RE: XP-SP2 "Feature"

From: Zath, Linda A (linda.a.zath_at_intel.com)
Date: 09/08/04

    Date: Wed, 8 Sep 2004 15:51:58 -0600
    To: "Ian Miller" <miller@ucalgary.ca>
    
    

    We experienced problems with GPOs failing when ICMP was blocked at the
    FW. When ICMP traffic was allowed the GPOs worked fine. Annoying
    problem that took a while to track down, as only some settings in the
    GPOs failed.

    Linda Zath

    -----Original Message-----
    From: Ian Miller [mailto:miller@ucalgary.ca]
    Sent: Wednesday, September 08, 2004 8:32 AM
    Cc: focus-ms@securityfocus.com
    Subject: Re: XP-SP2 "Feature"

    What about Group Policy? Does anyone know if XP/2K Pro require ICMP to
    be open across firewalls? The reason I ask this is we have been told
    (but unable to confirm) by other sources that ICMP must be available in
    order for Group Policy to work. If ICMP is not required (could you
    please indicate in your response) what work-arounds are necessary in
    order for Group Policy (both Computer and User) to work across
    firewalls.

    >
    > Thanks.
    >
    >>
    >> Jordan Wiseman wrote:
    >>
    >>>I understand that ICMP is used to verify connectivity to a server
    >>>hosting a CIFS resource. The problem I have is with how the WF [Windows
    >>>Firewall] handles this. If you enable File & Print Sharing (port 445
    >>>only/at least) on the exceptions tab, where you can limit the scope, it
    >>>still opens up ICMP for the world, not with a similarly limited scope.
    >>>
    >>>Even though ICMP is used by various clients to verify connectivity to a
    >>>CIFS server, it is not NECESSARY to do so. In this very situation, if
    >>>you manually configure port 445 on a specific interface (which
    >>>ironically doesn't force ICMP on the same interface) without allowing
    >>>ICMP you can still browse the shared resources on the XP-based server.
    >>>
    >>>I concede the fact that this is not a real vulnerability. However, I
    >>>still do not believe that it is necessary to force this setting on a
    >>>user. At the very least, it should be suggested to the user (in help
    >>>for instance) that IF they are having problems connecting after enabling
    >>>port 445, they should then try enabling ping. This would be in keeping
    >>>with the idea of "least access".
    >>>
    >>>Jordan
    >>>
    >>>-----Original Message-----
    >>>From: Thor [mailto:thor@hammerofgod.com]
    >>>Sent: Saturday, September 04, 2004 6:08 AM
    >>>To: Jordan Wiseman; focus-ms@securityfocus.com; Eric
    >>>Subject: Re: XP-SP2 "Feature"
    >>>
    >>>
    >>>I don't see where this is an issue... Different CIFS protocols use ICMP
    >>>to verify connectivity to DCs. If you choose to specify a CIFS
    >>>exception in WF, ICMP is enabled on the specified interface so that
    >>>CIFS-based processes/protocols operate as expected. Specifically
    >>>regarding the "server class" of DFS, though the service provided lives
    >>>at the host, it is the client that requests, and is subsequently
    >>>redirected to as required, the DFS resources. During that process, ICMP
    >>>is used to verify the DC providing that config via LDAP is reachable.
    >>>
    >>>It's not if the workstation was going to be managed - you can do that via
    >>>139/nb - it's if the workstation has CIFS bound to the interface, thus
    >>>indicating that it is configured to use CIFS supported protocols. If
    >>>one enables CIFS on an interface, then ICMP is enabled as well. In the
    >>>event that a CIFS bound interface is facing the public, I would hope
    >>>that *that* config would be the source for concern before worrying about
    >>>ICMP.
    >>>
    >>>AFA ICF in SP1 is concerned, I don't think that is a valid comparison --
    >>>there are no pre-defined "File & Print Sharing" rules available. ICF in
    >>>SP1 was not designed to be deployed on domain-member LAN interfaces. It
    >>>was a connection-based implementation with no remote config options, no
    >>>group policy options, and no central management.
    >>>
    >>>Again, if the binding exists (which should not be the case for INet
    >>>facing systems anyway), that's the real problem; not ICMP.
    >>>
    >>>T
    >>>
    >>>----- Original Message -----
    >>>From: "Jordan Wiseman" <Jordan_Wiseman@Valleymed.org>
    >>>To: "Thor" <thor@hammerofgod.com>; <focus-ms@securityfocus.com>; "Eric"
    >>><ews@tellurian.com>
    >>>Sent: Friday, September 03, 2004 12:19 AM
    >>>Subject: RE: XP-SP2 "Feature"
    >>>
    >>>It is true that DFS, as well as many other Microsoft related services,
    >>>have built-in dependencies on ping. But most of these services are only
    >>>installable/configurable (DFS included I think) for the server class
    >>>OSes. This setting is only forced on XP-SP2 workstations which enable
    >>>[except] port 445 for SMB over TCP (for now).
    >>>
    >>>I still don't see this as truly necessary. It seems it was done as a
    >>>matter of convenience in the off chance the workstation might be managed
    >>>as part of a domain. Ironically... if you allow just port 445 through on
    >>>an SP1 system, it doesn't force pings to be allowed too. This means
    >>>that for most existing XP environments, this issue (having to turn on
    >>>ping if needed) likely had already been addressed (assuming of course
    >>>they have implemented the ICF in those environments in the first place).
    >>>
    >>>Jordan
    >>>
    >>>-----Original Message-----
    >>>From: Thor [mailto:thor@hammerofgod.com]
    >>>Sent: Thursday, September 02, 2004 5:44 PM
    >>>To: Jordan Wiseman; focus-ms@securityfocus.com; Eric
    >>>Subject: Re: XP-SP2 "Feature"
    >>>
    >>>The CIFS implementation of SMB in Win2k supports many extended
    >>>protocols, one of which is DFS. Part of the referral process when
    >>>getting DFS configuration information includes verification of DC
    >>>connectivity via ICMP. Similar startup/logon processes that use CIFS
    >>>validate DC connectivity using ICMP as well.
    >>>
    >>>That's why the firewall config allows ICMP when FS over 445 is bound to
    >>>the interface.
    >>>
    >>>T
    >>>
    >>>----- Original Message -----
    >>>From: "Eric" <ews@tellurian.com>
    >>>To: "Jordan Wiseman" <Jordan_Wiseman@Valleymed.org>;
    >>><focus-ms@securityfocus.com>
    >>>Sent: Thursday, September 02, 2004 1:00 PM
    >>>Subject: Re: XP-SP2 "Feature"
    >>>
    >>>>Yes, I noticed this too. I'm gathering MS did this because some of
    >>>>their apps that use 445 also use ICMP. I find it very frustrating
    >>>>that MS didn't give an option to disable this.
    >>>>
    >>>>You can, however, work around this for many circumstances. Instead of
    >>>>using 445, use 139. If opening 139 only, ICMP is not force-enabled.
    >>>>139 will do almost all of what 445 does - you can do all your file and
    >>>>print sharing, systems management, etc. over 139, keeping 445 and ICMP
    >>>>closed.
    >>>
    >>>DISCLAIMER:
    >>>This message is confidential, intended only for the named recipient(s)
    >>>and may contain information that is privileged or exempt from disclosure
    >>>under applicable law. If you are not the intended recipient(s), you are
    >>>notified that the dissemination, distribution or copying of this
    >>>information is strictly prohibited. If you received this message in
    >>>error, please notify the sender then delete this message.
    -- 
    =======================================
    D. Ian Miller                      }8-)
    Systems Analyst
    Information Technologies
    University of Calgary
    W: 403.220.8643
    M: 403.605.9856
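An added audit example (not from this thread or any of its authors) that applies the point Jordan and Eric make: given an XP SP2 Windows Firewall profile in the shape it is stored under the FirewallPolicy registry key, it flags the case where inbound echo is open to every address while the 445 exception itself is scoped, and points at the 139-only alternative. The value layout ("port:proto:scope:state:name", echo as a single flag with no scope) and the sample profile are assumptions constructed for this example.

```python
# Added audit example, not code from the thread. Assumed (not verified here)
# registry layout of an XP SP2 firewall profile:
#   GloballyOpenPorts\List values: "port:proto:scope:Enabled|Disabled:name"
#   IcmpSettings\AllowInboundEchoRequest: DWORD, no scope field at all.

# Constructed sample: File and Print Sharing limited to the local subnet,
# which (per the thread) also turns inbound echo on for everyone.
SAMPLE_PROFILE = {
    "GloballyOpenPorts": [
        "445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22001",
        "139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004",
        "137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002",
    ],
    "IcmpSettings": {"AllowInboundEchoRequest": 1},
}


def parse_port_entry(entry):
    """Split one GloballyOpenPorts value into its fields (assumed layout)."""
    port, proto, scope, state, name = entry.split(":", 4)
    return {"port": int(port), "proto": proto.upper(), "scope": scope,
            "enabled": state == "Enabled", "name": name}


def audit_profile(profile):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    ports = [parse_port_entry(e) for e in profile.get("GloballyOpenPorts", [])]
    echo_open = profile.get("IcmpSettings", {}).get("AllowInboundEchoRequest", 0) == 1
    smb_direct = [p for p in ports if p["enabled"] and p["port"] == 445]
    if smb_direct and echo_open:
        # Echo carries no scope, so it is reachable from any address even
        # when 445 is limited: the "least access" gap the thread complains about.
        for p in smb_direct:
            if p["scope"] != "*":
                findings.append(
                    f"inbound echo open to all addresses but 445/{p['proto']} "
                    f"is scoped to {p['scope']}; consider 139-only or disabling echo")
    if echo_open and not smb_direct:
        findings.append("inbound echo open without a 445 exception; check it is intended")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
```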

