Re: XP-SP2 "Feature"

• Previous message: yaakov yehudi: "RE: Windows/Exchange security auditing tool"
• In reply to: Jordan Wiseman: "XP-SP2 "Feature""
• Next in thread: George Sibble: "RE: XP-SP2 "Feature""
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "Jordan Wiseman" <Jordan_Wiseman@Valleymed.org>, <focus-ms@securityfocus.com>
Date: Thu, 2 Sep 2004 12:30:52 -0700

Several options:

1) If you are worried about ICF, then just leave FS disabled on the
interface/connection that goes to the internet, which should be done anyway.

2) If the home user is the concern, then they could always disable 445, and
use standard nb, in which case ICMP is not required. But again, it should
never be enabled on the ICF interface anyway.

3) Non-local connections (for those who would use dialup or something) can
be individually configured to deny ICMP (but of course, you wouldn't have fs
on that inf anyway.)

4) IPSec is an option as you said, and so is TCP/IP filtering at the
interface level by allowing specific protocols like 6 TCP and 17 UDP (and
whatever else you need, but don't use 1 ICMP)

hth

t

----- Original Message -----
From: "Jordan Wiseman" <Jordan_Wiseman@Valleymed.org>
To: <focus-ms@securityfocus.com>
Sent: Thursday, September 02, 2004 9:08 AM
Subject: XP-SP2 "Feature"

Hey everyone,

I was configuring the Windows Firewall on an XP-SP2 box and noticed
something "funny". When I enabled the "File and Print Sharing"
exception (only port 445 actually) for my local subnet, the "Allow
Incoming ICMP Echo Request" GLOBAL setting was forced on. The
configuration dialog cheerfully explains that when port 445 is enabled,
so is incoming pings. In fact, the setting is grayed out so you can't
disable it!

I submitted a "comment/support" request to MS about SP2 to see what they
had to say and got "it is enabled for the convenience of the
Administrator"?!? It would seem to me that if this were true, it [being
forced to allow pings] would only apply if the machine were a domain
member....this one is not. Even if a domain admin wanted to enable
ping, they could configure this via policy. An admin would more than
likely have better ways to troubleshoot the box anyway.

The real uncomfortable thing here is for home users. Imagine someone
with a small network at home, enabling file and print sharing for their
local subnet and having the same machine (which could <shudder> be a
gateway using ICS) to smile and enable the machine to show up in ping
sweeps. The scope of the ICMP settings can not be limited like it can
with the exceptions list. To secure this, you would have to use IPSec
filters possibly...not many home users could easily configure that.

Anyway, has anyone else run into this? Anyone tried to see if it could
be corrected with a GPO?

Jordan

DISCLAIMER:
This message is confidential, intended only for the named recipient(s)
and may contain information that is privileged or exempt from disclosure
under applicable law. If you are not the intended recipient(s), you are
notified that the dissemination, distribution or copying of this
information is strictly prohibited. If you received this message in
error, please notify the sender then delete this message.

---------------------------------------------------------------------------
---------------------------------------------------------------------------

---------------------------------------------------------------------------
---------------------------------------------------------------------------

• Previous message: yaakov yehudi: "RE: Windows/Exchange security auditing tool"
• In reply to: Jordan Wiseman: "XP-SP2 "Feature""
• Next in thread: George Sibble: "RE: XP-SP2 "Feature""
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]