Securityvulns: SECURITYVULNS:DOC:7384
Dec 18, 2004 - 12:00 a.m.

Description of the critical update for Windows Firewall "My Network (subnet) only" scoping in Windows XP Service Pack 2

vulners.com

Article ID : 886185
Last Review : December 18, 2004
Revision : 2.0

SUMMARY
This article describes Critical Update for Windows XP (KB886185). This update helps narrow the definition of the My network (subnet) only, or local subnet, scope option in Windows Firewall. This is helpful in situations where Windows Firewall would consider a large network to be on the local subnet because of how the dial-up software configured the route tables. After you install Critical Update for Windows XP (KB886185), you may have to restart your computer.
SYMPTOMS
After you set up Windows Firewall in Microsoft Windows XP Service Pack 2 (SP2), you may discover that anyone on the Internet can access resources on your computer when you use a dial-up connection to connect to the Internet. For example, after creating an exception in Windows Firewall for File and Printer Sharing, you may discover that anyone can access shared files and printers.

Note Windows Firewall automatically selects the My network (subnet) only scope option when you create an exception for File and Printer Sharing.
CAUSE
Because of the way that some dialing software configures routing tables, Windows Firewall in Windows XP SP2 can sometimes interpret the whole Internet to be a local subnet. This can let anyone on the Internet access a Windows Firewall exception if the exception is configured to use the My network (subnet) only scope option.
RESOLUTION
Update information
Download information
To resolve this problem, you must download and install Critical Update for Windows XP (KB886185). You can download and install Critical Update for Windows XP (KB886185) by using the Windows Update Web site or the Microsoft Download Center.
Windows Update
To download and install Critical Update for Windows XP (KB886185) by using the Windows Update Web site, follow these steps:
1. Start Microsoft Internet Explorer.
2. On the Tools menu, click Windows Update.
3. Follow the instructions on the screen to update your computer.

Microsoft Download Center
The following file is available for download from the Microsoft Download Center:

Download the Critical Update for Windows XP 886185 package now.

Release Date: December 14, 2004

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Prerequisites
You must be running one of the following operating systems:
• Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Media Center Edition with Windows XP Service Pack 2
• Microsoft Windows XP Tablet PC Edition 2005

Deployment information

To install this critical update without any user intervention, use the following command:
windowsxp-kb886185-x86-enu.exe /passive /quiet

To install this critical update without forcing the computer to restart, use the following command:
windowsxp-kb886185-x86-enu.exe /norestart
Note You can combine these switches in one command line. For additional information about the command-line switches that can be used with critical update 886185, click the following article number to view the article in the Microsoft Knowledge Base:
262841 Command-line switches for Windows Software Update packages
For information about how to deploy this critical update by using Software Update Services (SUS), visit the following Microsoft Web site:
http://www.microsoft.com/windowsserversystem/sus/default.mspx
Removal information
To remove this critical update, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this critical update. Spuninst.exe is located in the %windir%\$NTUninstallKB886185$\Spuninst folder. The utility supports the following Setup switches:
• /? : Show the list of installation switches.
• /u : Use Unattended mode.
• /f : Force other programs to quit when the computer shuts down.
• /z : Do not restart when the installation is completed.
• /q : Use Quiet mode (no user interaction).

Restart requirement
You may have to restart your computer after you apply this update.
Update replacement information
This update does not replace any other updates.
File information
The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Date         Time   Version        Size     File name  Folder
29-Sep-2004  22:28  5.1.2600.2524  134,912  Ipnat.sys  SP2GDR
29-Sep-2004  22:31  5.1.2600.2524  134,912  Ipnat.sys  SP2QFE
For additional information about Windows XP Service Pack 2 software update packages, click the following article number to view the article in the Microsoft Knowledge Base:
824994 Description of the contents of Windows XP Service Pack 2 and Windows Server 2003 software update packages
MORE INFORMATION

Some dial-up software configures the routing tables in a way that leads the Windows Firewall to determine that the whole dial-up connection is on the local subnet. After you install Critical Update for Windows XP (KB886185), Windows Firewall will no longer interpret network connections to be on the local subnet if they have IP Route Table entries that have an IP address of 0.0.0.0 and a mask of 0.0.0.0. This means that any port exceptions or program exceptions that use the My network (subnet) only scope option in Windows Firewall will not be available over most dial-up connections. You will still be able to access exceptions over a dial-up connection if you remove all scope restrictions or if you create a custom scope for exceptions.

Local network subnet configuration varies depending on the network that you are connected to and how that network is configured. Using the My network (subnet) only scope restriction does not guarantee security because it relies on the network subnet configuration to define what is the local network.

Important We strongly recommend that you use the custom scope option when you want to make sure that no unwanted incoming traffic is permitted to pass through your firewall exceptions.

To access the custom scope options for an exception, follow these steps:
1. Log on to your computer as a member of the local Administrators group.
2. Click Start, click Run, type firewall.cpl, and then click OK.
3. In Windows Firewall, click the Exceptions tab. Click the program or service that you want to create an exception for.
4. Click Edit, click Change scope, and then click Custom list.
For more information about configuring Windows Firewall, visit the following Microsoft TechNet Web page:
http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx
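
The scoping behavior described in this section can be modeled in a few lines. The following is an added example, not Microsoft code and not the Ipnat.sys logic: it is a simplified model built from the wording above, and the route entries, connection names, addresses and function names are all constructed for illustration.

```python
import ipaddress

# Constructed route entries: (connection, destination, netmask).
# Simplified: gateways and metrics are ignored in this model.
ROUTES = [
    ("dialup", "0.0.0.0",       "0.0.0.0"),          # entry added by the dialer
    ("dialup", "198.51.100.23", "255.255.255.255"),
    ("lan",    "192.168.1.0",   "255.255.255.0"),
]

def to_network(dest, mask):
    # Count the set bits of the mask to get the prefix length.
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_network((dest, prefix))

def connections_with_default_entry(routes):
    """Connections that carry a 0.0.0.0 / 0.0.0.0 route entry."""
    return {c for c, d, m in routes if (d, m) == ("0.0.0.0", "0.0.0.0")}

def local_subnets(routes, patched):
    """Networks this model treats as 'My network (subnet) only'."""
    skip = connections_with_default_entry(routes) if patched else set()
    return [to_network(d, m) for c, d, m in routes if c not in skip]

def exception_allows(remote, scope, routes, patched=False, custom=()):
    """Would a firewall exception with this scope accept traffic from remote?"""
    addr = ipaddress.ip_address(remote)
    if scope == "any":
        return True
    if scope == "subnet":
        nets = local_subnets(routes, patched)
    elif scope == "custom":
        nets = [ipaddress.ip_network(c) for c in custom]
    else:
        raise ValueError(f"unknown scope: {scope}")
    return any(addr in n for n in nets)

if __name__ == "__main__":
    internet_host = "203.0.113.7"   # constructed remote address
    for patched in (False, True):
        print("patched" if patched else "unpatched",
              exception_allows(internet_host, "subnet", ROUTES, patched))
    print("custom", exception_allows(internet_host, "custom", ROUTES,
                                     custom=["192.168.1.0/24"]))
```

In this model the custom scope gives the same answer before and after the update, because it does not depend on the route table at all.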


APPLIES TO
• Microsoft Windows XP Home Edition Service Pack 2 (SP2)
• Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Tablet PC Edition 2005
• Microsoft Windows XP Media Center Edition Service Pack 2 (SP2)


Keywords: kbfix kbbug kbfirewall atdownload kbtshoot KB886185