Re: XP-SP2 "Feature"

From: Eric (ews_at_tellurian.com)
Date: 09/02/04

  • Next message: Zack Schiel: "RE: XP-SP2 "Feature""
    Date: Thu, 02 Sep 2004 15:00:27 -0500
    To: "Jordan Wiseman" <Jordan_Wiseman@Valleymed.org>, <focus-ms@securityfocus.com>

    Yes, I noticed this too. I'm gathering MS did this because some of their
    apps that use 445 also use ICMP. I find it very frustrating that MS didn't
    give an option to disable this.

    You can, however, work around this in many circumstances. Instead of using
    445, use 139. If opening 139 only, ICMP is not force-enabled. 139 will do
    almost all of what 445 does - you can do all your file and print sharing,
    systems management, etc. over 139, keeping 445 and ICMP closed.

    At 11:08 AM 9/2/2004, Jordan Wiseman wrote:
    >Hey everyone,
    >
    >I was configuring the Windows Firewall on an XP-SP2 box and noticed
    >something "funny". When I enabled the "File and Print Sharing"
    >exception (only port 445 actually) for my local subnet, the "Allow
    >Incoming ICMP Echo Request" GLOBAL setting was forced on. The
    >configuration dialog cheerfully explains that when port 445 is enabled,
    >so are incoming pings. In fact, the setting is grayed out so you can't
    >disable it!
    >
    >I submitted a "comment/support" request to MS about SP2 to see what they
    >had to say and got "it is enabled for the convenience of the
    >Administrator"?!? It would seem to me that if this were true, it [being
    >forced to allow pings] would only apply if the machine were a domain
    >member... this one is not. Even if a domain admin wanted to enable
    >ping, they could configure this via policy. An admin would more than
    >likely have better ways to troubleshoot the box anyway.
    >
    >The really uncomfortable thing here is for home users. Imagine someone
    >with a small network at home, enabling file and print sharing for their
    >local subnet and having the same machine (which could <shudder> be a
    >gateway using ICS) to smile and enable the machine to show up in ping
    >sweeps. The scope of the ICMP settings cannot be limited like it can
    >with the exceptions list. To secure this, you would have to use IPSec
    >filters possibly...not many home users could easily configure that.
    >
    >Anyway, has anyone else run into this? Anyone tried to see if it could
    >be corrected with a GPO?
    >
    >Jordan
    >
    >DISCLAIMER:
    >This message is confidential, intended only for the named recipient(s)
    >and may contain information that is privileged or exempt from disclosure
    >under applicable law. If you are not the intended recipient(s), you are
    >notified that the dissemination, distribution or copying of this
    >information is strictly prohibited. If you received this message in
    >error, please notify the sender then delete this message.
    >
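Eric's workaround, written up as a script an administrator could apply and then verify on an XP SP2 machine (an added example, not code posted in the thread). It assumes the XP SP2 `netsh firewall` context and an administrator command prompt; the exception name "NetBIOS Session (TCP 139)" is my own choice.

```batch
@echo off
rem Added example: open only TCP 139 for the local subnet instead of the
rem File and Printer Sharing exception (TCP 445), so inbound ICMP echo is
rem not force-enabled. Assumes XP SP2 "netsh firewall" and admin rights.

rem -- The setting the thread complains about: the File and Printer
rem    Sharing service exception opens TCP 445 and forces ICMP echo on.
rem    Shown for comparison; keep it disabled.
netsh firewall set service type = FILEANDPRINT mode = DISABLE

rem -- Workaround: open only the NetBIOS session port (TCP 139),
rem    restricted to the local subnet, in place of TCP 445.
netsh firewall set portopening protocol = TCP port = 139 name = "NetBIOS Session (TCP 139)" mode = ENABLE scope = SUBNET

rem -- Make sure TCP 445 is not open on its own and that inbound echo
rem    request (ICMP type 8) is explicitly disabled.
netsh firewall delete portopening protocol = TCP port = 445
netsh firewall set icmpsetting type = 8 mode = DISABLE

rem -- Verify: type 8 should show as disabled (and not grayed out, as it
rem    is with the 445 exception), and only TCP 139 should be listed.
netsh firewall show icmpsetting
netsh firewall show portopening
```

TCP 139 is the NetBIOS session service, so NetBIOS over TCP/IP must remain enabled on the adapter for this to work; name resolution and browse lists additionally need UDP 137/138, which this script does not open.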


