Re: SP4 and Group Policies - ICMP link speed detection, and an ICMP easter egg.
From: Ben Ryan (ben_at_BSSC.EDU.AU)
Date: 12/10/03
Date: Thu, 11 Dec 2003 07:06:26 +1100
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> But, now that I know what is wrong, I still don't know why earlier
> versions of W2K work without ICMP, and later versions do. I know that
> GPOs are supposed to use ICMP, and yet without it, they still worked
> with earlier versions of W2K, not later ones tho.
> I want to thank all who responded to my post. There is something
> different about SP4 and several gave me a hint of what the problem was
> (we do not use Cross Domain Logins, but the fact that SP4 broke it led
> me to the successful conclusion).
Not the first to have tripped across this when using a WAN connection with an
overzealous ACL set. As discovered, ICMP is used for the Slow Link Detection option in System
Policies. AFAIK it's been there since NT40.
As to the SP4 part, in the refs I have noted below it's interesting that most of these articles were published or
modified in the latter part of SP4's release cycle...
A funny aside is the part where the ICMP payload of that link speed check is 2000-odd bytes.
[The JFIF part looks familiar..] The data portion of that ICMP is byte code for an
image in JPG format.
lol, dump the bytes to a file and open it in an image viewer :)
For interest's sake I've linked to a saved copy of these bytes:
http://thrasher.impulse.net.au/images/msgpo.jpg
Funny stuff. This byte code btw, is pulled from userenv.dll (User environment init).
In this dll, below the image bytecode lies the prompt:
"Windows detected a slow network connection. Would you like to download your
profile or use the locally stored copy?"
The interesting part of this whole saga is, why only SP4?
cheers
--
Refs:
* KB:227260 [How a Slow Link Is Detected for Processing User Profiles and Group Policy]
* KB:816045 [A Fast Link May Be Detected as a Slow Link Because of Network ICMP Policies]
* Perhaps regarding changes in SP4, KB:328991 [Script Policy Is Not Run When a Slow Link Is Detected]
* RTFM: "DO NOT TURN OFF ICMP" (Win2k3 Deployment Guide) http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dmebb_gpu_zozl.asp

________.-~-.________
Ben Ryan
Network Engineer
Forrest Computing
Bendigo, Victoria, Australia
Phone +61-[0]417 502061
email: ben@bssc.edu.au
URL: http://thrasher.impulse.net.au/index.htm
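
Added example, not part of the original post: a Python check that recognises a reassembled ICMP echo request carrying JFIF image data, as the message describes for the slow link detection payload, and carves the image bytes out for inspection. It assumes the payload contains a JPEG with a standard JFIF APP0 header; the helper names and the sample packet are constructed for this example.

```python
import struct

JFIF_MAGIC = b"\xff\xd8\xff\xe0"   # JPEG SOI marker followed by the APP0 marker
ICMP_ECHO_REQUEST = 8

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def carve_jfif(icmp: bytes):
    """Return JPEG bytes embedded in a reassembled ICMP echo request, or None."""
    if len(icmp) < 8:
        return None
    icmp_type, code, _csum, _ident, _seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_ECHO_REQUEST or code != 0:
        return None
    if inet_checksum(icmp) != 0:      # a valid message checksums to zero
        return None
    payload = icmp[8:]
    start = payload.find(JFIF_MAGIC)
    # APP0 layout: marker (2 bytes), length (2 bytes), then the identifier "JFIF\0"
    if start < 0 or payload[start + 6:start + 11] != b"JFIF\x00":
        return None
    end = payload.find(b"\xff\xd9", start)   # first EOI marker; absent if truncated
    return payload[start:end + 2] if end >= 0 else payload[start:]

def build_echo(payload: bytes, ident: int = 0x0200, seq: int = 1) -> bytes:
    """Build an ICMP echo request with a correct checksum (test helper)."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload

# Constructed stand-in payload: minimal JFIF header, filler bytes, EOI marker.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\x11" * 64 + b"\xff\xd9")
SAMPLE_PACKET = build_echo(SAMPLE_JPEG + b"\x00" * 16)   # trailing padding after image

if __name__ == "__main__":
    image = carve_jfif(SAMPLE_PACKET)
    print("JFIF payload found" if image else "no JFIF payload",
          len(image) if image else 0, "bytes")
```

The same signature test is useful when reviewing a capture or writing a WAN ACL exception, since it distinguishes these large echo requests from ordinary pings.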