OSEC

 
From: Kevin Kaminski (Kevin.Kaminskitelus.com)
Date: Wed Oct 03 2001 - 14:51:29 CDT


    I am looking at deploying a Win2K IIS server on the Internet. The only
    services offered are IIS on port 80 and IPSec for administration. While
    researching this I had found ICMP to be somewhat of a grey area. My initial
    question was to allow ICMP or not in this Internet scenario. After talking
    to Microsoft they suggested I filter ICMP to Types 3, 4, 5 and 11 to allow for
    proper operation of the server. That seemed fair because I was told systems
    may not be able to communicate with the server if they are using a smaller
    MTU than the server. With the ICMP filters I was worried that ICMP redirects
    would not be filtered and could leave the system open to DoS attacks. Going
    back to the NSA document on IIS5 they leave all ICMP traffic blocked. Is
    Win2K to be trusted with ICMP or is this too problematic to deal with? Left
    somewhat unsure I thought I would ask a community of versed security experts
    for their opinions on ICMP and Win2K. What is a safe ICMP configuration in
    the real world that will not affect client connectivity? Or maybe I should
    leave it more open as to what is your policy on ICMP with Win2K and why?
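
Added example, not part of the original post: a small Python check that runs constructed ICMP messages through the two filters the post contrasts (the type list 3, 4, 5, 11 and a block-all rule). It shows where the MTU message and the redirect land under each. The sample messages are simplified (they omit the embedded original IP header), and all function and variable names are assumptions of this example.

```python
import struct

MS_SUGGESTED = frozenset({3, 4, 5, 11})  # type list quoted in the post
BLOCK_ALL = frozenset()                  # "all ICMP traffic blocked", per the post
NAMES = {3: "dest-unreachable", 4: "source-quench", 5: "redirect",
         8: "echo-request", 11: "time-exceeded"}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Build a constructed ICMP message (sample data only)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def evaluate(msg: bytes, allowed: frozenset) -> dict:
    """Apply a type-only filter and flag the two cases the post asks about."""
    if len(msg) < 8 or checksum(msg) != 0:
        return {"verdict": "drop", "note": "malformed"}
    icmp_type, code = msg[0], msg[1]
    out = {"name": NAMES.get(icmp_type, "other"), "code": code,
           "verdict": "allow" if icmp_type in allowed else "drop", "note": ""}
    if icmp_type == 3 and code == 4:
        # Fragmentation needed, DF set: next-hop MTU is in bytes 6-7 (RFC 1191)
        mtu = struct.unpack("!H", msg[6:8])[0]
        out["note"] = "PMTU discovery, next-hop MTU %d" % mtu
    elif icmp_type == 5:
        out["note"] = "redirect is admitted by any filter that lists type 5"
    return out

# Constructed samples; 192.0.2.1 is a documentation address.
SAMPLES = {
    "frag-needed": build(3, 4, struct.pack("!HH", 0, 1400)),
    "redirect": build(5, 1, bytes([192, 0, 2, 1])),
    "echo": build(8, 0),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        for pname, policy in (("types 3,4,5,11", MS_SUGGESTED),
                              ("block all", BLOCK_ALL)):
            print(label, "|", pname, "|", evaluate(msg, policy))
```

A type-only filter cannot separate type 3 code 4 from other unreachables; admitting only that code needs a filter that matches on the code field as well.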