Upgrade from 2000 - Local Security Settings desensitized

[Guest]

I was upgrading computers from Windows 2000 Professional to Windows XP.
I performed the recommended upgrade operation since that was simplest.
There were no problems during the process of upgrading. After the upgrade,
I installed service pack 2 but turned off the firewall. I found that
several options in the Local Security Policy / Security Options were
desensitized and they could not be set. This includes the 'Network Access:
Sharing and security model for local accounts' setting. Subsequently,
there seemed to be a security problem that disallowed applications from
connecting to the computer.

When I instead performed the full installation of Windows XP, the Local
Security Policy settings were not desensitized. What settings in XP could
be causing the security settings to be desensitized? I need to be able to
perform 2000 upgrades.
Thanx.

 

[Gerry Hickman]

Hi,

I was upgrading computers from Windows 2000 Professional to Windows XP.

Bad move.

Always do clean installs, otherwise you can get subtle LSA problems. Why
on earth anyone would want to "upgrade" to XP on a corporate setup is
beyond me.

 

[Guest]

Mine is not to question the wishes of our project teams who demand that we
are able to upgrade from Win2k Pro to WinXP Pro. Quite frankly, Microsoft
sanctions this as well. When I put my install CD in, the install RECOMMENDS
that an upgrade, not a full install, is performed.

Is there a technical reason for these security problems?

 

[Gerry Hickman]

Hi Brian,

Mine is not to question the wishes of our project teams who demand that we
are able to upgrade from Win2k Pro to WinXP Pro. Quite frankly, Microsoft
sanctions this as well. When I put my install CD in, the install RECOMMENDS
that an upgrade, not a full install, is performed.

Microsoft will promote which ever route they think will be "easy" for
home users. That does not mean Enterprise Admins have to follow in their
footsteps. Enterprise guys do NOT go round putting in CDs, they use PXE,
RIS, GHOST etc.

Unfortunately, the problems with upgrades are never documented - the
reason being it would come across as bad press. One of the classic
examples being NT profiles are not compatible with 2000 profiles, but it
doesn't actually say that in the readme.txt file, another is the way
NTFS permissions and the LSA end up getting inherited, so it's never
like a clean system would be.

The main problem with upgrading, however, is that you have no baseline,
you can not run a differencing engine against your registry and your
DLLs, because you don't have an official clean-install and registry to
start with.

Upgrades are strictly for home users.