RE: XP-SP2 "Feature"

From: Eric McCarty (eric_at_lawmpd.com)
Date: 09/02/04

    Date: Thu, 2 Sep 2004 12:04:49 -0700
    To: "Jordan Wiseman" <Jordan_Wiseman@Valleymed.org>, <focus-ms@securityfocus.com>
    
    

    "Requests of this type are automatically allowed if TCP port 445 is
    enabled".

    Sounds like an intended feature to me; however, I don't know what logic
    backs this feature. Hopefully someone can elaborate.

    However, if it's configured for only your local subnet in the scope
    options, I don't know that it's much of a security risk. In fact, if the
    machine is exposed to the internet via ICS there will be two interfaces,
    internal (local subnet) and external (routable address); by default the
    Windows Firewall configures File & Print Sharing for only the local
    subnet and not the internet interface. If you change the scope options
    from the defaults then I believe it's a misconfiguration as opposed to a
    bug.

    The fact that services are enabled via a "piggyback" method is
    definitely something that should be addressed by Microsoft. Imagine a
    PIX that enables ICMP when you open ports for HTTP or FTP "just for ease
    of administration".

    E.

    -----Original Message-----
    From: Jordan Wiseman [mailto:Jordan_Wiseman@Valleymed.org]
    Sent: Thursday, September 02, 2004 9:09 AM
    To: focus-ms@securityfocus.com
    Subject: XP-SP2 "Feature"

    Hey everyone,

    I was configuring the Windows Firewall on an XP-SP2 box and noticed
    something "funny". When I enabled the "File and Print Sharing"
    exception (only port 445 actually) for my local subnet, the "Allow
    Incoming ICMP Echo Request" GLOBAL setting was forced on. The
    configuration dialog cheerfully explains that when port 445 is enabled,
    so are incoming pings. In fact, the setting is grayed out so you can't
    disable it!

    I submitted a "comment/support" request to MS about SP2 to see what they
    had to say and got "it is enabled for the convenience of the
    Administrator"?!? It would seem to me that if this were true, it [being
    forced to allow pings] would only apply if the machine were a domain
    member....this one is not. Even if a domain admin wanted to enable
    ping, they could configure this via policy. An admin would more than
    likely have better ways to troubleshoot the box anyway.

    The really uncomfortable thing here is for home users. Imagine someone
    with a small network at home enabling file and print sharing for their
    local subnet and having the same machine (which could <shudder> be a
    gateway using ICS) smile and enable itself to show up in ping
    sweeps. The scope of the ICMP settings cannot be limited like it can
    with the exceptions list. To secure this, you would have to use IPSec
    filters possibly...not many home users could easily configure that.

    Anyway, has anyone else run into this? Anyone tried to see if it could
    be corrected with a GPO?

    Jordan

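The following is an added example, not code from either poster. It reproduces the observation in Jordan's message from a cmd.exe prompt on an XP SP2 machine using the built-in "netsh firewall" context, so the ICMP exception list can be compared before and after the File and Printer Sharing exception is enabled for the local subnet, and so the command-line equivalent of the grayed-out checkbox can be tried. Assumptions (not stated on the page): the box is not domain-joined, so "profile=CURRENT" refers to the standard profile, and the prompt is running as an Administrator.

```batch
@echo off
REM Added example: observe whether enabling File and Printer Sharing
REM (TCP 445 among its ports) turns on the inbound ICMP echo request
REM exception (ICMP type 8), as reported on the focus-ms list.
REM Assumes XP SP2, non-domain machine, Administrator command prompt.

echo === Firewall state before the change ===
netsh firewall show state
netsh firewall show service
netsh firewall show icmpsetting

echo === Enable File and Printer Sharing for the local subnet only ===
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=CURRENT

echo === Ports the exception actually opened (expect 137-139 UDP/TCP and 445) ===
netsh firewall show portopening

echo === ICMP settings after the change; look at the type 8 line ===
netsh firewall show icmpsetting

echo === Try to turn inbound echo request back off from the command line ===
netsh firewall set icmpsetting type=8 mode=DISABLE profile=CURRENT
netsh firewall show icmpsetting
```

To confirm what the dialog says about the ICMP setting being global rather than subnet-scoped, ping the machine from a host outside the local subnet (for example across the ICS external interface) before and after the script runs; the thread reports that the GUI control is grayed out, so compare the last two "show icmpsetting" outputs to see whether the command-line change is honoured either. Type 8 in the ICMP list is the inbound echo request that ping sweeps rely on.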
    
