Re: OS Fingerprinting Prevention

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/24/05


Date: Thu, 23 Jun 2005 23:48:31 -0500

Firewalls will help, and Windows 2003 has a built-in firewall, with the SP1
firewall being much more configurable. This should not be happening from
outside your network if your perimeter firewall is configured correctly.
An IPsec require policy that does not respond to non-IPsec traffic would also
prevent such from computers that do not have a compatible IPsec policy
enabled. IPsec configuration, however, is not trivial, requires exceptions for
domain controllers, and must be tested thoroughly before being rolled out. If
other security measures are in place on your network, such as a requirement for
strong passwords, prompt management of security patches, the concept of least
needed privilege applied for permissions and user rights, reviewing the
security logs, and hardening of the operating system, then the threat from OS
fingerprinting is minimized.

Windows 2003 also has many security options to restrict access from
anonymous access that can also reduce what info scans can acquire. Refer to
the Windows 2003 Server Security Guide and the Threats and Countermeasures
Guide for more information on security options and what levels to use in
different network environments. --- Steve

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx --- Windows 2003 Security Guide
http://www.microsoft.com/technet/security/default.mspx --- TechNet Security

"SunRace" <SunRace@discussions.microsoft.com> wrote in message
news:6370E272-3C31-4119-97E5-15314FD5E49D@microsoft.com...
> Hello,
>
> Is there any way to prevent OS fingerprinting scans on Windows 2003?
>