RE: XP-SP2 "Feature"

From: Laura A. Robinson (laurarobinsonearthlink.net)
Date: Fri Sep 10 2004 - 11:49:35 CDT


Client computers attempt to determine if they are connected via a slow
connection before processing GP, as some settings are not processed over
slow links (some can be changed; others cannot). In order to do this, ICMP
must be allowed or the registries on the machines must be hacked. FRS and AD
replication also need ICMP.

This, I suspect, is why MS set the firewall setting as they did: because
many admins would knee-jerk block ICMP while allowing directory service
(port 445 [MS-DS]) traffic (File & Print Sharing is not technically what
port 445 is for). By hooking ICMP into the port 445 allowance, MS reduces
significantly the number of support calls they'll have to field. They also
reduce administrative troubleshooting/frustration.

The assumption is, if you're opening port 445, you *have* AD, because that
is what port 445 is *for*. Therefore, you are going to *need* ICMP
communication.

Laura

> -----Original Message-----
> From: Zath, Linda A [mailto:linda.a.zathintel.com]
> Sent: Wednesday, September 08, 2004 5:52 PM
> To: Ian Miller
> Cc: focus-mssecurityfocus.com
> Subject: RE: XP-SP2 "Feature"
>
> We experienced problems with GPO's failing when ICMP was blocked at the
> FW. When ICMP traffic was allowed the GPO's worked fine. Annoying
> problem that took a while to track down as only some settings in
> the GPO's failed.
>
> Linda Zath
>
> -----Original Message-----
> From: Ian Miller [mailto:millerucalgary.ca]
> Sent: Wednesday, September 08, 2004 8:32 AM
> Cc: focus-mssecurityfocus.com
> Subject: Re: XP-SP2 "Feature"
>
> What about Group Policy? Does anyone know if XP/2K Pro
> require ICMP to be open across firewalls? The reason I ask
> this is we have been told (but unable to confirm) by other
> sources that ICMP must be available in order for Group Policy
> to work. If ICMP is not required (could you please indicate
> in your response) what work-arounds are necessary in order
> for Group Policy (both Computer and User) to work across firewalls.
>
> >
> > Thanks.
> >
> >>
> >> Jordan Wiseman wrote:
> >>
> >>>I understand that ICMP is used to verify connectivity to a server
> >>>hosting a CIFS resource. The problem I have is with how the WF
> >>>[Windows Firewall] handles this. If you enable File & Print Sharing
> >>>(port 445 only/at least) on the exceptions tab, where you can limit
> >>>the scope, it still opens up ICMP for the world, not with a similarly
> >>>limited scope.
> >>>
> >>>Even though ICMP is used by various clients to verify connectivity to
> >>>a CIFS server, it is not NECESSARY to do so. In this very situation,
> >>>if you manually configure port 445 on a specific interface (which
> >>>ironically doesn't force ICMP on the same interface) without allowing
> >>>ICMP you can still browse the shared resources on the XP-based
> >>>server.
> >>>
> >>>I concede the fact that this is not a real vulnerability. However, I
> >>>still do not believe that it is necessary to force this setting on a
> >>>user. At the very least, it should be suggested to the user (in help
> >>>for instance) that IF they are having problems connecting after
> >>>enabling port 445, they should then try enabling ping. This would be
> >>>in keeping with the idea of "least access".
> >>>
> >>>Jordan
> >>>
> >>>-----Original Message-----
> >>>From: Thor [mailto:thorhammerofgod.com]
> >>>Sent: Saturday, September 04, 2004 6:08 AM
> >>>To: Jordan Wiseman; focus-mssecurityfocus.com; Eric
> >>>Subject: Re: XP-SP2 "Feature"
> >>>
> >>>
> >>>I don't see where this is an issue... Different CIFS protocols use
> >>>ICMP to verify connectivity to DC's. If you choose to specify a CIFS
> >>>exception in WF, ICMP is enabled on the specified interface so that
> >>>CIFS-based processes/protocols operate as expected. Specifically
> >>>regarding the "server class" of DFS, though the service provided
> >>>lives at the host, it is the client that requests, and is
> >>>subsequently redirected to as required, the DFS resources. During
> >>>that process, ICMP is used to verify the DC providing that config via
> >>>LDAP is reachable.
> >>>
> >>>It's not if the workstation was going to be managed - you can do that
> >>>via 139/nb - it's if the workstation has CIFS bound to the interface,
> >>>thus indicating that it is configured to use CIFS supported
> >>>protocols. If one enables CIFS on an interface, then ICMP is enabled
> >>>as well. In the event that a CIFS bound interface is facing the
> >>>public, I would hope that *that* config would be the source for
> >>>concern before worrying about ICMP.
> >>>
> >>>AFA ICF in SP1 is concerned, I don't think that is a valid
> >>>comparison -- there are no pre-defined "File & Print Sharing" rules
> >>>available. ICF in SP1 was not designed to be deployed on
> >>>domain-member LAN interfaces. It was a connection-based
> >>>implementation with no remote config options, no group policy
> >>>options, and no central management.
> >>>
> >>>Again, if the binding exists, (which should not be the case for INet
> >>>facing systems anyway) that's the real problem; not ICMP.
> >>>
> >>>
> >>>T
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>----- Original Message -----
> >>>From: "Jordan Wiseman" <Jordan_WisemanValleymed.org>
> >>>To: "Thor" <thorhammerofgod.com>; <focus-mssecurityfocus.com>;
> "Eric"
> >>><ewstellurian.com>
> >>>Sent: Friday, September 03, 2004 12:19 AM
> >>>Subject: RE: XP-SP2 "Feature"
> >>>
> >>>
> >>>It is true that DFS, as well as many other Microsoft related services
> >>>have built-in dependencies on ping. But most of these services are
> >>>only installable/configurable (DFS included I think) for the server
> >>>class OS's. This setting is only forced on XP-SP2 workstations who
> >>>enable [except] port 445 for SMB over TCP (for now).
> >>>
> >>>I still don't see this as truly necessary. It seems it was done as a
> >>>matter of convenience in the off chance the workstation might be
> >>>managed as part of a domain. Ironically... if you allow just port 445
> >>>through on an SP1 system, it doesn't force pings to be allowed too.
> >>>This means that for most existing XP environments, this issue (having
> >>>to turn on ping if needed) likely had already been addressed
> >>>(assuming of course they have implemented the ICF in those
> >>>environments in the first place).
> >>>
> >>>Jordan
> >>>
> >>>
> >>>-----Original Message-----
> >>>From: Thor [mailto:thorhammerofgod.com]
> >>>Sent: Thursday, September 02, 2004 5:44 PM
> >>>To: Jordan Wiseman; focus-mssecurityfocus.com; Eric
> >>>Subject: Re: XP-SP2 "Feature"
> >>>
> >>>The CIFS implementation of SMB in Win2k supports many extended
> >>>protocols, one of which is DFS. Part of the referral process when
> >>>getting DFS configuration information includes verification of DC
> >>>connectivity via ICMP. Similar startup/logon processes that use CIFS
> >>>validate DC connectivity using ICMP as well.
> >>>
> >>>That's why the firewall config allows ICMP when FS over 445 is bound
> >>>to the interface.
> >>>
> >>>T
> >>>
> >>>----- Original Message -----
> >>>From: "Eric" <ewstellurian.com>
> >>>To: "Jordan Wiseman" <Jordan_WisemanValleymed.org>;
> >>><focus-mssecurityfocus.com>
> >>>Sent: Thursday, September 02, 2004 1:00 PM
> >>>Subject: Re: XP-SP2 "Feature"
> >>>
> >>>
> >>>
> >>>
> >>>>Yes, I noticed this too. I'm gathering MS did this because some of
> >>>>their apps that use 445 also use ICMP. I find it very frustrating
> >>>>that MS didn't give an option to disable this.
> >>>>
> >>>>You can, however, work around this for many circumstances. Instead
> >>>>of using 445, use 139. If opening 139 only, ICMP is not
> >>>>force-enabled. 139 will do almost all of what 445 does - you can do
> >>>>all your file and print sharing, systems management, etc. over 139,
> >>>>keeping 445 and ICMP closed.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>DISCLAIMER:
> >>>This message is confidential, intended only for the named
> recipient(s)
> >>>and may contain information that is privileged or exempt from
> disclosure
> >>>under applicable law. If you are not the intended
> recipient(s), you
> are
> >>>notified that the dissemination, distribution or copying of this
> >>>information is strictly prohibited. If you received this
> message in
> >>>error, please notify the sender then delete this message.
> >>>
> >>
> >>--
> >>=======================================
> >>D. Ian Miller }8-)
> >>Systems Analyst
> >>Information Technologies
> >>University of Calgary
> >>W: 403.220.8643
> >>M: 403.605.9856
> >>
> >>
> >>
> >
>
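The complaint running through this thread, that enabling the File and Printer Sharing exception also admits ICMP echo without the scope restriction applied to the SMB ports, can be audited directly on current Windows versions, where the same rule group still exists. The PowerShell below is an added example and is not part of the original thread or of any Microsoft tooling; it assumes Windows 8 / Server 2012 or later with the NetSecurity module (Get-NetFirewallRule, Get-NetFirewallPortFilter, Get-NetFirewallAddressFilter, Set-NetFirewallRule) and that the group carries the display name "File and Printer Sharing" shown in the firewall UI. It lists every enabled inbound rule in that group with its protocol, local port and remote-address scope, then flags any ICMP rule open to "Any" while the TCP 445/139 rules in the same group are scoped more tightly. The 10.0.0.0/8 value in the commented remediation is a placeholder.

```powershell
# Audit the "File and Printer Sharing" rule group for the mismatch discussed
# in the thread: ICMP echo admitted with a wider scope than the SMB ports.
# Added example; assumes the NetSecurity module (Windows 8 / Server 2012+).

$group = 'File and Printer Sharing'

# Collect enabled inbound rules in the group together with their port and
# address filters, flattened into one object per rule.
$rules = Get-NetFirewallRule -DisplayGroup $group -Enabled True -Direction Inbound |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.DisplayName
            Profile       = $_.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }

$rules | Format-Table -AutoSize

# Scope actually applied to the SMB rules (TCP 445 and TCP 139).
$smbScopes = $rules |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -in @('445', '139') } |
    Select-Object -ExpandProperty RemoteAddress -Unique

# An ICMP rule in the group that is open to "Any" while the SMB rules are
# scoped reproduces the XP SP2 behaviour described in the thread.
$rules |
    Where-Object { $_.Protocol -in @('ICMPv4', 'ICMPv6') -and $_.RemoteAddress -eq 'Any' } |
    ForEach-Object {
        if ($smbScopes -and ($smbScopes -notcontains 'Any')) {
            Write-Warning ("{0}: ICMP open to Any while SMB rules are scoped to {1}" -f `
                $_.Name, ($smbScopes -join '; '))
        } else {
            Write-Output ("{0}: ICMP open to Any" -f $_.Name)
        }
    }

# Remediation (run as administrator): scope the group's ICMP rules to the same
# addresses as the SMB rules rather than disabling them outright, since domain
# members still rely on echo for the DC reachability checks the thread mentions.
# 10.0.0.0/8 is a placeholder; substitute the management network in use.
# Get-NetFirewallRule -DisplayGroup $group -Enabled True -Direction Inbound |
#     Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -like 'ICMP*' } |
#     Set-NetFirewallRule -RemoteAddress 10.0.0.0/8
```

Run it in an elevated session so the rule filters are readable for every profile; the table alone shows whether the "least access" point made in the thread holds on a given host, and the warning fires only when the SMB rules are scoped and an ICMP rule in the same group is not.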
