IBM win XP SP2問題解決

[psac]

IBM users are directed to not install SP2 at this time.

What is a Service Pack? Service packs are the means by which Microsoft Windows product updates are distributed. Service packs keep the product current, and extend and update your computer's functionality. Service packs include updates, system administration tools, drivers, and additional components.





As you may have heard, Microsoft is preparing to make available Service Pack 2 (SP2) for Windows XP in mid-August of this year. IBM is directing users not to install Service Pack 2 due to known application problems.

Microsoft recognizes that SP2 will change the behavior of Internet Explorer and cause some application incompatibilties. IBM's large number of web applications will need to be tested and some modified to work correctly with SP2. Currently some high profile, business critical applications are known to conflict with SP2. With SP2, Microsoft is also trying to dramatically tighten the level of security provided by the operating system. However, some of these efforts conflict with the security tools already in place in IBM. When the current issues and concerns have been addressed, IBM will migrate users to a customized version of SP2.
Known Issues and Conflicts

1. Windows XP SP2 has yet to be fully tested. IBM has over 5,000 worldwide enterprise applications, many of which we must ensure work properly with SP2. The service pack contains data execution prevention code that marks all memory locations in a process as non-executable unless the location explicitly contains executable code. There is a class of attacks that attempt to insert and execute code from non-executable memory locations. Data execution prevention helps prevent these attacks by intercepting them and raising an exception. The result is that there may be some IBM applications that do not function properly.





--------------------------------------------------------------------------------

2. The new Windows Security Center introduced with this Service Pack conflicts with the standard client. The Windows Security Center is programmed to detect third party client firewall and antivirus programs, but it does not properly detect the version IBM has deployed. So while the Windows Security Center may imply that a machine is at risk or noncompliant, this is not necessarily the case. In addition, the functionality of the Windows Security Center is a duplication of IBM's Workstation Security Tool (WST).


IBM Customizations

IBM is creating registry keys to provide to users via ISSI that will disable the Windows Security Center, to prevent confusion related to its reporting. The registry values that will be added are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
// Have MSC Stop Monitoring AV, FW, and AU
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
// Disable antivirus and firewall check at boot time




--------------------------------------------------------------------------------

3. Windows XP SP2 enables Automatic Updates by default. The standard IBM client for e-business comes with Windows Automatic Update (AU) disabled, in favor of the use of ISSI and EZUpdate. Although the benefit of enabling AU for home users is clear, many software packages are untested on the IBM client for e-business, which is why IBM does not use the function.


IBM Customizations

IBM is creating registry keys to provide to users via ISSI that will disable the Automatic Update utility, to prevent confusion related to its reporting. The registry values that will be added are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000001
// Turn OFF Automatic Updates




--------------------------------------------------------------------------------

4. The Microsoft Firewall conflicts with the Zone Labs Integrity Desktop. The ZLID client firewall provides exceptional protection from known threats and malicious network activity. The Microsoft Firewall is enabled by default in SP2, causing a conflict and blocking applications that IBM has pre-programmed to allow through ZLID.


IBM Customizations

IBM is creating registry keys to provide to users via ISSI that will disable the Microsoft Firewall, to prevent confusion related to its reporting. The registry values that will be added are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000
// Disable Firewall Policy for the Domain Profile
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
// Disable Firewall Policy for the Standard Profile


Although testing indicates that the Microsoft Firewall and ZLID can function concurrently, there is no guarantee that a conflict will not occur. Both products operate as a shim in the network stack, which should cause a system conflict. The result of both firewalls running is that the Microsoft Firewall will generate pop-up alerts for applications already secured by ZLID.





--------------------------------------------------------------------------------

5. The Internet Explorer pop-up blocking feature breaks applications. While pop-up blocking is a feature for which many users want, some web applications depend on this pop-up feature. IBM is testing all web applications for compatibility and working with our external software vendors to remediate these and other issues relative to this new, forthcoming Service Pack for Windows XP.

Microsoft's pop-up blocking technology prevents the the window.open() and showHelp() methods of opening a new window from functioning. However, a new user interface called InewWindowManager has been added to allow developers to request new windows for web applications.


IBM Customizations

IBM is creating registry keys to provide to users via ISSI that will disable the Internet Explorer 6 pop-up blocker which is no change from today's user experience. Users will still be able to enable the pop-up blocker via the user interface. The registry values that will be added are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000001
"1004"=dword:00000001
"1200"=dword:00000000
"1809"=dword:00000003
// This and the following settings disable the Pop-Up Blocker, and sets the ActiveX Component
handling to the Pre-SP2 style. The Pop-Up Blocker has some potential issues with CRM,
e-meetings, etc. In detail:
Setting 1001 = 1 means that the download signed ActiveX controls requires a prompt
Setting 1004 = 1 means that the download unsigned ActiveX controls requires a prompt
Setting 1200 = 0 means that the download signed ActiveX controls requires a prompt
Setting 1809 = 3 means that the pop-up blocker is disabled
// This set of four settings is repeated below for each Internet Zone and for both the Local
Machine and the Current User
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000001
"1004"=dword:00000001
"1200"=dword:00000000
"1809"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000001
"1004"=dword:00000001
"1200"=dword:00000000
"1809"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000001
"1200"=dword:00000000
"1809"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1001"=dword:00000001
"1004"=dword:00000001
"1200"=dword:00000000
"1809"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000001
"1004"=dword:00000001
"1200"=dword:00000000
"1809"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000001
"1004"=dword:00000001
"1200"=dword:00000000
"1809"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000001
"1004"=dword:00000001
"1200"=dword:00000000
"1809"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000001
"1200"=dword:00000000
"1809"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1001"=dword:00000001
"1004"=dword:00000001
"1200"=dword:00000000
"1809"=dword:00000003

[leowang]

這是啥東東ㄚ........
好像是一些登錄的東西
這是做啥用的

英文!!看不懂!