Focus on Microsoft
RE: XP-SP2 "Feature" Sep 10 2004 01:04PM
Cerga, Skerdi (C3) (Skerdi Cerga C3 CCAC-ONT CA) (1 replies)


Yes Linda, you are quite right. For GPO to work, MS will use ICMP net
testing to the client with 2 kbps packets. It will become an issue in case
you are using a DSL or cable connection and the provider does not support
large packets on its infrastructure. Mind you that quite often the packets
supported are far smaller, sometimes down to 1390. To me this needs a better
approach from MS.

Skerdi

We experienced problems with GPO's failing when ICMP was blocked at the
FW. When ICMP traffic was allowed the GPO's worked fine. Annoying
problem that took a while to track down as only some settings in the GPO's
failed.

Linda Zath

-----Original Message-----
From: Ian Miller [mailto:miller (at) ucalgary (dot) ca [email concealed]]
Sent: Wednesday, September 08, 2004 8:32 AM
Cc: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Re: XP-SP2 "Feature"

What about Group Policy? Does anyone know if XP/2K Pro require ICMP to
be open across firewalls? The reason I ask this is we have been told
(but unable to confirm) by other sources that ICMP must be available in
order for Group Policy to work. If ICMP is not required (could you
please indicate in your response) what work-arounds are necessary in
order for Group Policy (both Computer and User) to work across
firewalls.

>
> Thanks.
>
>>
>> Jordan Wiseman wrote:
>>
>>>I understand that ICMP is used to verify connectivity to a server
>>>hosting a CIFS resource. The problem I have is with how the WF [Windows
>>>Firewall] handles this. If you enable File & Print Sharing (port 445
>>>only/at least) on the exceptions tab, where you can limit the scope, it
>>>still opens up ICMP for the world, not with a similarly limited scope.
>>>
>>>Even though ICMP is used by various clients to verify connectivity to a
>>>CIFS server, it is not NECESSARY to do so. In this very situation, if
>>>you manually configure port 445 on a specific interface (which
>>>ironically doesn't force ICMP on the same interface) without allowing
>>>ICMP you can still browse the shared resources on the XP-based server.
>>>
>>>I concede the fact that this is not a real vulnerability. However, I
>>>still do not believe that it is necessary to force this setting on a
>>>user. At the very least, it should be suggested to the user (in help
>>>for instance) that IF they are having problems connecting after enabling
>>>port 445, they should then try enabling ping. This would be in keeping
>>>with the idea of "least access".
>>>
>>>Jordan
>>>
>>>-----Original Message-----
>>>From: Thor [mailto:thor (at) hammerofgod (dot) com [email concealed]]
>>>Sent: Saturday, September 04, 2004 6:08 AM
>>>To: Jordan Wiseman; focus-ms (at) securityfocus (dot) com [email concealed]; Eric
>>>Subject: Re: XP-SP2 "Feature"
>>>
>>>
>>>I don't see where this is an issue... Different CIFS protocols use ICMP
>>>to verify connectivity to DC's. If you choose to specify a CIFS
>>>exception in WF, ICMP is enabled on the specified interface so that
>>>CIFS-based processes/protocols operate as expected. Specifically
>>>regarding the "server class" of DFS, though the service provided lives
>>>at the host, it is the client that requests, and is subsequently
>>>redirected to as required, the DFS resources. During that process, ICMP
>>>is used to verify the DC providing that config via LDAP is reachable.
>>>
>>>It's not if the workstation was going to be managed- you can do that via
>>>139/nb - it's if the workstation has CIFS bound to the interface, thus
>>>indicating that it is configured to use CIFS supported protocols. If
>>>one enables CIFS on an interface, then ICMP is enabled as well. In the
>>>event that a CIFS bound interface is facing the public, I would hope
>>>that *that* config would be the source for concern before worrying about
>>>ICMP.
>>>
>>>AFA ICF in SP1 is concerned, I don't think that is a valid comparison--
>>>there are no pre-defined "File & Print Sharing" rules available. ICF in
>>>SP1 was not designed to be deployed on domain-member LAN interfaces. It
>>>was a connection-based implementation with no remote config options, no
>>>group policy options, and no central management.
>>>
>>>Again, if the binding exists, (which should not be the case for INet
>>>facing systems anyway) that's the real problem; not ICMP.
>>>
>>>
>>>T
>>>
>>>
>>>
>>>
>>>
>>>----- Original Message -----
>>>From: "Jordan Wiseman" <Jordan_Wiseman (at) Valleymed (dot) org [email concealed]>
>>>To: "Thor" <thor (at) hammerofgod (dot) com [email concealed]>; <focus-ms (at) securityfocus (dot) com [email concealed]>; "Eric"
>>><ews (at) tellurian (dot) com [email concealed]>
>>>Sent: Friday, September 03, 2004 12:19 AM
>>>Subject: RE: XP-SP2 "Feature"
>>>
>>>
>>>It is true that DFS, as well as many other Microsoft related services,
>>>have built-in dependencies on ping. But most of these services are only
>>>installable/configurable (DFS included I think) for the server class
>>>OS's. This setting is only forced on XP-SP2 workstations who enable
>>>[except] port 445 for SMB over TCP (for now).
>>>
>>>I still don't see this as truly necessary. It seems it was done as a
>>>matter of convenience in the off chance the workstation might be managed
>>>as part of a domain. Ironically...if you allow just port 445 through on
>>>an SP1 system, it doesn't force pings to be allowed too. This means
>>>that for most existing XP environments, this issue (having to turn on
>>>ping if needed) likely had already been addressed (assuming of course
>>>they have implemented the ICF in those environments in the first place).
>>>
>>>Jordan
>>>
>>>
>>>-----Original Message-----
>>>From: Thor [mailto:thor (at) hammerofgod (dot) com [email concealed]]
>>>Sent: Thursday, September 02, 2004 5:44 PM
>>>To: Jordan Wiseman; focus-ms (at) securityfocus (dot) com [email concealed]; Eric
>>>Subject: Re: XP-SP2 "Feature"
>>>
>>>The CIFS implementation of SMB in Win2k supports many extended
>>>protocols, one of which is DFS. Part of the referral process when
>>>getting DFS configuration information includes verification of DC
>>>connectivity via ICMP. Similar startup/logon processes that use CIFS
>>>validate DC connectivity using ICMP as well.
>>>
>>>That's why the firewall config allows ICMP when FS over 445 is bound to
>>>the interface.
>>>
>>>T
>>>
>>>----- Original Message -----
>>>From: "Eric" <ews (at) tellurian (dot) com [email concealed]>
>>>To: "Jordan Wiseman" <Jordan_Wiseman (at) Valleymed (dot) org [email concealed]>;
>>><focus-ms (at) securityfocus (dot) com [email concealed]>
>>>Sent: Thursday, September 02, 2004 1:00 PM
>>>Subject: Re: XP-SP2 "Feature"
>>>
>>>
>>>
>>>
>>>>Yes, I noticed this too. I'm gathering MS did this because some of
>>>>their apps that use 445 also use ICMP. I find it very frustrating
>>>>that MS didn't give an option to disable this.
>>>>
>>>>You can, however, work around this for many circumstances. Instead of
>>>>using 445, use 139. If opening 139 only, ICMP is not force-enabled.
>>>>139 will do almost all of what 445 does - you can do all your file and
>>>>print sharing, systems management, etc. over 139, keeping 445 and ICMP
>>>>closed.
>>>
>>>
>>>
>>>
>>>
>>>
>>>DISCLAIMER:
>>>This message is confidential, intended only for the named recipient(s)
>>>and may contain information that is privileged or exempt from disclosure
>>>under applicable law. If you are not the intended recipient(s), you are
>>>notified that the dissemination, distribution or copying of this
>>>information is strictly prohibited. If you received this message in
>>>error, please notify the sender then delete this message.
>>>

--
=======================================
D. Ian Miller }8-)
Systems Analyst
Information Technologies
University of Calgary
W: 403.220.8643
M: 403.605.9856

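Editor's note, added to this thread and not from any of the posters: the two XP SP2 Windows Firewall configurations discussed above, expressed as netsh commands so the side effect and the least-access alternative can be compared on a test box. The management subnet 192.168.10.0/24 and the use of the DOMAIN profile are assumptions for the example.

```batch
:: Constructed example for the focus-ms thread; not code from any poster.
:: Assumes an XP SP2 domain member and a management subnet of
:: 192.168.10.0/24 (placeholder value).

:: (1) The configuration the thread complains about: the built-in
::     File and Printer Sharing exception. Posters report that even with
::     the port scope limited to the local subnet, inbound ICMP echo is
::     switched on as a side effect, and ICMP has no scope of its own.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=DOMAIN
netsh firewall show icmpsetting

:: (2) The least-access alternative described in the thread: drop the
::     built-in exception, open only TCP 139 (NetBIOS session) as a
::     custom port scoped to the management subnet, and explicitly
::     disable inbound echo requests (ICMP type 8).
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=DOMAIN
netsh firewall set portopening protocol=TCP port=139 name="NetBIOS Session (139)" mode=ENABLE scope=CUSTOM addresses=LocalSubnet,192.168.10.0/255.255.255.0 profile=DOMAIN
netsh firewall set icmpsetting type=8 mode=DISABLE profile=DOMAIN

:: Verify what actually ended up enabled after the change.
netsh firewall show portopening
netsh firewall show icmpsetting
netsh firewall show state

:: Per the GPO reports in the thread, confirm policy still applies
:: before deciding whether echo has to come back for slow-link detection.
gpresult /v
```

If gpresult shows policy no longer applying after step (2), the thread's observation is that ICMP, not port 445, is the dependency; re-enable only ICMP type 8 and re-test rather than reverting to the broad File and Printer Sharing exception.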

Copyright 2010, SecurityFocus