RE: XP-SP2 "Feature"

From: Jordan Wiseman (Jordan_Wiseman_at_Valleymed.org)
Date: 09/03/04

  • Next message: Lothar Kimmeringer: "Re: XP-SP2 "Feature""
    Date: Fri, 3 Sep 2004 00:06:25 -0700
    To: "Aaron Drew" <ripper@internode.on.net>, <focus-ms@securityfocus.com>
    
    

    Ping sweeps are often a routine scan for a script-kiddie/auto-hack tool.
    I was simply pointing out that for a novice user, unaware of the risks
    involved in connecting a computer directly to the internet, this forced
    setting could possibly make them more of a target without their
    knowledge. We have enough compromised home machines on "high-speed"
    networks; I don't think it was really responsible of Microsoft to make
    it easier for a host to be targeted in the name of convenience. I
    could see users enabling file and print sharing for their subnet and not
    realizing that it also forces their computer to respond to ICMP echo
    requests from ANY subnet.

    All in all, if the system is up-to-date on VS/QFE's/Settings it might
    not be much of a risk...but is that a chance that should be taken
    blindly?

    Jordan

    -----Original Message-----
    From: Aaron Drew [mailto:ripper@internode.on.net]
    Sent: Thursday, September 02, 2004 7:05 PM
    To: Jordan Wiseman
    Subject: RE: XP-SP2 "Feature"

    I fail to see the big deal here. If someone cares enough to ping sweep
    such a network, they're probably already on it (insecure 802.11??) in
    which case they could do an ARP sweep to find hosts anyway.

    - Aaron

    -----Original Message-----
    From: Jordan Wiseman [mailto:Jordan_Wiseman@Valleymed.org]
    Sent: Friday, 3 September 2004 2:09 AM
    To: focus-ms@securityfocus.com
    Subject: XP-SP2 "Feature"

    Hey everyone,

    I was configuring the Windows Firewall on an XP-SP2 box and noticed
    something "funny". When I enabled the "File and Print Sharing"
    exception (only port 445 actually) for my local subnet, the "Allow
    Incoming ICMP Echo Request" GLOBAL setting was forced on. The
    configuration dialog cheerfully explains that when port 445 is enabled,
    so are incoming pings. In fact, the setting is grayed out so you can't
    disable it!

    I submitted a "comment/support" request to MS about SP2 to see what they
    had to say and got "it is enabled for the convenience of the
    Administrator"?!? It would seem to me that if this were true, it [being
    forced to allow pings] would only apply if the machine were a domain
    member....this one is not. Even if a domain admin wanted to enable
    ping, they could configure this via policy. An admin would more than
    likely have better ways to troubleshoot the box anyway.

    The real uncomfortable thing here is for home users. Imagine someone
    with a small network at home, enabling file and print sharing for their
    local subnet and having the same machine (which could <shudder> be a
    gateway using ICS) to smile and enable the machine to show up in ping
    sweeps. The scope of the ICMP settings cannot be limited like it can
    with the exceptions list. To secure this, you would have to use IPSec
    filters possibly...not many home users could easily configure that.

    Anyway, has anyone else run into this? Anyone tried to see if it could
    be corrected with a GPO?

    Jordan

    DISCLAIMER:
    This message is confidential, intended only for the named recipient(s)
    and may contain information that is privileged or exempt from disclosure
    under applicable law. If you are not the intended recipient(s), you are
    notified that the dissemination, distribution or copying of this
    information is strictly prohibited. If you received this message in
    error, please notify the sender then delete this message.

    
