Improvements to the Windows firewall in Vista

This content is 18 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

I recently attended a Windows Vista security session at Microsoft, presented by Steve Lamb. Windows Vista security is too broad to cover in a single presentation (or even in a single blog post!) but some of the key points that Steve concentrated on were around the Windows firewall and IPsec. This post picks up on the main points from Steve’s presentation.

The Windows XP firewall was criticised by some because it only inspected inbound traffic. Microsoft responded to customer demands and, in Windows Vista, the firewall also inspects outbound traffic; however it should be noted that a compromised machine can have its firewall disabled, so the presence of the firewall is not a reason to feel complacent; indeed Steve Lamb used the term security theatre (http://en.wikipedia.org/wiki/Security_theatre) to highlight security products that promise much and offer little.

Consider the following process:

The fundamental issue with client firewalls

I wrote about this problem a while back, but in short, outbound control can only be relied upon where the computer is not compromised and the user cares about security – i.e. not on those machines where it is needed (compromised computers where the users don’t care about security)! It can be useful for restricting known software from communicating; however in such cases, prompting should be disabled.

Trying to find a balance between ease of use/flexibility and security, the default actions for the Windows firewall are:

  • Inbound – block most traffic, with a few exceptions.
  • Outbound – allow all interactive traffic but restrict services.

Allow/block rules can be configured for programs, services, users, computers, protocols or ports.

The Windows Vista firewall feature list is extended in other ways too:

Feature             Windows XP SP2                          Windows Vista
Direction           Inbound                                 Inbound and outbound
Default action      Block                                   Configurable for direction
Packet types        TCP, UDP, some ICMP                     All
Rule types          Application, global ports, ICMP types   Multiple conditions (programs, services, users, computers, protocols or ports)
Rule actions        Block                                   Block, allow, bypass; with rule merge logic
UI and tools        Control Panel, netsh                    Control Panel, netsh, MMC
APIs                Public COM, private C                   More COM to expose rules, more C to expose features
Remote management   None                                    Hardened RPC interface
Group policy        Administrative template                 MMC, netsh
Terminology         Exceptions; profiles                    Rules; categories

The Windows filtering platform (WFP) is a series of APIs, designed to allow developers to hook into the network stack without requiring kernel changes. WFP provides authenticated communication, dynamic firewall configuration, a foundation for the Windows firewall and IPsec, works with encrypted traffic, and because it is fully documented there is little risk that a service pack release will break third-party applications. Architecturally, this also provides improvements with synchronous API calls, exposure of the user context for auditing policy changes, access control lists on API calls (no longer relying on registry ACLs, which carried an escalation of privilege risk) and incremental policy updates.

Firewall configuration is still available from the Control Panel (with a few minor presentation differences); however a new Windows Firewall with Advanced Security MMC snap-in is provided which can also be used to assign settings to remote computers and to apply IPsec configuration. The new MMC snap-in is complemented with a new netsh advfirewall command line interface.

When merging and evaluating rules, the following order is applied, from highest priority to lowest:

  • Service restrictions (restricting connections that can be established by services – operating system services are configured appropriately by default).
  • Connection rules (restricting connections from particular computers using IPsec for authentication and authorisation).
  • Authenticated bypass (allowing specified computers to bypass other rules).
  • Block rules (explicitly blocking incoming or outgoing traffic).
  • Allow rules (explicitly allowing incoming or outgoing traffic).
  • Default rules (the default behaviour for a connection).

It should be noted that these rules are stored in the registry; however editing them directly is unsupported.
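To make that precedence concrete, here is a small Python model of the merge order, added for this post (it is not Microsoft's code, and matching is simplified to exact direction/protocol/port/service/remote-address checks so that the priority order itself is what shows); the sample rules, service name and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Rule categories from highest to lowest priority, as listed in the post.
PRIORITY = ("service_restriction", "connection_security",
            "authenticated_bypass", "block", "allow")

# Vista defaults: inbound is blocked, outbound is allowed.
DEFAULTS = {"in": "block", "out": "allow"}


@dataclass
class Rule:
    kind: str                      # one of PRIORITY
    direction: str = "any"         # "in", "out" or "any"
    protocol: str = "any"          # "tcp", "udp" or "any"
    port: Optional[int] = None     # port the rule applies to, None for any
    service: Optional[str] = None  # service the rule is scoped to, if any
    remote: Optional[str] = None   # remote address or CIDR network, if any


@dataclass
class Connection:
    direction: str
    protocol: str
    port: int
    remote: str
    service: Optional[str] = None  # owning service, None for an interactive program
    authenticated: bool = False    # peer authenticated by IPsec


def matches(rule: Rule, conn: Connection) -> bool:
    """True when every condition the rule specifies fits the connection."""
    if rule.direction not in ("any", conn.direction):
        return False
    if rule.protocol not in ("any", conn.protocol):
        return False
    if rule.port is not None and rule.port != conn.port:
        return False
    if rule.service is not None and rule.service != conn.service:
        return False
    if rule.remote is not None and ip_address(conn.remote) not in ip_network(rule.remote):
        return False
    return True


def evaluate(rules: List[Rule], conn: Connection) -> Tuple[str, str]:
    """Walk the categories in priority order; the first category that yields a
    decision wins, so a lower-priority rule can never undo it."""
    by_kind = {k: [r for r in rules if r.kind == k] for k in PRIORITY}

    # 1. Service restrictions: a restricted service may only do what its
    #    restriction rules name; anything else it attempts is blocked.
    restricted = [r for r in by_kind["service_restriction"]
                  if r.service is not None and r.service == conn.service]
    if restricted and not any(matches(r, conn) for r in restricted):
        return "block", "service restriction"

    # 2. Connection security rules: covered traffic must be IPsec-authenticated.
    for r in by_kind["connection_security"]:
        if matches(r, conn) and not conn.authenticated:
            return "block", "connection security rule (authentication required)"

    # 3. Authenticated bypass: named, authenticated peers skip the block rules.
    for r in by_kind["authenticated_bypass"]:
        if matches(r, conn) and conn.authenticated:
            return "allow", "authenticated bypass"

    # 4. Block rules beat allow rules, whatever order they were created in.
    for r in by_kind["block"]:
        if matches(r, conn):
            return "block", "block rule"

    # 5. Allow rules.
    for r in by_kind["allow"]:
        if matches(r, conn):
            return "allow", "allow rule"

    # 6. Per-direction default behaviour.
    return DEFAULTS[conn.direction], "default for " + conn.direction + "bound"


# Constructed sample policy (service and address values are illustrative).
RULES = [
    Rule("service_restriction", direction="out", protocol="udp", port=53, service="Dnscache"),
    Rule("connection_security", direction="in", remote="10.0.0.0/8"),
    Rule("authenticated_bypass", direction="in", remote="10.1.1.5/32"),
    Rule("block", direction="in", protocol="tcp", port=3389),
    Rule("allow", direction="in", protocol="tcp", port=3389),
    Rule("allow", direction="in", protocol="tcp", port=80),
]

if __name__ == "__main__":
    samples = [
        Connection("in", "tcp", 3389, "192.168.1.20"),                   # block beats allow
        Connection("in", "tcp", 3389, "10.1.1.5", authenticated=True),   # bypass beats block
        Connection("out", "tcp", 80, "192.168.1.1", service="Dnscache"), # service restricted
    ]
    for c in samples:
        print(c.direction, c.protocol, c.port, c.remote, "->", evaluate(RULES, c))
```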

Firewall exceptions are also more flexible, including the ability to filter based on:

  • Active Directory user accounts and groups.
  • Source/destination IP addresses/range.
  • Source/destination TCP/UDP ports.
  • Comma-delimited list of ports.
  • IP protocol number.
  • Interface type.
  • ICMP type and code.
  • Services.

Support is also provided for multiple network profiles:

  • Domain – domain joined and connected to the domain (i.e. able to authenticate).
  • Private – connected to a defined private network (home or work).
  • Public – all other networks.

Network location awareness (NLA) detects networking changes and assigns each connection a GUID, whereby the network profile service (NPS) creates a profile upon connection and notifies the firewall whenever NLA detects a change. Local administrator privileges are required in order to define that a network is private and the computer defines the category when multiple interfaces are in use based on the logic in the accompanying diagram.

Determining network state with multiple interfaces

Windows Firewall group policy processing is also enhanced. Previously, computer policies were applied on operating system boot and user policies at logon, with a periodic refresh. Windows Vista extends this to apply computer and user policies when establishing a VPN connection or when resuming from hibernation/standby. Of course, firewall policies are set at the computer level, although they can be further restricted with per-user settings as previously described.

Windows Vista enhanced IPsec capabilities are integrated with the Windows Firewall, eliminating confusion with overlapping rules and allowing firewall rules to be IPsec-aware. IPsec configuration has been simplified in Windows Vista but it is still a complex subject, worthy of a separate post; however there are a couple of points worth noting:

  • Authentication Header (AH) traffic is not compatible with network address translation (NAT), as it cannot pass through a NAT device (the address rewriting breaks AH's integrity check over the IP header) – an alternative is to use Encapsulating Security Payload (ESP) with null (0-bit) encryption to effectively provide the same function.
  • Shared secrets are stored as plain text in the registry so should not be used in production scenarios – certificates or Kerberos should be used instead for authentication.

In summary, Microsoft has made significant improvements to the Windows Firewall in Vista and anyone who is not using a third party product (and I would question the need for the use of third party firewalls in Vista) should turn it on right away, otherwise they are asking for trouble.

Who needs an iPhone?

I just read about the HTC Touch and, whilst I haven’t seen one in the flesh, my existing phone is out of contract in a month or so and I do have to say I’m seriously tempted.

This is what the BBC had to say about the device:

As far as I can see, for UK users, the HTC Touch has at least two advantages over an iPhone:

  1. It’s available here, now.
  2. It’s about 40% less expensive than the iPhone is predicted to be, without a contract (and just over £50 with a £30 monthly contract on Vodafone).

Of course, it also runs Windows Mobile and lacks the Apple wow factor but I can live without an iPhone. For those who just don’t fancy the idea of running Windows on their phone – there is the Symbian-based Nokia N95, which includes a 5MP camera on its spec-sheet.

Virtualisation on the Mac with Parallels Desktop

A few weeks back, I wrote about creating a media PC using Windows Vista and an Apple Mac Mini. Unfortunately, it’s going to take me a while to save up and replace the Mac as my primary home computer and so it’s not quite ready to start life as a living room PC. Also, rebooting to switch between Windows Vista and Mac OS X very quickly became tiresome, so I decided to see if I could use the highly-regarded SWsoft Parallels Desktop for Mac to run Windows Media Center from my Boot Camp partition as a virtual machine under OS X.

After downloading a trial version of Parallels Desktop, I attempted to load my Boot Camp partition within the virtual environment; however it refused to play ball:

Unable to open disk image Boot Camp

I tried the fix which seems to be advocated by many on the support forums – i.e. appending the identifier for my Boot Camp partition to the appropriate line in the virtual machine configuration file (e.g. Disk 0:0 image = Boot Camp;disk0s3) but that just changed the error message to:

Unable to open disk image Boot Camp;disk0s3

Looking on the Parallels website, it seems that running Vista under Parallels Desktop from a Boot Camp partition is not yet supported:

Can I create a Parallels virtual machine with a Windows Vista operating system from a Boot Camp partition?
Parallels is currently compatible with Boot Camp partitions running Windows XP. Development is underway to support Vista partitions. However, you can run your licensed version of Windows Vista in Coherence mode, which enables you to run your guest operating system without having to manage two desktops.

Parallels Desktop for Mac FAQ

More worryingly, I was experiencing many spinning beachballs of death, resulting in force quitting Parallels and an unstable system, so I guess I’ll write that functionality off until the next version is released.

Changing tack, I decided to ignore the Boot Camp image and re-install Windows Vista inside a virtual machine. This is where Parallels Desktop redeemed itself, with near-native performance, no sign of any instability, and operating in a similar manner to the Microsoft and VMware virtualisation products with which I am more familiar (i.e. install the guest operating system, then install a tools package to provide improved device support). In addition to the various unsigned drivers (tut tut), there was one slightly-worrying feature – the Realtek 8029 network card that Parallels emulates is not supported under Vista, which could lead to issues later – even so, I very quickly had a Vista desktop running on the Mac; albeit with the standard graphics (i.e. no 3D effects). This is when I began to look at the killer feature in Parallels Desktop for Mac – coherence mode, whereby the Windows applications appear to be running natively on the OS X desktop:

Parallels Desktop for Mac presenting Windows Vista applications alongside native Mac OS X Tiger applications

Coherence is amazing – it really does have to be seen to be believed (Windows applications even appear when cycling between applications in OS X using command+tab). In fact, the whole application seems to be well-executed, with a widget-style 3D flip between configuration and the running virtual machine and all the features that would be expected of a desktop virtualisation product today as well as tools for P2V conversion (Parallels Transporter) and for manipulating disk images (Parallels Image Tool).

Another useful feature is the approach to sharing files – Parallels can provide Windows with access to my Mac OS X home folder (or any other folders that I define), alternatively I can simply copy files from Mac OS X to the Windows desktop. For anyone who is worried about the security implications of this, Parallels Desktop for Mac also includes Kaspersky Internet Security 6.0 (although to install this, I needed to specify that I wanted to run kisstart.exe as administrator).

Parallels Desktop has a simple approach to USB device management – simply select the devices which will be made visible to the guest virtual machine from the device menu. I enabled the TV tuner and remote receiver that I’d bought for Windows Media Center and installed the drivers, then set up Windows Media Center to receive live TV and… nothing except an error message to say:

VIDEO ERROR

Files needed to display video are not installed or not working correctly. Please restart Windows Media Center or restart the computer.

It turns out that Windows Vista Media Center requires 64MB of onboard graphics memory and the Parallels video driver will only provide up to 32MB. Without any TV, that was effectively the end of that experiment, but it had been a good chance to have a look at Parallels Desktop for Mac.

So, what about the alternatives? When I looked at the VMware Fusion beta, it was more like VMware Workstation for Mac and lacked anything as impressive as coherence. My main reason for installing Fusion was to have virtual machine portability between platforms and that didn’t work out for me, resulting in disk driver issues and blue screens of death – I ran out of time for resolving these problems but it should be noted that Fusion is still a beta product (I haven’t tried the latest version). Parallels Desktop could be the way forward for me to run Windows applications on the Mac but I think I’ll be holding back until there is a version which properly supports Boot Camp and Vista. I’ll be watching to see what VMware does with Fusion and how SWsoft reacts – this could be an interesting year for virtualisation on the Mac.

How Windows XP’s System Restore feature gave me back part of my weekend

My father-in-law’s PC has gone screwy again. Sometimes it just happens.  He doesn’t deliberately make configuration changes, although he did recently buy a new digital camera and the installation CD added a lot of third party software that I would have managed without.  I would consider him to be a “normal” Windows user: he uses the PC for Internet (web) access, e-mail, the odd letter, home finances, some family history research and digital photography; he also pays for a McAfee subscription which should keep him safe from some of the badness out there on the ‘net – except that, a couple of nights back, McAfee updated itself and since then something has been “wrong” with the PC.

Actually, I don’t think I’ve ever seen a PC with a networking stack that was so badly “wrong”. Not having been there when the McAfee update took place, I don’t know what messages it displayed but from looking at the event log after a very slow boot, the DHCP client service shut down because “a system call that should never fail has failed”. Then, after a few minutes of waiting, various services failed because of missing dependencies (including, critically for Internet access using his ADSL modem, the Remote Access Connection Manager service). Removing all McAfee software didn’t help. Neither did restoring the IP stack to its default state with netsh int ip reset (see Microsoft knowledge base article 299357).

It was one of his friends that suggested the answer – what about System Restore?  I’d never previously used this feature in Windows XP but it was a godsend.  I restored the system to the state it had been in before the McAfee update and rebooted (see Microsoft knowledge base article 306084).  The boot up sequence was back to normal, the Internet connection was working again and all I needed to do was remove and reinstall the McAfee software.  Which meant that I did get to spend at least part of my Sunday afternoon in the park with my wife and kids.  Result.

BT Openzone may not work with Linux-based Intel Centrino systems

It’s Saturday afternoon, the sun is shining, and I’m in my den, blogging. Which makes me a bit of a saddo.

Actually, I’m just posting items that I wrote in my hotel a couple of nights back… and I’ll soon get back to doing something more wholesome with my weekend. You see, normally I like to stay at Hilton hotels because:

  • In my experience, the rooms are comfortable, with a contemporary décor.
  • The staff deliver great customer service (something that is increasingly rare to find in the UK).
  • I can get a reliable high-speed Internet connection in my room.

Sure, the iBahn Internet connection is pretty expensive (£15 for 24 hours) but if I’m working late into the evening for nothing more than the price of a broadband connection, then I figure that the company is getting value for money. In fact, it’s not unusual for me to work at the hotel the next morning too, because the connection is faster than the one I use at work!

Unfortunately, last Thursday night, the Internet connection in my room wasn’t working, so I tried the BT Openzone hotspot instead. After repeatedly trying to connect, I eventually got a connection but lost it before I even had the chance to pay. Eventually, I gave up, figuring that there must be something up with my Wi-Fi stack. Later, I googled “BT Openzone Linux” and found that:

“Some hotspots may not support Linux-based Intel Centrino mobile technology systems”

[buried deep within a BT press release]

Thanks (for nothing) BT. IEEE 802.11b/g access shouldn’t care about my choice of operating system!

Group policy in Windows Vista

Windows Vista makes a number of changes to the implementation and management of group policy objects (GPOs) and, as group policy is something that I haven’t worked with for a while, I figured it was time to take another look. A week or so back, I spent the morning at Microsoft, where Steve Lamb presented a session on using Group Policy in Windows Vista to control user behaviour and network security.

Policy has existed in various versions of Windows for a long time but group policy was introduced in Windows 2000 (enforced by Active Directory) and many group policy settings are also available as local computer policies (used when a machine is not authenticated by an Active Directory domain controller). Each new version of Windows brings more control over what can be managed using policies and Windows Vista is no exception, with a significant increase in the available options (Microsoft quotes various figures but they all indicate at least 2000 new settings). The new areas covered include removable device management, power management and user account control. There are also new management tools: the group policy management console (GPMC) is now included with Windows (previously, it was a separate download) and the group policy editor (gpedit.exe) now supports filtering of administrative template policy settings via a context-sensitive option on the view menu to show, for example, only those settings that apply to at least Windows XP Professional with SP2.

Windows Vista also makes improvements to policy control around network awareness, detecting changes in network conditions (e.g. connecting to a new network) and enforcing new policy settings accordingly. There are also improvements to the application of policy (with fewer requirements for synchronous application of policy).

It’s important to note the difference between a policy – stored in a subfolder (machine or user) on the domain controller under %systemroot%\sysvol\sysvol\domainname\policies\guid\ – and policy definition files – stored at the same location but simply defining the available settings.

Although Windows Vista will still act on legacy (.adm) policy definition files, policy definitions created under Windows Vista use a new XML-based file format with an .admx extension. Furthermore, Windows Vista group policy uses separate .adml files to provide the language-specific textual components of each policy.

When editing policy on a Windows Vista computer, the policy definition files are stored at %systemroot%\policydefinitions\ with one .admx file for each area of control and associated .adml files in each language subfolder (e.g. en-us).

These can be copied to the central store (really just a grand name for the policies folder that is replicated as part of sysvol) in order to make them available for administration from multiple locations. Central store copies of policy definitions will then take precedence over local copies (but legacy clients will be unaffected by the new settings).
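As an added illustration of the .admx/.adml split and the central store precedence just described (this is not Microsoft's code, and the fragments are constructed, minimal versions of the real schema with the XML namespace omitted), this Python example lays out one definition file with its en-US strings in both a local PolicyDefinitions folder and a central-store folder, picks the central store when it exists, and resolves the $(string.X) references; the policy name, registry key and folder layout are made up.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List, Optional

# Constructed, minimal ADMX: the setting definition, with display text held
# only as $(string.X) references into the language-specific ADML file.
ADMX = """<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="ExampleFirewall" class="Machine"
            displayName="$(string.ExampleFirewall)"
            explainText="$(string.ExampleFirewall_Help)"
            key="Software\\Policies\\Example\\Firewall" valueName="Enabled">
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
"""


def adml(origin: str) -> str:
    """Constructed ADML string table; 'origin' marks which copy was loaded."""
    return f"""<policyDefinitionResources revision="1.0" schemaVersion="1.0">
  <resources><stringTable>
    <string id="ExampleFirewall">Example firewall policy ({origin})</string>
    <string id="ExampleFirewall_Help">Turns the Windows Firewall on.</string>
  </stringTable></resources>
</policyDefinitionResources>
"""


def write_definitions(root: Path, origin: str, language: str = "en-US") -> None:
    """Lay out one .admx plus its .adml in the language subfolder."""
    (root / language).mkdir(parents=True, exist_ok=True)
    (root / "Example.admx").write_text(ADMX)
    (root / language / "Example.adml").write_text(adml(origin))


def select_store(local: Path, central: Optional[Path]) -> Path:
    """The central store (PolicyDefinitions under sysvol) wins when present."""
    if central is not None and central.is_dir():
        return central
    return local


STRING_REF = re.compile(r"\$\(string\.([A-Za-z0-9_]+)\)")


def load_policies(store: Path, language: str = "en-US") -> List[dict]:
    """Parse every .admx in the store and resolve its $(string.X) references
    from the matching .adml in the language subfolder."""
    policies = []
    for admx_path in sorted(store.glob("*.admx")):
        adml_path = store / language / (admx_path.stem + ".adml")
        strings = {s.get("id"): (s.text or "")
                   for s in ET.parse(adml_path).getroot().iter("string")}

        def resolve(text: Optional[str]) -> str:
            # Unknown ids are left as-is, which is how a missing ADML shows up.
            return STRING_REF.sub(lambda m: strings.get(m.group(1), m.group(0)), text or "")

        for pol in ET.parse(admx_path).getroot().iter("policy"):
            policies.append({
                "name": pol.get("name"),
                "class": pol.get("class"),
                "displayName": resolve(pol.get("displayName")),
                "explainText": resolve(pol.get("explainText")),
                "key": pol.get("key"),
                "valueName": pol.get("valueName"),
                "source": str(store),
            })
    return policies


def demo(use_central: bool = True) -> dict:
    """Build a local copy and, optionally, a central-store copy in a temporary
    tree (standing in for %systemroot% and sysvol), then resolve the policy."""
    with tempfile.TemporaryDirectory() as tmp:
        local = Path(tmp) / "Windows" / "PolicyDefinitions"
        central = Path(tmp) / "sysvol" / "Policies" / "PolicyDefinitions"
        write_definitions(local, "local copy")
        if use_central:
            write_definitions(central, "central store")
        return load_policies(select_store(local, central))[0]
```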

Although legacy clients will simply ignore policy settings that they do not understand, Microsoft recommends that once Windows Vista policies are implemented, then no further policy edits should be made from pre-Vista computers. The reasoning for this is that even opening the policy definition on a pre-Vista computer will cause the legacy .adm files to be created on the sysvol and this leads to a phenomenon known as sysvol bloat. By using only Windows Vista clients for group policy management, this bloat can be avoided. It’s also worth noting that GPO reporting should be performed within the Windows Vista version of the GPMC (rather than using the resultant set of policy MMC snap-in) and that new policy backups should be taken using the Windows Vista GPMC to avoid issues when restoring policy backups taken from GPMC running on Windows XP/Server 2003. Further details for managing group policy administrative template (.adm) files can be found in Microsoft knowledge base article 816662.

For bringing forward settings from legacy (.adm) policy templates, Microsoft has licensed the ADMX Migrator utility (from Full Armor).

Another new feature with Windows Vista group policy is the ability to define multiple local policies (administrator, non-administrator and per-user) and even to disable local policy altogether on domain-joined computers. Whilst the local computer policy remains (and is created by default), further local policies may be created using the group policy editor. This is useful for computers over which some control is required but which fall outside the scope of management for Active Directory (e.g. kiosks or computers deployed in a DMZ).

Troubleshooting group policy is aided with Windows Vista’s improved event logging (with more useful events and links to support information on the Internet) as well as the ability to view events in friendly (human-readable) format or XML (for analysis/processing). The new event viewer also supports the ability to create subscriptions. Actions can also be associated with events (e.g. send an e-mail, or execute a script).

Filters can be used to view just group policy events and by drilling down into the appropriate logfile, an activity ID can be extracted from a failure event to further filter events, or to view with the group policy log view (gplogview.exe) – another free download from Microsoft. This allows for step-by-step group policy processing to identify the failure point and any error codes, after which changes can be made and gpupdate.exe used to apply the new settings for re-analysis.

For enterprise customers, Microsoft has a new tool for advanced group policy management – GPOVault is part of the desktop optimisation pack for software assurance (DOPSA), gained as part of Microsoft’s acquisition of DesktopStandard.

Working around UAC

There’s been a lot written about Windows Vista’s user account control (UAC) and personally I can’t see what the criticism is about (Mac OS X and Linux both have similar mechanisms, although the implementation is slightly different); however it was interesting to hear Steve Lamb mention at a recent event that commands launched from a command shell (cmd.exe) running as administrator will not invoke UAC.

Of course it goes without saying that, just as when running a root shell in Linux, the use of such sessions should be limited and I’ve written previously about how the shortcut to run cmd.exe as an administrator can be modified to make it very obvious that elevated permissions are in use.

Steve also pointed out that, if developers wrote less code that requires privileged execution, then UAC would not appear so frequently. Although UAC behaviour can be modified in group policy, it is not recommended.

Configuring wireless Ethernet with Red Hat Enterprise Linux 5

Even Linux advocates admit that Linux is not as user-friendly as it should be when it comes to mobile networking:

“Networking on Linux right now is painful for the mobile desktop user, especially in comparison to other operating systems. A laptop user should never need to use the command line or configuration files to manage their network; it should ‘Just Work’ as automatically as possible and intrude as little as possible into the user’s workflow.”

GNOME NetworkManager project website

Oh how true!

A couple of nights back, I was staying at a hotel which only offered Wi-Fi connectivity for guest Internet access. That’s all very well if you have Wi-Fi configured on your laptop but, since rebuilding on Red Hat Enterprise Linux (RHEL) 5 last week, I haven’t got around to setting up the Intel PRO Wireless 2200BG adapter in my notebook. It turns out that it is pretty straightforward, once you have worked out what to do.

I recently wrote about configuring wireless Ethernet with Fedora Core 5 (using the same computer). After a long-winded effort, installing updated drivers, kernel modules and firmware, I finally got it working but only on one network and not with the NetworkManager applet. Then, I found out that the drivers are included in the kernel by default – all that is required is the correct firmware.

As it happens, the same is true for RHEL (lsmod | grep ipw2200 told me that ipw2200 and ieee80211 were both present in the kernel) and Jeff at nethub.org suggests (for CentOS, which is basically a rebadged version of RHEL):

“…download the firmware from the Intel Pro/Wireless 2200BG SourceForge project

[…]

After downloading the file, type in the following commands as root:

tar -zxf ipw2200-fw-2.0.tgz
mv *.fw /lib/firmware/
rmmod ipw2200

Then, wait a few seconds, and type:

modprobe ipw2200

It’s actually even easier than that – the RHEL supplementary CD includes an RPM for the appropriate firmware (so why it’s not installed by default I don’t know) and, after installing the package and running modprobe ipw2200, eth1 became visible in my computer. Running service NetworkManager start and service NetworkManagerDispatcher start launched the NetworkManager applet too; although to make the change permanent, I used chkconfig NetworkManager on and chkconfig NetworkManagerDispatcher on. I also found that a reboot was required before all the wireless network components got themselves in order.

Following this, it was a case of selecting the appropriate SSID from the NetworkManager icon, and supplying the appropriate security details when prompted.

Network Manager - security

Following that, a connection was established (and NetworkManager even activates/deactivates the wired network connection as appropriate).

Network Manager - connected

It seems that getting wireless in Linux is becoming easier but it’s still not as simple as it should be. NetworkManager helps (a lot) but if the leading Linux distribution had automatically detected my industry-standard hardware (as Novell SUSE Linux Enterprise did… and as Windows did), it would have been a whole lot easier.

Windows Vista and ATI display drivers

My IBM T40 is not an old PC. Well, it may be three years old but it’s still a perfectly capable machine. One of its great features is the S-Video display output – perfect for watching films from the computer on a TV – at least it would be if I could get it to work under Windows Vista.

The trouble is that the T40 has an ATI Mobility Radeon 7500 graphics chipset. The Windows Vista setup routine had installed the standard VGA graphics adapter driver (v6.0.6000.16386) but there is no supported Windows Vista driver for this chipset. I could rant on about how this lack of device support is a terrible way for ATI to treat customers and how it’s not as if I have any option to upgrade the graphics in a notebook PC but that won’t get me anywhere (and my blood pressure is already high enough). Nor will it sell me another PC, which is what hardware manufacturers really want, rather than developing modern drivers for old products. Instead, I spent far too much time today trying to get it working:

  • I found a forum post that suggested the Windows XP drivers would work (at least on pre-release versions of Vista) so I downloaded the latest available drivers from the IBM website, extracted them to a folder on my hard disk and let Windows Vista look there for updated drivers. After a successful installation (v6.14.10.6547) Windows reported the correct adapter type and provided support for multiple displays. So I was half way to my goal but without ATI-specific device options to enable advanced features (like the S-Video connection).
  • Next, I tried running the full installer for the XP drivers and all the associated bloat but all I got was a blue screen of death (ati3duag.dll PAGE_FAULT_IN_NON_PAGED_AREA)… not a good result.
  • So I downloaded and installed the latest version (v7.5) of the ATI Catalyst Control Center (CCC) – except that it ignored my graphics adapter completely and just gave me some Catalyst Install Manager (CIM) links for updating/uninstalling CCC. At one stage, I was even dumped back to 4-bit 640×480 graphics and had to roll back my driver to the standard VGA before reinstalling the XP driver that had previously been working in Vista.
  • I tried running individual installers from within the extracted CCC package (e.g. ccc-graphics-full-existing.msi) and something happened to make a desktop right-click option for ATI CATALYST(R) Control Center appear (I hate excessive capitalisation in menu items!) but CCC still doesn’t load, so I guess it doesn’t like the XP display driver.
  • After reading Koroush Ghazi’s ATI Catalyst Tweak Guide, I tried Ray Adams’ ATI Tray Tools but these just produced memory errors on Vista, even when run as Administrator.
  • Finally, I went back to my extracted driver package and ran the ATI Control Panel (v8.133.2.1.1-061116a0949984C) setup (from the CPANEL folder, rather than the top level CIM installer). Even though Vista informed me that “this program has known compatibility issues” and that “ATI Control Panel is incompatible with this version of Windows”, it gave me access to all the advanced display settings but I couldn’t get it to recognise that the TV was connected.

ATI Control Panel

Now it’s the end of the day and I’m giving up. I guess I’ll have to go back to XP to use my TV-out (or watch videos on the laptop display). Grrr.

File name limitations when accessing Windows file shares from a Mac

Earlier this afternoon, one of my friends got in touch with “a quick tech question” (it had to be quick as his method of communication was SMS text message):

“…We have a brand new, state of the art pre-press system which, for some reason, is running Windows 2000. It seems that this OS cannot handle file names longer than 27 chars…”

I was sure that this would be an integration issue rather than an operating system restriction as I’ve never come across any such limitation with a Windows NT-based Windows system (leaving aside the question as to why a state of the art device would use an old and unsupported operating system) – besides which, I was in no mood to give an office full of professional Mac users an excuse to bash Microsoft!

After a very short time spent googling, I found a newsgroup post which explains the issue. It seems that Apple filing protocol (AFP) 2.2, used by Windows Services for Macintosh, has a 31-character limit (presumably 4 of those characters are used by the driveletter:\ portion of the filename and another one somewhere else leaving 27 visible characters). AFP 3.x has no such limitation but, as all modern Macs can use SMB to communicate natively with Windows servers, there seems little point in using Services for Macintosh these days. Looking at the Wikipedia article on AFP, there may also be restrictions on file sizes with AFP and certain client-server combinations.