RE: XP-SP2 "Feature"   Sep 14 2004 04:50AM   Laura A. Robinson (larobins bellatlantic net)
Do you have a reference for this, or a capture file?
Thanks,
Laura
> -----Original Message-----
> From: Cerga, Skerdi (C3) [mailto:Skerdi.Cerga (at) C3.CCAC-ONT (dot) CA [email concealed]]
> Sent: Friday, September 10, 2004 9:04 AM
> To: Zath, Linda A; Ian Miller
> Cc: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: XP-SP2 "Feature"
>
>
>
> Yes Linda, you are quite right. For GPO to work, MS will use
> ICMP network testing to the client with 2 kbps packets. It
> becomes an issue if you are using a DSL or cable connection
> and the provider does not support large packets on its
> infrastructure. Mind you, quite often the packets supported
> are far smaller, sometimes down to 1390. To me this needs a
> better approach from MS.
>
> Skerdi
>
>
> We experienced problems with GPOs failing when ICMP was
> blocked at the FW. When ICMP traffic was allowed the GPOs
> worked fine. An annoying problem that took a while to track
> down, as only some settings in the GPOs failed.
>
> Linda Zath
>
> -----Original Message-----
> From: Ian Miller [mailto:miller (at) ucalgary (dot) ca [email concealed]]
> Sent: Wednesday, September 08, 2004 8:32 AM
> Cc: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Re: XP-SP2 "Feature"
>
> What about Group Policy? Does anyone know if XP/2K Pro
> requires ICMP to be open across firewalls? The reason I ask
> this is that we have been told (but have been unable to
> confirm) by other sources that ICMP must be available in order
> for Group Policy to work. If ICMP is not required (could you
> please indicate this in your response), what work-arounds are
> necessary in order for Group Policy (both Computer and User)
> to work across firewalls?
>
> >
> > Thanks.
> >
> >>
> >> Jordan Wiseman wrote:
> >>
> >>>I understand that ICMP is used to verify connectivity to a server
> >>>hosting a CIFS resource. The problem I have is with how the WF
> >>>[Windows Firewall] handles this. If you enable File & Print
> >>>Sharing (port 445 only/at least) on the exceptions tab, where you
> >>>can limit the scope, it still opens up ICMP for the world, not
> >>>with a similarly limited scope.
> >>>
> >>>Even though ICMP is used by various clients to verify connectivity
> >>>to a CIFS server, it is not NECESSARY to do so. In this very
> >>>situation, if you manually configure port 445 on a specific
> >>>interface (which ironically doesn't force ICMP on the same
> >>>interface) without allowing ICMP, you can still browse the shared
> >>>resources on the XP-based server.
> >>>
> >>>I concede the fact that this is not a real vulnerability. However,
> >>>I still do not believe that it is necessary to force this setting
> >>>on a user. At the very least, it should be suggested to the user
> >>>(in help, for instance) that IF they are having problems
> >>>connecting after enabling port 445, they should then try enabling
> >>>ping. This would be in keeping with the idea of "least access".
> >>>
> >>>Jordan
> >>>
> >>>-----Original Message-----
> >>>From: Thor [mailto:thor (at) hammerofgod (dot) com [email concealed]]
> >>>Sent: Saturday, September 04, 2004 6:08 AM
> >>>To: Jordan Wiseman; focus-ms (at) securityfocus (dot) com [email concealed]; Eric
> >>>Subject: Re: XP-SP2 "Feature"
> >>>
> >>>
> >>>I don't see where this is an issue... Different CIFS protocols use
> >>>ICMP to verify connectivity to DCs. If you choose to specify a CIFS
> >>>exception in WF, ICMP is enabled on the specified interface so that
> >>>CIFS-based processes/protocols operate as expected. Specifically
> >>>regarding the "server class" of DFS, though the service provided
> >>>lives at the host, it is the client that requests, and is
> >>>subsequently redirected to as required, the DFS resources. During
> >>>that process, ICMP is used to verify the DC providing that config
> >>>via LDAP is reachable.
> >>>
> >>>It's not if the workstation was going to be managed - you can do
> >>>that via 139/nb - it's if the workstation has CIFS bound to the
> >>>interface, thus indicating that it is configured to use
> >>>CIFS-supported protocols. If one enables CIFS on an interface, then
> >>>ICMP is enabled as well. In the event that a CIFS-bound interface
> >>>is facing the public, I would hope that *that* config would be the
> >>>source for concern before worrying about ICMP.
> >>>
> >>>As far as ICF in SP1 is concerned, I don't think that is a valid
> >>>comparison -- there are no pre-defined "File & Print Sharing" rules
> >>>available. ICF in SP1 was not designed to be deployed on
> >>>domain-member LAN interfaces. It was a connection-based
> >>>implementation with no remote config options, no group policy
> >>>options, and no central management.
> >>>
> >>>Again, if the binding exists (which should not be the case for
> >>>INet-facing systems anyway), that's the real problem; not ICMP.
> >>>
> >>>T
> >>>
> >>>----- Original Message -----
> >>>From: "Jordan Wiseman" <Jordan_Wiseman (at) Valleymed (dot) org [email concealed]>
> >>>To: "Thor" <thor (at) hammerofgod (dot) com [email concealed]>; <focus-ms (at) securityfocus (dot) com [email concealed]>; "Eric" <ews (at) tellurian (dot) com [email concealed]>
> >>>Sent: Friday, September 03, 2004 12:19 AM
> >>>Subject: RE: XP-SP2 "Feature"
> >>>
> >>>It is true that DFS, as well as many other Microsoft-related
> >>>services, have built-in dependencies on ping. But most of these
> >>>services are only installable/configurable (DFS included, I think)
> >>>for the server-class OSes. This setting is only forced on XP-SP2
> >>>workstations that enable [except] port 445 for SMB over TCP (for
> >>>now).
> >>>
> >>>I still don't see this as truly necessary. It seems it was done as
> >>>a matter of convenience in the off chance the workstation might be
> >>>managed as part of a domain. Ironically... if you allow just port
> >>>445 through on an SP1 system, it doesn't force pings to be allowed
> >>>too. This means that for most existing XP environments, this issue
> >>>(having to turn on ping if needed) likely had already been
> >>>addressed (assuming of course they have implemented the ICF in
> >>>those environments in the first place).
> >>>
> >>>Jordan
> >>>
> >>>-----Original Message-----
> >>>From: Thor [mailto:thor (at) hammerofgod (dot) com [email concealed]]
> >>>Sent: Thursday, September 02, 2004 5:44 PM
> >>>To: Jordan Wiseman; focus-ms (at) securityfocus (dot) com [email concealed]; Eric
> >>>Subject: Re: XP-SP2 "Feature"
> >>>
> >>>The CIFS implementation of SMB in Win2k supports many extended
> >>>protocols, one of which is DFS. Part of the referral process when
> >>>getting DFS configuration information includes verification of DC
> >>>connectivity via ICMP. Similar startup/logon processes that use
> >>>CIFS validate DC connectivity using ICMP as well.
> >>>
> >>>That's why the firewall config allows ICMP when FS over 445 is
> >>>bound to the interface.
> >>>
> >>>T
> >>>
> >>>----- Original Message -----
> >>>From: "Eric" <ews (at) tellurian (dot) com [email concealed]>
> >>>To: "Jordan Wiseman" <Jordan_Wiseman (at) Valleymed (dot) org [email concealed]>; <focus-ms (at) securityfocus (dot) com [email concealed]>
> >>>Sent: Thursday, September 02, 2004 1:00 PM
> >>>Subject: Re: XP-SP2 "Feature"
> >>>
> >>>>Yes, I noticed this too. I'm gathering MS did this because some
> >>>>of their apps that use 445 also use ICMP. I find it very
> >>>>frustrating that MS didn't give an option to disable this.
> >>>>
> >>>>You can, however, work around this in many circumstances. Instead
> >>>>of using 445, use 139. If opening 139 only, ICMP is not
> >>>>force-enabled. 139 will do almost all of what 445 does - you can
> >>>>do all your file and print sharing, systems management, etc. over
> >>>>139, keeping 445 and ICMP closed.
> >>>
> >>>
> >>
> >>--
> >>=======================================
> >>D. Ian Miller }8-)
> >>Systems Analyst
> >>Information Technologies
> >>University of Calgary
> >>W: 403.220.8643
> >>M: 403.605.9856
> >>
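
The GPO behaviour Linda and Skerdi describe is Group Policy slow-link detection: on Windows 2000/XP the client measures the path to the domain controller with ICMP echo requests (a 0-byte probe and a 2 KB probe), and when it gets no answer it assumes a slow link and skips the extensions that are off on slow links, which is why only some settings fail. What follows is an added example, not code from the thread or from Microsoft: a Python model that builds the echo request, fragments it for a 1500- or 1390-byte path, passes it through three constructed filter policies, and then applies the detection algorithm. The 10 ms short-cut, the 500 kbit/s threshold and the two skipped extensions are recalled from Microsoft's documentation of the 2000/XP algorithm rather than taken from the thread; the RTT model, the policy names and the sample numbers are constructed.

```python
import struct

IP_HDR = 20            # IPv4 header without options
ICMP_HDR = 8
PROBE_BYTES = 2048     # the "2 KB" echo payload of 2000/XP slow-link detection
SLOW_LINK_KBPS = 500   # default GroupPolicyMinTransferRate threshold
# Client-side extensions that 2000/XP skip on a slow link by default
# (assumption, recalled from the documented defaults; registry and
# security policy always apply, which is why only "some settings" fail).
SKIPPED_ON_SLOW_LINK = ("Software Installation", "Folder Redirection")


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used in the ICMP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_echo(payload_len: int, ident: int = 1, seq: int = 1) -> bytes:
    """ICMP echo request (type 8, code 0) carrying a zero-filled payload."""
    payload = bytes(payload_len)
    head = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = checksum(head + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def fragment(message: bytes, mtu: int):
    """IPv4 fragmentation of one datagram payload for a path of `mtu` bytes.
    Yields (byte_offset, more_fragments, chunk); every non-final chunk is a
    multiple of 8 bytes as RFC 791 requires.  The probe is modelled without
    DF, so a 2048-byte echo is split on both a 1500- and a 1390-byte path."""
    max_data = (mtu - IP_HDR) // 8 * 8
    off = 0
    while off < len(message):
        chunk = message[off:off + max_data]
        nxt = off + len(chunk)
        yield off, nxt < len(message), chunk
        off = nxt


# Constructed filter policies.  Only the first fragment carries the ICMP
# header, so a stateless "permit icmp type 8" rule cannot match the rest;
# unless fragments are explicitly permitted (or the filter reassembles),
# the DC never sees a complete request and never answers.
POLICIES = {
    "block_icmp": lambda off, more, chunk: False,
    "permit_echo_first_fragment_only": lambda off, more, chunk: off == 0,
    "permit_echo_and_fragments": lambda off, more, chunk: True,
}


def echo_answered(policy: str, payload_len: int, mtu: int) -> bool:
    """True when every fragment of the request passes, i.e. the DC can
    reassemble it and send the reply the client is waiting for."""
    allow = POLICIES[policy]
    return all(allow(o, m, c) for o, m, c in fragment(icmp_echo(payload_len), mtu))


def rtt_ms(payload_len: int, base_ms: float, link_kbps: float) -> float:
    """Constructed RTT model: fixed latency plus serialisation of the request
    over the bottleneck link (bits divided by kbit/s gives milliseconds)."""
    return base_ms + (IP_HDR + ICMP_HDR + payload_len) * 8 / link_kbps


def slow_link_detect(policy: str, mtu: int, base_ms: float, link_kbps: float) -> dict:
    """Model of the Windows 2000/XP algorithm (Microsoft's description,
    restated from memory, not from the thread): time a 0-byte echo to the
    DC, then a 2048-byte one, three times; bandwidth = 16 kbit / mean delta;
    a 0-byte RTT under 10 ms short-cuts to 'fast'.  If a probe goes
    unanswered the client cannot measure and assumes a slow link."""
    if not echo_answered(policy, 0, mtu):
        return {"slow_link": True, "kbps": None, "reason": "0-byte echo unanswered"}
    t0 = rtt_ms(0, base_ms, link_kbps)
    if t0 < 10:
        return {"slow_link": False, "kbps": None, "reason": "0-byte RTT under 10 ms"}
    if not echo_answered(policy, PROBE_BYTES, mtu):
        return {"slow_link": True, "kbps": None, "reason": "2048-byte echo unanswered"}
    deltas = [rtt_ms(PROBE_BYTES, base_ms, link_kbps) - t0 for _ in range(3)]
    kbps = PROBE_BYTES * 8 / (sum(deltas) / 3)
    return {"slow_link": kbps < SLOW_LINK_KBPS, "kbps": round(kbps), "reason": "measured"}


def skipped_extensions(result: dict) -> tuple:
    """Client-side extensions that do not run for a given detection result."""
    return SKIPPED_ON_SLOW_LINK if result["slow_link"] else ()


if __name__ == "__main__":
    for policy in POLICIES:
        for mtu in (1500, 1390):
            r = slow_link_detect(policy, mtu, base_ms=30.0, link_kbps=1000.0)
            print(policy, mtu, r, skipped_extensions(r))
```

Two things fall out of the model. Blocking echo outright makes every policy refresh look like a slow link, so Software Installation and Folder Redirection silently stop applying while registry and security settings still do. Less obviously, a stateless rule that permits only ICMP type 8 still breaks the 2 KB probe, because at 1390 bytes (and even at 1500) it arrives as two fragments and only the first carries the ICMP header. If that is the failure, a capture of the kind asked for above would show the first fragment of the large echo leaving, the second never reaching the DC, and no echo reply at all.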