was - RE: Access to well-known ports on Win2K -now [IPSec - Default behavior]

From: Fred Williams (A20FBW1@wpo.cso.niu.edu)
Date: 11/05/02


Date: Tue, 05 Nov 2002 12:28:34 -0600
From: "Fred Williams" <A20FBW1@wpo.cso.niu.edu>
To: <focus-ms@securityfocus.com>, <security-basics@securityfocus.com>

Hello,

As long as you're discussing IPSec filters, please permit this bit of
"thread drift"...
Most of you know this already, but there are always new readers, or
perhaps those new to Win2K IPSec policies...

According to the article:
Traffic That Can--and Cannot--Be Secured by IPSec
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q253169

All traffic from any IP port 88 is ASSUMED to be Kerberos traffic and
hence is exempt from all IPSec filters. So even if you implement a "block
all" IPSec policy, ANYONE can still port scan your computer by binding
their scanner to their local port 88 and targeting your computer.

According to this article:
IPSec Does Not Secure Kerberos Traffic Between Domain Controllers
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q254728&

A registry setting was added in Win2K SP1 to support disabling this
"feature":
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC
REG_DWORD: NoDefaultExempt
Value: 1

I wrote a quick VBScript to set this key on all computers in an
Active Directory OU. If anyone is interested in the script, just email me
directly. Note that the IPSec Policy Agent needs to be restarted for the
change to take effect... this can be scripted as well...
Hope someone finds this helpful.

Thanks
Fred
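The procedure Fred describes (set NoDefaultExempt=1 on every computer in an AD OU, then restart the IPSEC Policy Agent) as an added PowerShell example. This is not Fred's VBScript and not Microsoft code; it assumes Windows PowerShell on a domain-joined admin workstation, that the Remote Registry service and RPC are reachable on each target, and that the OU distinguished name is replaced with your own (the DN below is a placeholder). The registry path and value are the ones quoted from KB 254728 in the post; the service name PolicyAgent is the IPSEC Policy Agent's service name.

```powershell
# Added example (not the script from the post): push NoDefaultExempt=1 to every
# computer in an AD OU via the Remote Registry service, then bounce the IPSEC
# Policy Agent (service name PolicyAgent) so the change takes effect.
# Assumptions: Windows PowerShell on a domain-joined admin box; Remote Registry
# and RPC reachable on targets; the OU DN below is a placeholder to replace.
param(
    [string]$OU = 'OU=Workstations,DC=example,DC=com',   # placeholder DN (assumption)
    [int]$NoDefaultExempt = 1                             # value from KB 254728
)

$ipsecKeyPath = 'SYSTEM\CurrentControlSet\Services\IPSEC'   # key from KB 254728

function Get-OUComputers([string]$OUPath) {
    # Enumerate computer objects under the OU with ADSI (no AD module required)
    $searcher = [adsisearcher]'(objectCategory=computer)'
    $searcher.SearchRoot = [adsi]"LDAP://$OUPath"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    foreach ($result in $searcher.FindAll()) {
        $result.Properties['dnshostname'][0]
    }
}

function Set-NoDefaultExempt([string]$Computer, [int]$Value) {
    # Open HKLM on the remote machine (needs Remote Registry + admin rights)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey($ipsecKeyPath, $true)
        if ($null -eq $key) { throw "IPSEC service key not found on $Computer" }
        $key.SetValue('NoDefaultExempt', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $readBack = $key.GetValue('NoDefaultExempt')   # verify the write landed
        $key.Close()
        return ($readBack -eq $Value)
    } finally {
        $hklm.Close()
    }
}

function Restart-PolicyAgent([string]$Computer) {
    # The value is only picked up when the policy agent starts, so stop/start it via WMI
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $Computer -Filter "Name='PolicyAgent'"
    if ($null -eq $svc) { throw "PolicyAgent service not found on $Computer" }
    if ($svc.State -eq 'Running') {
        [void]$svc.StopService()
        # Poll until the SCM reports the service stopped (max ~30 s)
        $deadline = (Get-Date).AddSeconds(30)
        do {
            Start-Sleep -Seconds 1
            $svc = Get-WmiObject -Class Win32_Service -ComputerName $Computer -Filter "Name='PolicyAgent'"
        } while ($svc.State -ne 'Stopped' -and (Get-Date) -lt $deadline)
    }
    $rc = $svc.StartService().ReturnValue
    return ($rc -eq 0)    # Win32_Service method return value 0 = success
}

foreach ($computer in Get-OUComputers $OU) {
    try {
        if (-not (Set-NoDefaultExempt $computer $NoDefaultExempt)) {
            Write-Warning "$computer : value did not read back as $NoDefaultExempt"
            continue
        }
        if (Restart-PolicyAgent $computer) {
            Write-Host "$computer : NoDefaultExempt=$NoDefaultExempt set, PolicyAgent restarted"
        } else {
            Write-Warning "$computer : registry set but PolicyAgent restart failed"
        }
    } catch {
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}
```

Run it as `.\Set-NoDefaultExempt.ps1 -OU 'OU=...,DC=...'` from an account that is a local administrator on the targets. To confirm the fix does what the post says, scan a "block all" host from a second machine with the scanner bound to source port 88 (for example `nmap -sS -g 88 -p 1-1024 <target>`) before and after: before the change, ports answer despite the policy; afterwards the same scan should show them filtered. Two caveats a practitioner should keep in mind: restarting PolicyAgent briefly drops the host's IPSec filters while the service is down, so do this in a maintenance window on exposed hosts; and, per KB 253169, a value of 1 on Windows 2000 removes only the Kerberos and RSVP exemptions, so IKE (UDP 500) and broadcast/multicast traffic still bypass the filters.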


