. System management software, such as Microsoft Systems Management Server (SMS)
This type of software assists with the many tasks that are involved when you apply automated procedures to multiple servers and client computers throughout your organization. These tasks include the following: Selecting computers that are equipped for the operating system and that you are ready to support Distributing the operating system source files to all sites, including remote sites and sites without technical support staff Monitoring the distribution to all sites Providing the appropriate user rights to do the upgrade Automatically initiating the installation of the software package with the possibility of having the user control the timing Resolving problems related to the distributions or installations Reporting on the rate and success of deployment
Using system management software helps to further ensure that all computers within your organization have received the standardized operating system configuration that helps prevent unwanted communication over the Internet.
Using Scripts for Configuring Computers

In addition to the automated installation methods described here, another common method of controlling the configuration of computers in a domain is to use scripts. For more information about scripts, see Related Documentation and Links," at the end of this section.
Procedures for Accessing Additional Information About Automated Setup Tools

Products in the Windows Server 2003 family have extensive documentation describing unattended installation, RIS, and image-based installation with Sysprep. You can view this documentation from any computer that has Internet access (regardless of the operating system
175
running on that computer). You can also view Help for Windows Server 2003 from any computer running a product in the Windows Server 2003 family. The following procedure gives the details.
To Access Help for a Computer Running a Product in the Windows Server 2003 Family
1. Open Help and Support by doing one of the following: On any computer running a product in the Windows Server 2003 family, click Start, and then click Help and Support. View product documentation on the Web at: http://go.microsoft.com/fwlink/?LinkId=29881 On this site, click the link for the appropriate product. 2. Locate the specific topics as follows: For unattended installation: Navigate to Getting Started\Installing and upgrading the operating system\Concepts\Planning for unattended Setup For RIS: Navigate to Software Deployment\Remote Installation Services For Winnt32.exe: Navigate to Administration and scripting tools\Command-line reference\Command-line reference A-Z\Winnt32
Note Detailed information about unattended installation, RIS, and image-based installation with Sysprep is also available in the sources listed in "Related Documentation and Links."
Related Documentation and Links

You can also find additional information about all of the topics described earlier in this appendix in a variety of other locations: On the CD for Windows XP with SP2, you can find additional information about unattended installations in the Microsoft Windows Corporate Deployment Tools Users Guide, found in \Support\Tools\Deploy.cab. To view the guide and the associated reference information, make sure Deploy.chm and Ref.chm are in the same folder, and open Deploy.chm. For the most up-to-date information, be sure to view the version of the guide that is included in Windows XP with SP2, rather than older versions from Windows XP with SP1 or Windows XP. For additional information about unattended installation, RIS, and image-based installation with Sysprep, see the following sources. The Microsoft Windows Server 2003 Deployment Kit, especially the book titled Automating and Customizing Installations. The Microsoft Windows Server 2003 Deployment Kit is available on the Web at: http://go.microsoft.com/fwlink/?LinkId=29887 Installation and Setup Technologies in the Core Operating System Collection of the Windows Server 2003 Technical Reference on the Microsoft Web site at: http://go.microsoft.com/fwlink/?LinkId=29907
176
For general information about Group Policy, see Appendix B, "Learning About Group Policy and Updating Administrative Templates." To learn about specific Group Policy settings that can be applied to computers running Windows XP, see the Group Policy Settings Reference on the Microsoft Download Center Web site at:
http://go.microsoft.com/fwlink/?LinkId=29911 For more information about scripting, see the Script Center on the TechNet Web site at:
http://go.microsoft.com/fwlink/?LinkId=24771 The Help documentation for Windows Server 2003, included in the product and on the Web, contains information about Windows Script Host. You can find the documentation on the Web at:
177
Appendix B: Learning About Group Policy and Updating Administrative Templates

This appendix provides the following: A list of resources for learning about Group Policy and about the Group Policy settings that can be used with Windows XP with SP2. A procedure for updating Administrative templates (.adm files) to the set of templates included in Windows XP with SP2.
Resources for Learning about Group Policy

To learn about using Group Policy and the Group Policy Management Console (GPMC), see the following resources. The Group Policy Technology Center Web site at:
http://www.microsoft.com/grouppolicy/ The Group Policy page on the TechNet Web site at:
http://www.microsoft.com/technet/grouppolicy/ Designing a Managed Environment in the Microsoft Windows Server 2003 Deployment Kit at:
http://go.microsoft.com/fwlink/?LinkId=29887 The Group Policy Collection of the Windows Server 2003 Technical Reference at:
http://go.microsoft.com/fwlink/?LinkId=29907 Article 816662, "Recommendations for Managing Group Policy Administrative Template (.adm) Files" in the Microsoft Knowledge Base at:
http://go.microsoft.com/fwlink/?LinkId=29128 To learn about Group Policy settings that can be used with Windows XP with SP2, see the following resources. The Group Policy Settings Reference on the Microsoft Web site at:
http://go.microsoft.com/fwlink/?LinkId=29911 Changes to Functionality in Microsoft Windows XP Service Pack 2 on the Microsoft Web site at:
Installing Group Policy Management Console (GPMC)
178
Group Policy Management Console (GPMC) unifies the management of all aspects of Group Policy. Using GPMC, you can manage Group Policy objects (GPOs), Windows Management Instrumentation (WMI) filters, and permissions on your network. GPMC is available for download from the Microsoft Web site. For instructions for downloading and installing GPMC, see the Microsoft Windows Server 2003 Web site at: http://go.microsoft.com/fwlink/?linkid=29909 To run GPMC, click Start, point to Administrative Tools, and then click Group Policy Management.
Updating Administrative Templates

You can use Group Policy to control registry keys using the settings supplied with Administrative templates. An updated set of Administrative templates is included with each new release of Windows and includes policy settings for earlier versions of Windows and earlier service packs as well as new policy settings. Use the following procedure to update the Administrative templates in your domain with the templates provided with Windows XP with SP2.
To Update Administrative Templates to the Version Provided in Windows XP with SP2

1. In the domain where you want to configure Group Policy, on a computer running Windows XP with SP2, ensure that you have installed GPMC. On that computer, log on as a member of the Domain Admins group, or with an account from which you can manage GPOs in the domain. For information about installing GPMC, see Installing Group Policy Management Console (GPMC), earlier in this section. 2. Click Administrative Templates under either User Configuration or Computer Configuration (it does not matter which one). Be sure that you click it so that it is selected (highlighted). When you select Administrative Templates, the Administrative templates are updated throughout the domain. For more information about managing .adm files, see article 816662, "Recommendations for Managing Group Policy Administrative Template (.adm) Files" in the Microsoft Knowledge Base at: http://go.microsoft.com/fwlink/?LinkId=29128 Caution You should treat the .adm files that are provided with the operating system as read-only. These files will be updated from time to time in service packs and in future releases. To use an existing .adm file as a template for a custom .adm file, first copy the original .adm file into a new filename and then edit the new file.
179
Appendix C: Group Policy Settings Listed Under the Internet Communication Management Key
Windows XP Service Pack 2 (SP2) contains Group Policy settings that were not available in Windows XP Service Pack 1 (SP1) or in the original release of Windows XP. Some of these settings can be found in Group Policy under a new key called Internet Communication Management. This new key is located within GPMC in Computer Configuration\Administrative Templates\System and in User Configuration\Administrative Templates\System. This appendix describes the settings under the Internet Communication Management key, and the way in which one setting, Restrict Internet communication, controls multiple other settings. The settings under the Internet Communication Management key are designed to help you control the way components in Windows XP with SP2 communicate with the Internet. Other settings can also help with controlling the way components communicate with the Internet. Individual settings under Internet Communication Management for specific components are described in the appropriate sections of this white paper and in the Explain text in the settings, as well as being described in this appendix. For example, the setting called Turn off Event Viewer "Events.asp" links, located under Internet Communication Management, is described in the section about Event Viewer, in the Explain text in the setting itself, and in this appendix. Many other Group Policy settings (beyond the ones described in this appendix) are also described in appropriate sections of this white paper.
Controlling Multiple Settings Through the Restrict Internet Communication Setting

There are multiple ways to configure the new Group Policy settings under Internet Communication Management in Windows XP with SP2. You can configure settings individually, which means you could configure, for example, Turn off Event Viewer "Events.asp" links differently from Turn off Windows Error Reporting. Alternatively, you can enable or disable the entire collection of settings at one time by configuring a setting that controls them all. This setting is called Restrict Internet communication. If you want to enable or disable Restrict Internet communication and then create exceptions to this master setting by configuring individual settings in the Internet Communication Management key, you must use two GPOs. To do this, ensure that you understand how processing and precedence works for multiple GPOs (for example, see the Help for GPMC). Choose or create a GPO that has lower precedence than another GPO. In the GPO with lower precedence, enable or disable Restrict Internet communication. Then, in the GPO that has precedence over it, apply the individual settings that are exceptions to the master setting. If you do not use two GPOs when setting both Restrict Internet communication and individual settings that are exceptions to the master setting, the settings might not work as expected. To check the effect of multiple Group Policy settings, you can use Group Policy Results in GPMC. For more information, see the Help in GPMC.
180
Settings That Affect Computer Configuration

This subsection of the appendix describes settings under Internet Communication Management in the Administrative template for computer configuration (which contrasts with the template for user configuration, described later in this appendix). For all these settings, the following is true: The settings apply to all users of a computer running Windows XP with SP2 and come into effect when the computer starts or when Group Policy is refreshed. Within GPMC, these settings are located in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings. All of the settings can be enabled or disabled in one step by enabling or disabling the master setting that controls them, Restrict Internet communication. This setting is located in Computer Configuration\Administrative Templates\System\Internet Communication Management. When you change this setting, the change affects all of the settings in the following list, even if you previously configured individual settings in different ways.
Note This appendix does not describe all Group Policy settings that are available in Windows XP with SP2. It describes only the settings available under Internet Communication Management. For sources of information about new settings available in Windows XP with SP2, see Appendix D, Differences Between Service Pack 1 and Service Pack 2.
Individual Settings That Affect Computer Configuration

The following list describes the computer configuration settings under Internet Communication Management that are outlined in the previous subsection. Note More details about each setting are available in the Explain text for the setting. To view the text, select the setting in Group Policy and click the Extended tab, or open the setting and click the Explain tab. Turn off the "Publish to Web" task for files and folders: Specifies whether the tasks for publishing items to the Web are available from File and Folder Tasks in Windows folders. These tasks are Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web.
This setting is also described in Appendix F, Add Network Place Wizard and Web Publishing Wizard in this white paper. Turn off Internet download for Web publishing and online ordering wizards: Specifies whether Windows should download a list of providers for the Web Publishing Wizard, the Add Network Place Wizard, and the Online Print Wizard. By default, Windows displays providers downloaded from a Windows Web site in addition to providers specified in the registry. If you enable this setting, Windows will not download providers and only the service providers that are stored in the local registry will be displayed. When Windows XP with SP2 has been installed but the Web publishing and online ordering wizards have not yet been used, no service providers are stored in the local registry. If this Group Policy setting is applied at that time, the wizards will not display links to service providers.
181
For more information about the registry keys in which providers can be specified, see Registering a Service at the MSDN Web site at: http://go.microsoft.com/fwlink/?LinkId=29134 This setting is also described in Appendix F, Add Network Place Wizard and Web Publishing Wizard and Appendix G, Online Ordering Wizards and Tasks in this white paper. Turn off the "Order Prints" picture task: Specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders.
This setting is also described in Appendix G, Online Ordering Wizards and Tasks in this white paper. Turn off the Windows Messenger Customer Experience Improvement Program: Specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. This information is used to improve the product in future releases.
This setting is also described in the Windows Messenger section of this white paper. Turn off Help and Support Center "Did you know?" content: Specifies whether to show the "Did you know?" section of Help and Support Center. By default, this content is dynamically updated when users are connected to the Internet and open Help and Support Center.
This setting is also described in the section of this white paper titled Help and Support Center: The Headlines and Online Search Features. Turn off Help and Support Center Microsoft Knowledge Base search: Specifies whether users can perform a Microsoft Knowledge Base search from Help and Support Center. The Knowledge Base is an online source of technical support information and self-help tools for Microsoft products. By default, if a user performs a search through Help and Support Center, the Knowledge Base is included in the search. It can be excluded if a user opens the Search Options page in Help and Support Center and clears the Microsoft Knowledge Base check box.
This setting is also described in the section of this white paper titled Help and Support Center: The Headlines and Online Search Features. Turn off Windows Error Reporting: Specifies whether error reports from a system or application that has stopped responding are sent to Microsoft. Error reports are used to improve the quality of the product. This setting overrides any user setting made from the Control Panel for error reporting.
This setting and other ways of controlling error reporting through Group Policy are described in the Windows Error Reporting section of this white paper. Turn off Internet File Association service: Specifies whether to use the Web-based File Association service, or whether to use only locally stored information about file name extensions, file types, and the applications or components to use when opening a particular file type. The file association Web service is used only when a user tries to open a file and there is no locally stored information about the file name extension.
This setting is also described in the File Association Web Service section of this white paper. Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com: Specifies whether the Internet Connection Wizard can connect to
182
Microsoft to download a list of Internet Service Providers (ISPs). If you enable this setting, and a user running the New Connection Wizard clicks Choose from a list of Internet Service Providers (ISPs), finishes the wizard, and clicks Refer me to more Internet Service Providers, a message appears, saying that the user cannot complete the Internet Connection Wizard. This prevents users from retrieving the list of ISPs, which resides on Microsoft servers. This setting is also described in Appendix H, New Connection Wizard and Internet Connection Wizard in this white paper. Turn off Event Viewer "Events.asp" links: Specifies whether Internet links shown within events in Event Viewer are activated. When such a link is activated and the user clicks it, information that identifies the event is sent to a Microsoft Web site so that explanatory text, if available, can be sent back to the user.
This setting and the information sent and received when an Event Viewer link is clicked are described in the Event Viewer section of this white paper. Turn off Automatic Root Certificates Update: Specifies whether to automatically update root certificates using the list of trusted certification authorities that Microsoft maintains on the Windows Update Web site. If you enable this setting, when a user is presented with a certificate issued by an untrusted root authority, the users computer will not contact the Windows Update web site.
This setting and the way that root certificate updates work are described in the Certificate Support and the Update Root Certificates Component section in this white paper. Turn off Registration if URL connection is referring to Microsoft.com: Specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration.
This setting and the differences between registration and activation are described in the section of this white paper titled Activation and Registration Associated with a New Installation or an Upgrade. Turn off Search Companion content file updates: Specifies whether Search Companion should automatically download content updates during local and Internet searches.
This setting and the way that Search Companion works for local and Internet searches are described in the Search Companion section of this white paper. Turn off printing over HTTP: Specifies whether to allow printing over HTTP from this computer. Note that this setting does not control whether the computer can act as an Internet print server.
This setting and other settings related to Internet printing are described in the Internet Printing section of this white paper. Turn off downloading of print drivers over HTTP: Specifies whether to allow this computer to download print drivers over HTTP when needed.
This setting and other settings related to Internet printing are described in the Internet Printing section of this white paper. Turn off Windows Update device driver searching: Specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present.
183
This setting is described in the Plug and Play section of this white paper. Related details about the searching of Windows Update for device drivers are described in the Device Manager and Hardware Wizards section of this white paper. Turn off access to all Windows Update features: Specifies whether Windows Update can be used to update the operating system on this computer.
This setting is described in the Windows Update and Automatic Updates section of this white paper. Turn off Windows Movie Maker automatic codec downloads: Specifies whether Windows Movie Maker automatically downloads missing codecs for audio and video files. A codeccompressor/decompressoris software that compresses or decompresses audio or video data.
This setting is also described in the Windows Movie Maker section of this white paper. Turn off Windows Movie Maker online Web links: Specifies whether links to Web sites are available in Windows Movie Maker.
This setting and the links it refers to are described in the Windows Movie Maker section of this white paper. Turn off Windows Movie Maker saving to online video hosting provider: Specifies whether users can send a final movie to a video hosting provider on the Web.
This setting and the methods that users can use to save a movie to the Web are described in the Windows Movie Maker section of this white paper.
Settings That Affect User Configuration

This subsection of the appendix describes settings under Internet Communication Management in the Administrative template for user configuration (which contrasts with the template for computer configuration). For all these settings, the following is true: The settings apply to the individual user and come into effect when the user logs on or when Group Policy is refreshed. Within GPMC, these settings are located in User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings. All of the settings can be enabled or disabled in one step by enabling or disabling the master setting that controls them, Restrict Internet communication. This setting is located in User Configuration\Administrative Templates\System\Internet Communication Management. When you change this setting, the change affects all of the settings in the following list, even if you previously configured individual settings in different ways.
Note This appendix does not describe all Group Policy settings available in Windows XP with SP2. It describes only the settings available under Internet Communication Management. For sources of information about new settings available in Windows XP with SP2, see Appendix D, Differences Between Service Pack 1 and Service Pack 2.
Individual Settings That Affect User Configuration
184
The user configuration settings under Internet Communication Management are as follows. For a description of a particular setting, find the setting under Individual Settings That Affect Computer Configuration, earlier in this section. Alternatively, you can select the setting in Group Policy and click the Extended tab, or open the setting and click the Explain tab. Turn off the "Publish to Web" task for files and folders Turn off Internet download for Web publishing and online ordering wizards Turn off the "Order Prints" picture task Turn off the Windows Messenger Customer Experience Improvement Program Turn off Internet File Association service Turn off printing over HTTP Turn off downloading of print drivers over HTTP Turn off Windows Movie Maker automatic codec downloads Turn off Windows Movie Maker online Web links Turn off Windows Movie Maker saving to online video hosting provider
185
Appendix D: Differences Between Service Pack 1 and Service Pack 2

In Windows XP Service Pack 2 (SP2), Microsoft introduces a set of security technologies that help to improve the ability of Windows XP-based computers to withstand malicious attacks from viruses and worms. The technologies include additional network protection, memory protection, and improved computer maintenance. Also included are technologies for safer e-mail handling and enhanced browsing security. In addition, SP2 includes enhanced Administrative templates for Group Policy settings. Together, these security technologies will help to make it more difficult to attack Windows XP with SP2, even if the latest updates are not applied. These security technologies together are particularly useful in mitigation against worms and viruses. This white paper provides information about some of the improvements in SP2 as compared to Windows XP Service Pack 1 (SP1). In particular, Appendix C, Group Policy Settings Listed Under the Internet Communication Management Key provides information about some of the Group Policy settings available only in SP2 and later. These settings are designed to provide specific ways to control the way components in Windows XP with SP2 communicate with the Internet. For additional information about the differences between SP2 and SP1, see the following resources: The release notes for SP2 on the Microsoft Web site at:
http://go.microsoft.com/fwlink/?LinkId=23354 Changes to Functionality in Microsoft Windows XP Service Pack 2 on the Microsoft Web site at:
http://go.microsoft.com/fwlink/?LinkId=30566 Other papers about SP2 on the Microsoft Web site at:
186
Appendix E: Internet Connection Sharing, Windows Firewall, and Network Bridge

Internet Connection Sharing, Windows Firewall, and Network Bridge are features designed for home and small office networks. These features are included in Windows XP with SP2. Information about these features is presented here so you as an IT administrator can be aware of these potential capabilities within your organizations network when you install Windows XP with SP2. Note Windows Firewall was formerly called Internet Connection Firewall or ICF. This appendix includes the following: An overview of Internet Connection Sharing, Windows Firewall, and Network Bridge. How Internet Connection Sharing, Windows Firewall, and Network Bridge can be used in a managed environment. How to control or prevent the use of Internet Connection Sharing, Windows Firewall, and Network Bridge.
Overview: Internet Connection Sharing, Windows Firewall, and Network Bridge

The features for implementing and administering small networks are described as follows: Internet Connection Sharing (ICS)
With ICS, users can share a public Internet connection with a private home or small business network. In an ICS network, a single computer is chosen to be the ICS host. The ICS host has at least two network adapters: one connected to the Internet, one or more connected to the private network. All Internet-destined traffic flows through the ICS host. ICS uses DHCP to assign private IP addresses on the network, and Network Address Translation (NAT) to allow multiple computers on the private network to connect to the public network through the ICS host. There are security benefits in using ICS. Only the ICS host is visible from the Internet. The private network is hidden. Also, NAT blocks any network traffic that did not originate from the private network or is a response to traffic originating from the private network. In addition, ICS provides name resolution to the home network through a DNS proxy. Note You should not use Internet Connection Sharing in an existing network with Windows Server 2003 domain controllers, Domain Name System (DNS) servers, gateways, Dynamic Host Configuration Protocol (DHCP) servers, or systems configured for static IP addresses. Windows Firewall
Windows Firewall provides protection against network attacks for computers on which it is enabled. Windows Firewall does this by checking all communications that cross the connection and selectively blocking certain communications, according to the configuration settings you specify.
187
For more information about Windows Firewall, see the link to Deploying Windows Firewall Settings for Windows XP SP2 on the Microsoft Web site at: http://go.microsoft.com/fwlink/?LinkId=23354 Note Another feature in Windows XP with SP2 is the Security Center in Control Panel. The Security Center monitors the status of firewalls including Windows Firewall, the status of virus protection, and the status of the Automatic Updates setting. The Security Center notifies the user when the computer might be at risk by providing an icon and balloon message in the notification area. When the computer running Windows XP with SP2 is part of a domain (the usual scenario for a managed environment), by default these notifications are not displayed. For more information, see the explanatory text in the Group Policy setting, Turn on Security Center (domain PCs only). This setting is located in Computer Configuration\Administrative Templates\Windows Components\Security Center. Network Bridge
Network Bridge removes the need for routing and bridging hardware in a home or small office network that consists of multiple LAN segments. Network Bridge forwards traffic among the multiple LAN segments, making them appear to be a single IP subnet. Caution If neither Windows Firewall nor ICS is enabled on your network, do not set up Network Bridge between the public Internet connection and the private network connection. Setting up Network Bridge between the public Internet connection and the private network connection creates an unprotected link between your network and the Internet, leaving your network vulnerable to external attacks. When either Windows Firewall or ICS is enabled, this risk is mitigated.
Using Internet Connection Sharing, Windows Firewall, and Network Bridge in a Managed Environment
Windows Firewall is enabled by default on Windows XP with SP2. Internet Connection Sharing and Network Bridge are not enabled by default, and Internet Connection Sharing (ICS) is available only on computers that have two or more network connections. An administrator or user with administrative credentials can enable ICS by clicking the Advanced tab on network connections (Control Panel\Network Connections). Also, when running the New Connection Wizard, administrators can choose to enable ICS. ICS lets administrators configure a computer as an Internet gateway for a small network, and it provides network services such as name resolution through Domain Name System (DNS). It also provides addressing through Dynamic Host Configuration Protocol (DHCP) to the local private network. Using Windows Firewall, an administrator can enable a firewall to protect the public connection of a small network or single computer that is connected to the Internet. Windows Firewall is considered a "stateful" firewall. A stateful firewall is one that monitors all aspects of the communications that cross its path and inspects the source and destination address of each message that it handles. The Network Bridge menu command Bridge Connections is available only when two or more network adapters are present. By default, Network Bridge is disabled, but administrators can use Bridge Connections to enable Network Bridge. In a domain environment, you should not allow these features to be enabled or configured. See the following subsection for information about how to disable them.
188
It is important to be aware of all the methods users and administrators have for connecting to your networked assets, and to review whether your security measures provide in-depth defense (as contrasted with a single layer of defense, more easily breached).
Controlling the Use of Internet Connection Sharing, Windows Firewall, and Network Bridge
You can block administrators and users from accessing ICS, Windows Firewall, and Network Bridge by using answer files during initial installation and Group Policy post-deployment,
Using Answer Files for Unattended or Remote Installation

Using standard methods for preparing an unattended or remote installation, you can make entries in the [Homenet] section of the answer file. This section includes entries for installing home and small office networking settings for network adapters, Internet Connection Sharing, Windows Firewall, and Network Bridge. For example, to prevents users and administrators from enabling Internet Connection Sharing by using an answer file, the entry is as follows: [Homenet] EnableICS = No For additional configuration options for [Homenet] entries for the answer file, and for more information about unattended installation, see the references listed in Appendix A, "Resources for Learning About Automated Installation and Deployment." Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).
Using Group Policy to Disable Internet Connection Sharing, Windows Firewall, and Network Bridge
Group Policy settings for disabling small office networking features in your domain environment are as follows. Note For more details about any of the Group Policy settings, use a Group Policy interface to navigate to the setting and then click the Extended tab, or open the setting and then click the Explain tab. For other sources of information about Group Policy, see Appendix B, "Learning About Group Policy and Updating Administrative Templates." Prohibit use of Internet Connection Sharing on your DNS domain network, located in Computer Configuration\Administrative Templates\Network\Network Connections.
If you enable this policy setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. In the Advanced tab in the Properties dialog box for a local area network (LAN) or remote access connection, under Internet Connection Sharing, it says Internet Connection Sharing has been disabled by the Network Administrator. Also, if you enable this policy setting, the Internet Connection Sharing page is removed from the New Connection Wizard. Windows Firewall: Protect all network connections, located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile.
189
If you disable this policy setting, Windows Firewall does not run and cannot be started. Note that in Computer Configuration\Administrative Templates\Network\Network Connections, the setting called Prohibit use of Internet Connection Firewall on your DNS domain network still exists. This setting has no effect if Windows Firewall: Protect all network connections is enabled or disabled. However, if Windows Firewall: Protect all network connections is set to Not Configured, you can still prevent Windows Firewall from running by enabling Prohibit use of Internet Connection Firewall on your DNS domain network. (Internet Connection Firewall is the former name for Windows Firewall.) Prohibit installation and configuration of Network Bridge on your DNS domain network, located in Computer Configuration\Administrative Templates\Network\Network Connections.
When you enable this policy setting, administrators cannot create a Network Bridge. Enabling this policy setting does not remove an existing Network Bridge from a computer. Important Any of the preceding policy settings that have DNS in the name of the setting are dependent on the network context that the computer is in. They apply only when a computer is connected to the same DNS domain network it was connected to when the policy setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the policy setting was refreshed, the policy setting does not apply. For more information about home and small office networking features, see Help and Support Center in Windows XP with SP2.
190
Appendix F: Add Network Place Wizard and Web Publishing Wizard

In Microsoft Windows XP Professional with Service Pack 2 (SP2), users can use the Add Network Place Wizard to create shortcuts to shared folders and resources on the network or on Web or File Transfer Protocol (FTP) servers. Users can use the Web Publishing Wizard to publish files over the Internet or a local network so that those files can be viewed in a Web browser. If users do not have folders on a Web server already or do not have an account with a Web service provider, the Add Network Place Wizard or the Web Publishing Wizard can help them set these up. This appendix includes the following: An overview of the Add Network Place Wizard and the Web Publishing Wizard How to control the use of the Add Network Place Wizard and the Web Publishing Wizard
Overview: Add Network Place Wizard and Web Publishing Wizard

The Add Network Place Wizard and the Web Publishing Wizard are enabled by default for all users. Users use these wizards as follows: Add Network Place Wizard: Users access this wizard through My Network Places\Add a network place or in Windows Explorer through Tools\Map Network Drive (through the link labeled "Sign up for online storage or connect to a network server").
Users can use the wizard to sign up for a service that offers online storage space, or to create a shortcut to a Web site, an FTP site, or other local network connection. To add a shortcut in My Network Places to a folder on a Web server, the Web server must support network places. Supporting network places requires the Web Extender Client (WEC) protocol and Microsoft FrontPage Server Extensions, or the Web Distributed Authoring and Versioning (WebDAV) protocol and Internet Information Services (IIS). The user must also have read and write access to the Web server. Web Publishing Wizard: In Windows Explorer, when common tasks are shown, users can access this wizard through several different tasks. These tasks are Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web.
Users can use the Web Publishing Wizard to publish files over the Internet or a local network so that those files can be viewed in a Web browser. You can remove access to the Add Network Place Wizard and the Web Publishing Wizard using Group Policy. For more information about the WEC and WebDAV protocols, see About Web Folder Behaviors on the MSDN Web site at: http://go.microsoft.com/fwlink/?LinkId=29223
191
Controlling the Use of the Add Network Place Wizard and the Web Publishing Wizard
To control the Add Network Place Wizard and the Web Publishing Wizard, use Group Policy.
Controlling Whether the Wizards Download Information from a Microsoft Web site
To control whether the Add Network Place Wizard and the Web Publishing Wizard display a list of service providers downloaded from a Windows Web site, use the Group Policy setting Turn off Internet download for Web publishing and online ordering wizards. This setting is described in Appendix G, Online Ordering Wizards and Tasks.
Controlling the Use of the Add Network Place Wizard

To block users from accessing the Add Network Place Wizard from the Map Network Drive command, configure the following Group Policy setting in User Configuration\Administrative Templates\Windows Components\Windows Explorer: Remove "Map Network Drive" and "Disconnect Network Drive". This policy setting does the following: If you enable this policy setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in Windows Explorer and My Network Places. The system also removes these commands from menus that appear when you right-click the Windows Explorer or My Network Places icons. This policy setting does not prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box. This policy setting does not remove the Add Network Place task from My Network Places.
Controlling the Use of the Web Publishing Wizard

To control access to the Web Publishing Wizard and related tasks, configure a Group Policy setting. The File and Folder Tasks affected by this setting are Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web. The setting is located in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings, and is called Turn off the "Publish to Web" task for files and folders. If you want the policy setting to apply to all users of a computer and come into effect when the computer starts or when Group Policy is refreshed, use the setting listed in the preceding paragraph. If you want the policy setting to apply to users and come into effect when users log on or when Group Policy is refreshed, use the same setting in User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings.
192
Appendix G: Online Ordering Wizards and Tasks

In Microsoft Windows XP Professional, users can click tasks in Windows Explorer to run several different wizards to order picture prints online, sign up for a service that offers online storage space, or publish files that can be viewed in a browser. These wizards present the user with one or more service providers from which to request the online service. The task or wizard obtains the names and URLs of these service providers from two sources: a list stored locally (in the registry) and a list stored on a Microsoft Web site. By default, Windows displays providers from a list on the Microsoft Web site in addition to providers listed in the registry. As an administrator, you can use several Group Policy settings in Windows XP with SP2 to control the way the wizards and tasks work.
Wizards and Tasks That Can Be Used for Online Ordering

In Microsoft Windows XP Professional, users can use the following tasks in Windows Explorer and the following wizards for online ordering. Online Print Ordering Wizard and related tasks: In Windows Explorer, when common tasks are shown and the user selects either a picture or a folder that is configured as a picture folder, the user can choose picture tasks including Order prints online. This starts the Online Print Ordering Wizard.
A folder can be configured as a picture folder by right-clicking the folder, clicking Properties, clicking the Customize tab and, under Use this folder type as a template, selecting Pictures or Photo Album. The My Pictures folder is configured as a picture folder and cannot be configured as anything else. Add Network Place Wizard and related tasks: This wizard and the related tasks are described in Appendix F, Add Network Place Wizard and Web Publishing Wizard. Users can use the wizard to sign up for a service that offers online storage space. Web Publishing Wizard and related tasks: This wizard and the related tasks are described in Appendix F, Add Network Place Wizard and Web Publishing Wizard. Users can use the wizard to publish files over the Internet or a local network so that those files can be viewed in a Web browser.
Controlling the Way Online Ordering Wizards and Tasks Communicate with the Internet
You can control the way online wizards and tasks communicate with the Internet by using Group Policy settings available in Windows XP with SP2. Because the following Group Policy settings are part of Windows XP with SP2 but were not part of the original release of Windows Server 2003 nor of Windows 2000 Server with SP4, in order to use them, you must update your Administrative templates before you can use these settings. For more information, see Appendix B, "Learning About Group Policy and Updating Administrative Templates." To prevent the preceding wizards and tasks from accessing the Microsoft Web site for the list of providers to offer to users, configure the following Group Policy setting in Computer Configuration\Administrative Templates\System\Internet Communication
193
Management\Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards. By default, the Web publishing and online ordering wizards display providers downloaded from a Windows Web site in addition to providers specified in the registry. If you enable this setting, Windows will not download providers and only the service providers that are stored in the local registry will be displayed. When Windows XP with SP2 has been installed but the Web publishing and online ordering wizards have not yet been used, no service providers are stored in the local registry. If this Group Policy setting is applied at that time, the wizards will not display links to service providers. For more information about the registry keys in which providers can be specified, see Registering a Service on the MSDN Web site at: http://go.microsoft.com/fwlink/?LinkId=29134 To disable the Web Publishing Wizard and related File and Folder Tasks, see Appendix F, Add Network Place Wizard and Web Publishing Wizard. To disable the Online Print Ordering Wizard, configure the following Group Policy setting in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off the "Order Prints" picture task.
Note If you want the policy settings to apply to all users of a computer and come into effect when the computer starts or when Group Policy is refreshed, use the settings listed in the preceding paragraphs. If you want the policy settings to apply to users and come into effect when users log on or when Group Policy is refreshed, configure the same settings in User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings. For information about other settings that control the way wizards and other components communicate with the Internet, see Appendix C, Group Policy Settings Listed Under the Internet Communication Management Key.
194
Appendix H: New Connection Wizard and Internet Connection Wizard

In Microsoft Windows XP Professional with Service Pack 2 (SP2) you use the New Connection Wizard to create Internet and other types of network connections for home and small office networks. While this feature is designed for home and small office use, information about this feature is presented here so IT administrators can be aware of these potential capabilities within the organizations network. This appendix includes the following: An overview of the New Connection Wizard and a wizard that can be started from it, called the Internet Connection Wizard How to control the use of the New Connection Wizard and the Internet Connection Wizard that can be started from it
There is another wizard, accessible from Outlook Express, called the Internet Connection Wizard. To prevent users from running this wizard, remove visible entry points to Outlook Express, possibly by using the Sysocmgr command, as described in the Outlook Express 6 section of this white paper. For information about methods for configuring Internet Explorer, see the Internet Explorer 6 section of this white paper.
Overview: New Connection Wizard and Internet Connection Wizard

The New Connection Wizard in Windows XP with SP2 replaces the Windows 2000 Network Connection Wizard and Internet Connection Wizard. Administrators for a home or small office network can use the New Connection Wizard to create any type of network connection including Internet, incoming, dial-up, virtual private network (VPN), and direct connection. You can start the New Connection Wizard in a variety of ways: By starting any program that requires an Internet connection when no Internet connection has yet been configured. An example of such a program is Internet Explorer. By opening Network Connections and clicking Create a new connection. Network Connections can be opened in a variety of ways, including through Control Panel\Network Connections. By opening Internet Options and, on the Connections tab, clicking the Setup button. Internet Options can be opened in a variety of ways, including through Control Panel\Internet Options. By clicking Start, clicking Programs or All Programs, clicking Accessories, clicking Communications, and then clicking New Connection Wizard.
195
A wizard called the Internet Connection Wizard still appears when the user starts the New Connections Wizard, clicks Connect to the Internet, clicks Choose from a list of Internet Service Providers (ISPs), finishes the wizard, and clicks the resulting icon labeled Refer me to more Internet Service Providers. Another wizard called the Internet Connection Wizard can be started from Outlook Express if a user takes actions to set up a mail account or a newsgroup account. To prevent users from running this wizard, remove visible entry points to Outlook Express, possibly by using the Sysocmgr command, as described in the Outlook Express 6 section of this white paper.
Controlling the Use of the New Connection Wizard and the Internet Connection Wizard
You can control how users can use the New Connection Wizard and the related Internet Connection Wizard by configuring Group Policy. Note Some of the Group Policy settings described in this section do not affect administrators. The descriptions provide details. Group Policy setting: Disable Internet Connection Wizard
This Group Policy setting is in User Configuration\Administrative Templates\Windows Components\Internet Explorer. It affects administrators as well as users. If you enable this policy, the Setup button on the Connections tab in the Internet Options dialog box appears dimmed. Also, if you enable this setting, and a user running the New Connection Wizard clicks Choose from a list of Internet Service Providers (ISPs), finishes the wizard, and clicks Refer me to more Internet Service Providers, a message appears, saying that the user cannot run the Internet Connection Wizard. Note This policy overlaps with the Disable the Connections page policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Connections tab from the interface. A second wizard called the Internet Connection Wizard can be started from Outlook Express if a user takes actions to set up a mail account or a newsgroup account. To prevent users from running this wizard, remove visible entry points to Outlook Express, possibly by using the Sysocmgr command, as described in the Outlook Express 6 section of this white paper. Group Policy setting: Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
This Group Policy setting is in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings. It affects users but not administrators. This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). If you enable this setting, and a user running the New Connection Wizard clicks Choose from a list of Internet Service Providers (ISPs), finishes the wizard, and clicks Refer me to more Internet Service Providers, a message appears, saying that the user cannot complete the Internet Connection Wizard. This prevents users from retrieving the list of ISPs, which resides on Microsoft servers.
196
Important You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key." Group Policy setting: Prohibit Access to the New Connection Wizard
This Group Policy setting is in User Configuration\Administrative Templates\Network\Network Connections. It affects users but not administrators. This policy setting determines whether users can use the New Connection Wizard, which creates new Internet or intranet connections. Group Policy setting: Enable Windows 2000 Network Connections settings for Administrators
This Group Policy setting is also in User Configuration\Administrative Templates\Network\Network Connections. Note This policy setting is intended to be used in a situation in which the Group Policy object (GPO) contains computers running both Windows 2000 and Windows XP and identical Network Connections policy setting behavior is required between those computers. With this policy setting enabled, policy settings that exist in both Windows 2000 and Windows XP behave the same for administrators. The set of Network Connections policy settings that exists in Windows 2000 also exists in Windows XP. In Windows 2000, all of these policy settings have the ability to prohibit the use of certain features by administrators. By default, Network Connections policy settings in Windows XP do not prohibit the use of features from administrators. For information about using Group Policy, see Appendix B, "Learning About Group Policy and Updating Administrative Templates."
197
Related Links
This section contains a list of Web sites that are found in other sections of this white paper.
Links to Product Information, Support Information, TechNet, Microsoft Developer Network, and Information in Resource Kits
The following sites provide information about Windows XP and other Microsoft products. The list includes sites containing product documentation as well as other basic sites that provide information about Microsoft operating systems and other Microsoft products: Windows XP and Windows XP Service Pack 2:
http://www.microsoft.com/windowsxp/ http://go.microsoft.com/fwlink/?LinkId=25243 http://go.microsoft.com/fwlink/?LinkId=23354 Product documentation for Windows Server 2003:
http://go.microsoft.com/fwlink/?LinkId=29881 Microsoft product support:
http://support.microsoft.com/ Microsoft TechNet:
http://www.microsoft.com/technet/ Microsoft Developer Network:
http://msdn.microsoft.com/ Prescriptive Architecture Guides:
http://go.microsoft.com/fwlink/?LinkId=29413 Windows Deployment and Resource Kits (includes links to the Windows Server 2003 Deployment Kit and the Windows Server 2003 Technical Reference):
http://www.microsoft.com/windows/reskits/ Microsoft Resource Kits:
http://go.microsoft.com/fwlink/?linkid=29894 Internet Explorer Administration Kit:
http://go.microsoft.com/fwlink/?linkid=29479 NetMeeting 3 Resource Kit (the NetMeeting section in this white paper provides links to specific chapters in this kit):
198
Links to Information About Security, Management, and Deployment

The following sites provide information about security, management, and deployment topics: Managing mobile code:
http://go.microsoft.com/fwlink/?linkid=29170 The Windows XP Professional Resource Kit documentation:
http://www.microsoft.com/windows/reskits/ Automating and Customizing Installations in the Microsoft Windows Server 2003 Deployment Kit:
http://go.microsoft.com/fwlink/?LinkId=29887 Using scripts:
http://go.microsoft.com/fwlink/?LinkId=24771 http://go.microsoft.com/fwlink/?LinkId=29221 Security:
http://www.microsoft.com/security/guidance/ http://go.microsoft.com/fwlink/?LinkId=29168 http://www.microsoft.com/windows/security/ http://msdn.microsoft.com/security/ http://www.microsoft.com/technet/security/
Links to Information About Components in Windows XP Professional SP2

The following sites provide information about some of the components in Windows XP Professional SP2: Add Network Place Wizard (specifically, related protocols called the Web Extender Client protocol and the Distributed Authoring and Versioning protocol):
http://go.microsoft.com/fwlink/?LinkId=29223 Certificates, certificate status, certificate revocation, and Public Key Infrastructure (PKI): http://go.microsoft.com/fwlink/?linkid=29886 http://go.microsoft.com/fwlink/?LinkId=27081
For more information, also see Links to Sites Maintained by Task Forces and Other Organizations, later in this section. Dynamic Update:
199
File association Web service (specifically, the related process of using Group Policy to remotely install software):
http://go.microsoft.com/fwlink/?linkid=29166 For more information about the file association Web service, also see Language codes in this list. Help and Support Center Headlines (for an explanation of how Headlines and the Newsver.xml file work, see "Help and Support Center: The Headlines and Online Search features," earlier in this white paper):
http://windows.microsoft.com/windowsxp/newsver.xml HyperTerminal (on the Hilgraeve Web site):
http://go.microsoft.com/fwlink/?linkid=29890 Internet Explorer:
http://www.microsoft.com/windows/ie/ For more information about Internet Explorer, also see the following: Microsoft Resource Kits and "Internet Explorer Administration Kit" in "Links to Product Information, Support Information, TechNet, Microsoft Developer Network, and Information in Resource Kits," earlier in this section. Language codes in this list. Set Program Access and Defaults in this list. Internet games:
http://www.zone.msn.com Internet Information Services in Windows XP SP2: http://go.microsoft.com/fwlink/?linkid=29895 http://go.microsoft.com/fwlink/?linkid=29174 http://go.microsoft.com/fwlink/?linkid=29896 Internet printing: http://go.microsoft.com/fwlink/?LinkId=29209 http://go.microsoft.com/fwlink/?LinkId=29131 Internet Protocol version 6 (IPv6):
http://go.microsoft.com/fwlink/?LinkId=29519 For more information about IPv6, also see Links to Sites Maintained by Task Forces and Other Organizations, later in this section. Language codes (used in Internet Explorer and the file association Web service when a language is being specified):
http://go.microsoft.com/fwlink/?linkid=29165 MSN Explorer (specifically, the privacy statement for the MSN.com Web site):
http://privacy.msn.com/
200
NetMeeting: http://www.microsoft.com/windows/NetMeeting/ http://go.microsoft.com/fwlink/?LinkId=29175 http://go.microsoft.com/fwlink/?LinkId=29206 http://go.microsoft.com/fwlink/?LinkId=29207
For more information about NetMeeting, also see the following: Links to Sites Maintained by Task Forces and Other Organizations, later in this section. "NetMeeting 3 Resource Kit" in "Links to Product Information, Support Information, TechNet, Microsoft Developer Network, and Information in Resource Kits," earlier in this section. Online Print Ordering Wizard:
http://go.microsoft.com/fwlink/?LinkId=29134 Outlook Express 6 (specifically, Sysocmgr.exe, a tool that helps you control whether entry points are visible for Outlook Express): http://go.microsoft.com/fwlink/?LinkId=31023 http://go.microsoft.com/fwlink/?LinkId=31120
For more information about Outlook Express, also see Internet Explorer and Set Program Access and Defaults in this list. Program Compatibility Wizard (specifically, the Windows Application Compatibility Toolkit, which can be used with the Program Compatibility Wizard):
http://go.microsoft.com/fwlink/?LinkId=29880 Remote Assistance:
http://go.microsoft.com/fwlink/?LinkId=29212 Search Companion:
http://sa.windows.com/privacy/ Set Program Access and Defaults (affects Internet Explorer, Outlook Express, Windows Media Player, and Windows Messenger): http://go.microsoft.com/fwlink/?linkid=29306 http://go.microsoft.com/fwlink/?linkid=29309 Web Publishing Wizard:
http://go.microsoft.com/fwlink/?LinkId=29134 Windows Error Reporting: http://go.microsoft.com/fwlink/?LinkId=825 http://go.microsoft.com/fwlink/?LinkId=29903 http://go.microsoft.com/fwlink/?LinkId=29517
201
Windows Media Player: http://www.microsoft.com/Windows/WindowsMedia/ http://go.microsoft.com/fwlink/?LinkId=29521 http://go.microsoft.com/fwlink/?LinkId=29867 http://go.microsoft.com/fwlink/?LinkId=29870 http://go.microsoft.com/fwlink/?LinkId=29868 http://go.microsoft.com/fwlink/?LinkId=29862 http://go.microsoft.com/fwlink/?LinkId=29864 http://go.microsoft.com/fwlink/?LinkId=29863
For more information about Windows Media Player, also see Set Program Access and Defaults in this list. Windows Messenger: http://go.microsoft.com/fwlink/?LinkId=29865 http://go.microsoft.com/fwlink/?LinkId=29216 http://go.microsoft.com/fwlink/?LinkId=29218 http://go.microsoft.com/fwlink/?LinkId=29219
For more information about Windows Messenger, also see Set Program Access and Defaults in this list. Windows Movie Maker: http://www.microsoft.com/windowsxp/moviemaker/default.asp http://go.microsoft.com/fwlink/?LinkId=27987 Windows Update and Automatic Updates: http://windowsupdate.microsoft.com/ http://go.microsoft.com/fwlink/?LinkId=29906
Links to Information About Licensing, Product Activation, and Registration

The following sites provide information about licensing, product activation, and registration: http://go.microsoft.com/fwlink/?LinkId=29878 http://go.microsoft.com/fwlink/?linkid=29225 http://go.microsoft.com/fwlink/?LinkId=29484 http://go.microsoft.com/fwlink/?LinkId=29923 http://go.microsoft.com/fwlink/?linkid=29226 http://go.microsoft.com/fwlink/?LinkId=29508
202
Links to Sites Maintained by Task Forces and Other Organizations

The following sites are maintained by the Internet Engineering Task Force: http://go.microsoft.com/fwlink/?LinkId=29898 http://go.microsoft.com/fwlink/?LinkId=29135 http://go.microsoft.com/fwlink/?LinkId=29136 http://go.microsoft.com/fwlink/?LinkId=29215 http://go.microsoft.com/fwlink/?LinkId=29924
The following site is maintained by the International Multimedia Telecommunications Consortium: http://www.imtc.org/ The following site is maintained by the International Telecommunication Union: http://go.microsoft.com/fwlink/?LinkId=29510 (Web addresses can change, so you might be unable to connect to the Web sites mentioned here.)
Links to Information About Group Policy

The following sites provide information about topics related to Group Policy: The Group Policy Technology Center Web site at:
http://www.microsoft.com/grouppolicy/ The Group Policy page on the TechNet Web site at:
http://www.microsoft.com/technet/grouppolicy/ Designing a Managed Environment in the Microsoft Windows Server 2003 Deployment Kit at:
http://go.microsoft.com/fwlink/?LinkId=29887 Information about the Group Policy Management Console at the Microsoft Windows Server 2003 Web site at:
http://go.microsoft.com/fwlink/?linkid=29909 The Group Policy Collection of the Windows Server 2003 Technical Reference at:
http://go.microsoft.com/fwlink/?LinkId=29907 Article 816662, "Recommendations for Managing Group Policy Administrative Template (.adm) Files" in the Microsoft Knowledge Base at:
http://go.microsoft.com/fwlink/?LinkId=29128 The Group Policy Settings Reference on the Microsoft Web site at:
203
204

MN XPSP2

Uploaded by

Copyright:

Available Formats

MN XPSP2

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MN XPSP2

Uploaded by

Copyright:

Available Formats

Using Windows XP Professional with Service Pack 2 in a Managed Environment: Controlling Communication with the Internet

Microsoft Corporation Published: July 2004

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Types of Components Covered in This White Paper

Types of Components Not Covered in This White Paper

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Other Sources of Information About Security Basics

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Activation and Registration Associated with a New Installation or an Upgrade

Purposes of Activation and Registration Associated with a New Installation or an Upgrade

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Overview: Activation and Registration in the Context of a Managed Environment

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Activation Improvements in Windows XP Service Packs

Procedure for Preventing Online Product Registration with Microsoft

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Certificate Support and the Update Root Certificates Component

Benefits and Purposes of Certificate Functionality

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Overview: Using Certificate Components in a Managed Environment

Using Windows XP Professional with Service Pack 2 in a Managed Environment

How Update Root Certificates Communicates with Sites on the Internet

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Using Windows XP Professional with Service Pack 2 in a Managed Environment

To Disable the Update Root Certificates Component by Using Group Policy

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Device Manager and Hardware Wizards

Benefits and Purposes of Device Manager

Overview: Using Device Manager in a Managed Environment

Using Windows XP Professional with Service Pack 2 in a Managed Environment

How Hardware Wizards Communicate with Sites on the Internet

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Benefits and Purposes of Dynamic Update

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Overview: Using Dynamic Update in a Managed Environment

How Dynamic Update Communicates with Sites on the Internet

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Steps to Take and Effect on Dynamic Update

Steps to Take and Effect on Dynamic Update

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Avoiding Dynamic Update

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Procedures for Controlling Dynamic Update

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Benefits and Purposes of Event Viewer

Overview: Using Event Viewer in a Managed Environment

Using Windows XP Professional with Service Pack 2 in a Managed Environment

How Event Viewer Communicates with Sites on the Internet

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Using Windows XP Professional with Service Pack 2 in a Managed Environment

Using Windows XP Professional with Service Pack 2 in a Managed Environment

File Association Web Service