From: Kevin Kaminski (Kevin.Kaminskitelus.com)
Date: Thu Oct 04 2001 - 01:35:03 CDT


    Microsoft KB article Q136970 suggests that is all that is needed for PMTU. I
    cannot see any need to allow anything else. After reading about PMTU and
    ICMP this all looks so blatantly simple. If I turn on anything else I am
    just asking for problems. I cannot see any way to abuse that config.

    -----Original Message-----
    From: Stefan Norberg [mailto:stefanorbisec.com]
    Sent: Thursday, October 04, 2001 12:11 AM
    To: Kevin Kaminski; focus-mssecurityfocus.com
    Subject: RE: ICMP, NT and IIS: What is a safe cocktail?

    Kevin,
    Allowing only incoming type 3 code 4 (packet too big - need to fragment) is
    a pretty tight config. That won't break people sitting behind links with
    smaller MTUs. I don't see any obvious reason for allowing anything else in
    most scenarios.

    Stefan Norberg

    -----Original Message-----
    From: Kevin Kaminski [mailto:Kevin.Kaminskitelus.com]
    Sent: 3 October 2001 21:51
    To: 'focus-mssecurityfocus.com'
    Subject: ICMP, NT and IIS: What is a safe cocktail?

    I am looking at deploying a Win2K IIS server on the Internet. The only
    services offered are IIS on port 80 and IPSec for administration. While
    researching this I found ICMP to be somewhat of a grey area. My initial
    question was to allow ICMP or not in this Internet scenario. After talking
    to Microsoft they suggested I filter ICMP to Types 3, 4, 5 and 11 to allow for
    proper operation of the server. That seemed fair because I was told systems
    may not be able to communicate with the server if they are using a smaller
    MTU than the server. With the ICMP filters I was worried that ICMP redirects
    would not be filtered and could leave the system open to DoS attacks. Going
    back to the NSA document on IIS5, they leave all ICMP traffic blocked. Is
    Win2K to be trusted with ICMP, or is this too problematic to deal with? Left
    somewhat unsure, I thought I would ask a community of versed security experts
    for their opinions on ICMP and Win2K. What is a safe ICMP configuration in
    the real world that will not affect client connectivity? Or maybe I should
    leave it more open; what is your policy on ICMP with Win2K, and why?
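
The policy the thread converges on (inbound ICMP type 3 code 4 only, nothing else), worked through as an added example that is not part of the original thread or of the Microsoft or NSA guidance it cites: a small Python filter that parses an inbound IPv4/ICMP datagram, verifies the ICMP checksum, drops every type but "fragmentation needed", and then accepts that message only if the quoted inner header is a TCP segment from the server's port 80 belonging to a live connection and the advertised next-hop MTU is plausible. That last check is the caveat a practitioner wants: a bare type/code filter still lets anyone who can spoof a source address shrink the path MTU for arbitrary clients. The server address, client and router addresses, the flow table and the 576-byte MTU floor are all assumptions, and the packets at the bottom are constructed test traffic, not captures.

```python
"""Inbound ICMP policy for a server that only needs Path MTU Discovery:
allow ICMP type 3 code 4 ("fragmentation needed"), validate it against the
quoted header and the connection table, drop everything else.
Constructed example; every address and flow below is made up."""
import struct
from ipaddress import IPv4Address

SERVER_IP = IPv4Address("198.51.100.10")   # assumed address of the web server
SERVER_PORT = 80                           # the only public service on the host
MIN_MTU = 576                              # assumed floor: RFC 791 hosts must accept 576 octets


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a correctly checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(buf: bytes):
    """Return (src, dst, proto, payload); raise ValueError on a malformed header."""
    if len(buf) < 20:
        raise ValueError("short IPv4 header")
    vihl, _tos, _tlen, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 header")
    return IPv4Address(src), IPv4Address(dst), proto, buf[ihl:]


def filter_inbound_icmp(packet: bytes, active_flows):
    """Decide ACCEPT/DROP for one inbound IPv4 datagram.

    active_flows: set of (client_ip, client_port) for established TCP connections
    to SERVER_PORT, as a stateful firewall or the host's own stack knows them.
    Returns (verdict, reason, next_hop_mtu_or_None)."""
    try:
        _src, dst, proto, icmp = parse_ipv4(packet)
    except ValueError as err:
        return "DROP", str(err), None
    if proto != 1 or dst != SERVER_IP:
        return "DROP", "not ICMP addressed to the server", None
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return "DROP", "truncated ICMP or bad checksum", None
    itype, code, _csum, _unused, next_mtu = struct.unpack("!BBHHH", icmp[:8])
    # The whole policy from the thread: only "fragmentation needed" gets in.
    # Echo, redirects (type 5) and time exceeded (type 11) are all dropped here.
    if (itype, code) != (3, 4):
        return "DROP", f"ICMP type {itype} code {code} not permitted", None
    # RFC 792 quotes the original IP header plus 8 bytes of its payload; tie the
    # error to a real connection so a spoofed message cannot lower the MTU for
    # clients the sender knows nothing about.
    try:
        q_src, q_dst, q_proto, q_payload = parse_ipv4(icmp[8:])
    except ValueError:
        return "DROP", "unparseable quoted header", None
    if q_src != SERVER_IP or q_proto != 6 or len(q_payload) < 8:
        return "DROP", "quoted datagram is not our TCP traffic", None
    q_sport, q_dport = struct.unpack("!HH", q_payload[:4])
    if q_sport != SERVER_PORT or (q_dst, q_dport) not in active_flows:
        return "DROP", "no matching connection", None
    if next_mtu < MIN_MTU:
        return "DROP", f"implausible next-hop MTU {next_mtu}", None
    return "ACCEPT", f"PMTU for {q_dst}:{q_dport} is {next_mtu}", next_mtu


# --- constructed test traffic (not captured packets) ---------------------------
def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload  # IP header checksum left zero; the filter does not check it


def build_icmp(itype, code, quoted, next_mtu=0):
    body = struct.pack("!BBHHH", itype, code, 0, 0, next_mtu) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


ROUTER, CLIENT = "203.0.113.1", "192.0.2.77"        # assumed addresses
FLOWS = {(IPv4Address(CLIENT), 51234)}              # one live connection to port 80
# the server's own segment (src port 80, seq 1) that a router could not forward
quoted = build_ipv4(str(SERVER_IP), CLIENT, 6, struct.pack("!HHI", SERVER_PORT, 51234, 1))
frag_needed = build_ipv4(ROUTER, str(SERVER_IP), 1, build_icmp(3, 4, quoted, 1400))
redirect = build_ipv4(ROUTER, str(SERVER_IP), 1, build_icmp(5, 1, quoted))
echo = build_ipv4(CLIENT, str(SERVER_IP), 1, build_icmp(8, 0, b"\x00" * 8))
spoofed = build_ipv4(ROUTER, str(SERVER_IP), 1, build_icmp(
    3, 4, build_ipv4(str(SERVER_IP), CLIENT, 6, struct.pack("!HHI", SERVER_PORT, 9999, 1)), 1400))
tiny_mtu = build_ipv4(ROUTER, str(SERVER_IP), 1, build_icmp(3, 4, quoted, 68))

if __name__ == "__main__":
    for name, pkt in [("frag_needed", frag_needed), ("redirect", redirect), ("echo", echo),
                      ("spoofed", spoofed), ("tiny_mtu", tiny_mtu)]:
        print(name, filter_inbound_icmp(pkt, FLOWS))
```

Only the first constructed packet is accepted; the redirect and echo fail the type/code check, the spoofed message quotes a port with no live connection, and the 68-byte MTU is rejected as implausible. On a real perimeter device the same logic is what a stateful firewall's "related" ICMP handling does; the point of writing it out is that type 3 code 4 plus a check against the connection table is all PMTU discovery needs, and that the check against the quoted header is what keeps the one permitted ICMP type from becoming a remote MTU-clamping tool.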