A few months ago, I discussed several file-access problems that Windows XP Service Pack 1 (SP1) users experience when they access files on a Windows 2000 domain controller (DC) or file server on which Server Message Block (SMB) signing is enabled. (See "Solving XP SP1 Network File Errors,".) An incompatibility in how an XP system negotiates signed SMB packets with Win2K causes a variety of file-access errors, including the inability to save a file, the inability to copy files, and error messages indicating that a file or network path doesn't exist (even when the file and network share are valid). XP SP1 clients also have difficulty applying group policies and encounter errors running logon scripts. When you have problems applying Group Policy on the client, you’ll see messages in the event log stating that Group Policy processing was aborted (e.g., event ID 1058 from UserEnv or event ID 1030 from SceCli).
When Microsoft first addressed this problem, the company announced a Win2K fix, pulled the fix, and recommended you disable SMB signing as a temporary workaround. I heard from several readers that the workaround reduced, but didn’t eliminate, file-access errors. Microsoft has reclassified the fix for the SMB signing/file-access problem as a security vulnerability in Security Bulletin MS02-070 (Flaw in SMB Signing Could Enable Group Policy to be Modified).
Now you can download a permanent fix that correctly implements SMB signing between XP and Win2K systems and eliminates a security flaw as well. You need to download at least two versions of the security hotfix, one for XP SP1 clients and one for Win2K servers that host client-accessible files. Both updates are packaged with the hotfix utility, which lets you install the update interactively or by using a script. Here’s a quick review of the hotfix command-line options:
- /?—display the list of installation switches
- /u—run in unattended mode
- /f—force other programs to quit when the computer shuts down
- /n—don't back up files for removal
- /o—overwrite OEM files without prompting
- /z—don't restart when installation is complete
- /q—quiet mode (no user interaction)
- /l—list installed hotfixes
- /x—extract the files without running Setup
The XP fix solves file-access error problems and eliminates a Group Policy vulnerability documented in MS02-070. You need to install this update—a new version of srv.sys with a file release date of October 21, 2002—on all XP SP1 systems. Because srv.sys is a protected system file, you must reboot to load the new version. Click here to download the 32-bit version of the patch. Click here to download the 64-bit XP version.
The Win2K fix corrects the SMB signing problem on Win2K SP3 and SP2 systems and eliminates the same Group Policy vulnerability. The fix updates nine components, including two core server service files and several files that support local and remote printing. Most of the files have a release date of November 1, 2002. You need to install this update on all Win2K systems that host Group Policy, logon scripts, files, and printers for XP clients, but only if SMB signing is enabled. Unless you override installation defaults, Setup configures Win2K DCs with SMB signing enabled, which means you should install this fix on all DCs. You can also enable this feature on Win2K servers by editing SMB parameters in the registry. This hotfix is incompatible with Win2K versions earlier than SP2, so you’ll need to upgrade affected systems to SP2 or, better yet, SP3, before you install the hotfix. Click here to download the Win2K version of the hotfix. You need to reboot to complete the process.
Microsoft Removes Hard-Coded IE Links
Here’s some good news for Windows 2000 users who prefer a third-party browser over the native Win2K Internet Explorer (IE). If you routinely use Netscape or another vendor’s browser for Web-enabled activities, you’re aware that you can’t use your preferred browser for all Win2K browser-aware functions. Microsoft has hardwired IE as the default browser in many functions, including Win2K Help, the Accessibility Wizard, Add/Remove Programs, and on the Active Desktop. For example, although you define Netscape as the default browser, you can't avoid IE when you ask for Help or when you change features on the Active Desktop.
If you want to use your default browser in all Win2K browser-aware functions, you can install the patch that removes the hard links to IE. After you install this patch, Win2K should start the default browser, not IE, in all browser-aware applications. You can download 23 language-specific versions of this modification here. The patch contains 14 files with file release dates between November 22 and December 10, 2002. According to the Microsoft article "Hyperlinks Open in Internet Explorer Instead of in the Default Browser", this patch is also available as a critical update at the Windows Update site.
