From: Fred Williams (A20FBW1_at_wpo.cso.niu.edu)
Date: Wed Nov 06 2002 - 10:59:05 CST
Hello,

Yes, thank you for making this clarification. This is indeed only for Win2K IPSec filters, and if your Win2K servers/workstations/intranet are already behind a properly configured firewall this issue would be minimized. However, the problem is not limited to domain controllers only, but all Win2K installations, both servers and workstations (just tested a Win2K Pro SP3). So, if someone is relying solely on Win2K IPSec IP filtering for IP blocking (maybe someone's home system, for example), they might have a false sense of security.

Thanks
Fred
>>> "Dante Mercurio" <dmercurio@ccgsecurity.com> 11/06/02 10:17AM >>>
Just to clarify to avoid confusion: This only applies to IPSec policies set up ON MS systems. Two domain controllers behind a Watchguard (or any vendor for that matter) branch office VPN will have these packets encrypted while traveling over the VPN.

M. Dante Mercurio, CCNA, MCSE+I, CCSA
dmercurio@ccgsecurity.com
Consulting Group Manager
Continental Consulting Group, LLC
www.ccgsecurity.com
-----Original Message-----
From: Fred Williams [mailto:A20FBW1@wpo.cso.niu.edu]
Sent: Tuesday, November 05, 2002 1:29 PM
To: focus-ms@securityfocus.com; security-basics@securityfocus.com
Subject: was - RE: Access to well-known ports on Win2K - now [IPSec - Default behavior]
Hello,

As long as you're discussing IPSec filters, please permit this bit of "thread drift"... Almost all of you know this already, but there are always new readers or perhaps those new to Win2K IPSec policies...

According to the article:
Traffic That Can--and Cannot--Be Secured by IPSec
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q253169

All traffic from any IP port 88 is ASSUMED to be Kerberos traffic and hence is exempt from all IPSec filters. So just by implementing a "block all" IPSec policy, ANYONE can still port scan your computer by binding their scanner to their local port 88 and targeting your computer.

According to this article:
IPSec Does Not Secure Kerberos Traffic Between Domain Controllers
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q254728&

A registry setting was added in Win2K SP1 to support disabling this "feature":
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC
REG_DWORD: NoDefaultExempt
Value: 1

I wrote a quick VBScript to then set this key on all computers in an Active Directory OU. If anyone is interested in the script just email me directly. Note the IPSec Policy Agent needs to be restarted for the change to take effect... this can be scripted as well... Hope someone finds this helpful.

Thanks
Fred
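The procedure Fred describes above (set NoDefaultExempt to 1 on every computer in an AD OU, then restart the IPSec Policy Agent), as an added example written for this page in PowerShell. It is not Fred's VBScript, which is not reproduced in the thread. It assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module on the admin host, the Remote Registry service reachable on the targets with admin rights, the service name PolicyAgent for the IPSec Policy Agent, and a placeholder OU distinguished name that you replace with your own. The Set-NoDefaultExempt function name and the DryRun switch are this example's own.

```powershell
# Added example (not from the original post): push NoDefaultExempt=1 to
# every computer in one AD OU over the remote registry, restart the IPSec
# Policy Agent so the new value is read, and report before/after per host.
# Placeholder assumptions: the OU DN, RSAT ActiveDirectory module, Remote
# Registry reachable on targets, service name PolicyAgent.
param(
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=com',  # placeholder OU
    [switch]$DryRun                                             # report only, change nothing
)

Import-Module ActiveDirectory

$SubKey    = 'SYSTEM\CurrentControlSet\Services\IPSEC'
$ValueName = 'NoDefaultExempt'

function Set-NoDefaultExempt {
    param([string]$Computer, [int]$Desired = 1, [switch]$DryRun)

    # Open HKLM on the remote machine (needs the Remote Registry service and admin rights).
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey($SubKey, $true)   # $true = writable
        if ($null -eq $key) { throw "$SubKey not found on $Computer" }
        try {
            $before = $key.GetValue($ValueName)    # $null when the value was never created
            if (-not $DryRun -and $before -ne $Desired) {
                $key.SetValue($ValueName, $Desired, [Microsoft.Win32.RegistryValueKind]::DWord)
            }
            $after = $key.GetValue($ValueName)
        } finally { $key.Close() }
    } finally { $hklm.Close() }

    # The agent only reads the value at start-up, so restart it after the write.
    if (-not $DryRun) {
        Get-Service -ComputerName $Computer -Name PolicyAgent | Restart-Service -Force
    }

    [pscustomobject]@{
        Computer = $Computer
        Before   = $before
        After    = $after
        Agent    = (Get-Service -ComputerName $Computer -Name PolicyAgent).Status
    }
}

$targets = Get-ADComputer -Filter * -SearchBase $SearchBase |
           Select-Object -ExpandProperty DNSHostName

$results = foreach ($computer in $targets) {
    try {
        Set-NoDefaultExempt -Computer $computer -DryRun:$DryRun -ErrorAction Stop
    } catch {
        # Unreachable host or access denied: record it rather than aborting the run.
        [pscustomobject]@{ Computer = $computer; Before = $null
                           After = 'ERROR: ' + $_.Exception.Message; Agent = $null }
    }
}

$results | Format-Table Computer, Before, After, Agent -AutoSize

# Anything still not at 1 continues to let source-port-88 traffic past the filters.
$results | Where-Object { $_.After -ne 1 } |
    ForEach-Object { Write-Warning "$($_.Computer): $ValueName is '$($_.After)', expected 1" }
```

Run it once with -DryRun to see which hosts already have the value, then without. Restarting PolicyAgent briefly takes the host's IPSec policy down, so do it in a maintenance window rather than mid-day on an exposed box. To reproduce the check Fred describes from a non-Windows host, scan with nmap's source-port option (nmap -g 88 <target>) before and after: with the default exemption the "blocked" ports still answer, afterwards they do not. Later Windows releases (XP SP2, Server 2003) widened this value to 0 through 3 and changed the default, so check the KB article for the OS version you are managing before pushing 1 everywhere.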