Re: XP-SP2 "Feature"

From: Thor (thor_at_hammerofgod.com)
Date: 09/02/04

    To: "Jordan Wiseman" <Jordan_Wiseman@Valleymed.org>, <focus-ms@securityfocus.com>
    Date: Thu, 2 Sep 2004 12:30:52 -0700
    
    

    Several options:

    1) If you are worried about ICF, then just leave FS disabled on the
    interface/connection that goes to the internet, which should be done anyway.

    2) If the home user is the concern, then they could always disable 445, and
    use standard nb, in which case ICMP is not required. But again, it should
    never be enabled on the ICF interface anyway.

    3) Non-local connections (for those who would use dialup or something) can
    be individually configured to deny ICMP (but of course, you wouldn't have fs
    on that inf anyway.)

    4) IPSec is an option as you said, and so is TCP/IP filtering at the
    interface level by allowing specific protocols like 6 TCP and 17 UDP (and
    whatever else you need, but don't use 1 ICMP)

    hth

    t

    ----- Original Message -----
    From: "Jordan Wiseman" <Jordan_Wiseman@Valleymed.org>
    To: <focus-ms@securityfocus.com>
    Sent: Thursday, September 02, 2004 9:08 AM
    Subject: XP-SP2 "Feature"

    Hey everyone,

    I was configuring the Windows Firewall on an XP-SP2 box and noticed
    something "funny". When I enabled the "File and Print Sharing"
    exception (only port 445 actually) for my local subnet, the "Allow
    Incoming ICMP Echo Request" GLOBAL setting was forced on. The
    configuration dialog cheerfully explains that when port 445 is enabled,
    so are incoming pings. In fact, the setting is grayed out so you can't
    disable it!

    I submitted a "comment/support" request to MS about SP2 to see what they
    had to say and got "it is enabled for the convenience of the
    Administrator"?!? It would seem to me that if this were true, it [being
    forced to allow pings] would only apply if the machine were a domain
    member... this one is not. Even if a domain admin wanted to enable
    ping, they could configure this via policy. An admin would more than
    likely have better ways to troubleshoot the box anyway.

    The really uncomfortable thing here is for home users. Imagine someone
    with a small network at home, enabling file and print sharing for their
    local subnet and having the same machine (which could <shudder> be a
    gateway using ICS) smile and enable the machine to show up in ping
    sweeps. The scope of the ICMP settings cannot be limited like it can
    with the exceptions list. To secure this, you would have to use IPSec
    filters possibly... not many home users could easily configure that.

    Anyway, has anyone else run into this? Anyone tried to see if it could
    be corrected with a GPO?

    Jordan



