Disabling ICMP echo requests from Windows Firewall

[Guest]

Is it possible to configure Windows Firewall, thus disabling it to have ICMP
echo requests (Ping) following the online scan by ShieldsUP (Gibson Research
Corporation)? Unfortunately, my existing 1-port ADSL ethernet modem has no
option to disable Ping. Is it required to edit any Inbound Rules and/or
Outbound Rules on "Windows Firewall with Advanced Security"? I look forward
to having any expert advice on how to proceed with.

 

[Mike Brannigan]

See
http://www.petri.co.il/block_ping_traffic_with_ipsec.htm

 

[Mr. Arnold]

Is it possible to configure Windows Firewall, thus disabling it to have
ICMP
echo requests (Ping) following the online scan by ShieldsUP (Gibson
Research
Corporation)? Unfortunately, my existing 1-port ADSL ethernet modem has
no
option to disable Ping. Is it required to edit any Inbound Rules and/or
Outbound Rules on "Windows Firewall with Advanced Security"? I look
forward
to having any expert advice on how to proceed with.

<coppied right from Vista O/S *Help*>
What happened to the ICMP and logging settings in Windows Firewall?
You must be logged on as an administrator to perform these steps.

To find ICMP and logging settings, open Windows Firewall with Advanced
Security.

1.. Click to open Administrative Tools.‌ If you are prompted for an
administrator password or confirmation, type the password or provide
confirmation.

2.. Double-click Windows Firewall with Advanced Security.

To change logging settings:

1.. Under Public Profile, click Windows Firewall Properties.

2.. Click the tab for the profile that you want to change.

3.. Under Logging, click Customize.

4.. In the dialog box that appears, change the settings you want to
change, and then click OK.

You can specify ICMP settings by creating inbound or outbound rules using
the ICMPv4 or ICMPv6 protocol.

<end copy>

 

[Guest]

Dear Mike

Thank you for giving me the following link, which is applicable to Windows
2000/XP/2003 computers as indicated. I am not sure if same configuration can
be applied to Windows Vista Home Basic, where IPv4 and IPv6 are being used.
Please advise further, if possible, because Windows Vista Home Basic is quite
new to me.

Regards.

 

[Guest]

Dear Mr Arnold

Thank you for your guidance.

It seems to me that my home PC is using IPv4 mainly for Internet. Can you
please show me how to edit a filter rule, whether Inbound or Outbound, to
block ICMP echo requests (PING) as desirable?

Is it required to configure my home home PC because I have installed a
third-party software firewall to replace the built-in Windows Firewall?

Please let me have your further advice.

Regards.

 

[Mr. Arnold]

Dear Mr Arnold

Thank you for your guidance.

It seems to me that my home PC is using IPv4 mainly for Internet. Can you
please show me how to edit a filter rule, whether Inbound or Outbound, to
block ICMP echo requests (PING) as desirable?

Is it required to configure my home home PC because I have installed a
third-party software firewall to replace the built-in Windows Firewall?

Please let me have your further advice.

Just follow the link that was given to you about IPsec. The information in
those screens will show you how to filter the ping traffic in any FW, if the
FW has the ability to set the rules.

 

[Mr. Arnold]

Dear Mike

Thank you for giving me the following link, which is applicable to Windows
2000/XP/2003 computers as indicated. I am not sure if same configuration
can
be applied to Windows Vista Home Basic, where IPv4 and IPv6 are being
used.
Please advise further, if possible, because Windows Vista Home Basic is
quite
new to me.

Vista is just another NT based O/S like Win 2k, XP and 2k3. IPsec is part of
the Vista O/S(s) at least on Vista Home Premium and Ultimate that I have
used. And the rules for IPsec can be applied to all four NT based platforms,
even though you don't see Vista being mentioned.

I use IPsec to supplement Vista's FW, XP's FW and any 3rd party FW solution
I have used on the NT based O/S, for a machine that will have a direct
connection to the modem and therefore a direct connection to the Internet.

I implement/enable the client side AnalogX IPsec policy rules and disable
the server side rules, as I don't have anything on the server side being
exposed to the Internet.

http://www.analogx.com/CONTENTS/articles/ipsec.htm
http://support.microsoft.com/kb/813878

 

[Charlie42]

disabling it to have ICMP echo requests (Ping) following the
online scan by ShieldsUP (Gibson Research Corporation)?
Unfortunately, my existing 1-port ADSL ethernet modem has
no option to disable Ping.

Do keep in mind that your modem may influence the ShieldsUp! ping test.
Blocking ICMP echo requests in Windows Firewall won't necessarily keep your
modem quiet.

Also keep in mind that generally, a 'block all incoming pings' option should
be selected with care. It might cause trouble for your DSL connection.

Charlie42

 

[Guest]

Hi, Charlie

Thank you for your good advice.

Regards.

 

[Guest]

Dear Mr Arnold

Thank you for your guidance.

Regards.

 

[Guest]

Hi Mr Arnold

Shall I use the same configuration on my Windows Vista Home Basic as yours?

Cheers.

 

[Mr. Arnold]

Hi Mr Arnold

Shall I use the same configuration on my Windows Vista Home Basic as
yours?

Yes, all you have to do is implement the AnalogX IPsec policies, which I
have used the same ones for my Win 2K, XP and now Vista machines, in a
supplement role to the firewall application.

I did have to make the adjustment for the client side SMTP service as my
ISP's SMTP didn't work on port 25 the standard, because it was on another
port.

You can learn from the AnalogX IPsec rules, which you can apply those types
of rule making to other firewalls in the concepts of making rules.

 

[Guest]

Dear Mr Arnold

Thank you for your confirmation.

Are you using a third party firewall? I have a query - whether Network
Discovery and File Sharing are turned on, after Windows Firewall has been
replaced by a third party firewall. I wish that they were turned off because
of security.

Do you have such experience? Any remedy available?

Regards.

 

[Mr. Arnold]

Dear Mr Arnold

Thank you for your confirmation.

Are you using a third party firewall? I have a query - whether Network
Discovery and File Sharing are turned on, after Windows Firewall has been
replaced by a third party firewall. I wish that they were turned off
because
of security.

I use the Vista FW. Well, if you don't want the machine to be in a
networking situation, then you remove Client for MS Network and File and
Print Sharing for MS Network off of the NIC - Network Interface Card or the
dial-up connection, and the machine can never be in a networking situation.

However a 3rd party FW solution should by default have the Windows
Networking Ports closed. There is an automatic setting in 3rd party
solutions to open or close the WNP(s) on the FW. You should call the FW
vendor about how to do it.

What are the WNP(s), which are the same on Vista as they are for Win 2k and
XP.

http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm


You'll also notice that the link about AnalogX IPsec policy rules is talking
about those WNP(s), with a rule for those ports that can be enabled or
disabled to allow or disallow the machine to network.

http://www.analogx.com/CONTENTS/articles/ipsec.htm

Look, if you're concerned about the protection of the machine from the
Internet, then put the machine behind a NAT router, which will give the
machine protection from the Internet with unsolicited scans and attacks. All
ports on the router are closed by default, and those WNP(s) on the router
will be closed by default so the machine cannot network on the Internet.

http://www.homenethelp.com/web/explain/about-NAT.asp

 

[Guest]

Mr Arnold

Thank you for your details. You're very resourceful and helpful.

Actually, I have "unchecked" Client for MS Network and File Sharing for MS
Network on my Intel PRO connection. Do I have to remove them from the list?
However, Network Discovery and File Sharing are still shown on the Network
and Sharing Center. Puzzled?

I wonder if AnalogX Public Server IPSec Configuration v1.00 is
Vista-compatible. As you have it installed into your Vista computer, I guess
it is feasible. Am I right?

My modem/router has NAT but it is a basic version and cannot be configured
to disable ICMP echo requests (PING) as confirmed by the manufacturer.
Please advise on how to put my machine behind a NAT router. Is there any
configuration required?

My apologies for troubling you further.

Regards.

 

[Mr. Arnold]

Mr Arnold

Thank you for your details. You're very resourceful and helpful.

Actually, I have "unchecked" Client for MS Network and File Sharing for MS
Network on my Intel PRO connection. Do I have to remove them from the
list?
However, Network Discovery and File Sharing are still shown on the Network
and Sharing Center. Puzzled?

Why do you even care? The computer is behind your router. A machine cannot
network with your machine over the Internet the WAN (Wide Area Network),
because the router is sitting there and those Windows Network Ports on the
router are closed to the outside world. Your machine can only network with
another one of your machines behind the router on the LAN (Local Area
Network). The machine is protected from the Internet due to the router
sitting there in front of the machine.

I wonder if AnalogX Public Server IPSec Configuration v1.00 is
Vista-compatible. As you have it installed into your Vista computer, I
guess
it is feasible. Am I right?

My modem/router has NAT but it is a basic version and cannot be configured
to disable ICMP echo requests (PING) as confirmed by the manufacturer.
Please advise on how to put my machine behind a NAT router. Is there any
configuration required?

Your modem/router is a NAT router. A ping is being dealt with by the router,
from what I understand. It's the router that's responding to it. If a SMURF
or Ping attack is being ran against you, it's directed at the router.

If you have a machine that has been compromised behind the router and it
started doing ping attacks on IP(s)/machine on the LAN, this is where you
should be concerned about the machine and its operating system responding
to pings. And if a compromise of this type has happened behind the router,
then you got other problems other than worrying about some ping attack.

I didn't know that your machine was behind a NAT modem/router. That Gibson
junk only applies to when the machine has a direct connection to a
standalone modem, which is a situation of a router NOT being between the
modem and the computer.

If a router is NOT between the modem and the computer, then the computer has
a direct connection to the Internet, and THAT is the condition where you
should be concerned about all the things that have been talked about between
you and I with these posts.

Your machine is behind a router, and in the grand reality of things, you are
very, very, very, very, very, very small potatoes. You can implement what we
have talked about to your own satisfaction behind the router.

Yes, IPsec with the AnalogX version we have been talking about in the links
I am using on this laptop running Vista, a FW 3rd party personal FW or not,
protecting the WNP(s), un-checking networking services off of the NIC or
dialup connection etc, etc only applies when the laptop has a direct
connection to the Internet. The laptop at this time is connected directly to
the Internet on dialup, so the solutions are implemented to the fullest.

When the laptop is connected to my FW appliance or at one point when I was
using a NAT router and the laptop is connected to the FW appliance or
router, all of the solutions we are talking about are disabled, and none of
the other computers on the LAN have these solutions enabled, because they
are not needed behind either device.

You can use the PFW for outbound protection, as most do that, but all this
other stuff you are concerned about do not apply, because that NAT
modem/router is setting there, and in the grand realilty of things, you are
small potatoes and there is no need for it behind the router.

 

[Guest]

Dear Mr Arnold

Thank you for your full details.

The existing desktop PC belongs to my daughter, who uses it both for
business and leisure. It is my duty to maintain it working properly though
my IT knowledge is very limited.

If you don't mind, here's my last question. Should I be able to block ICMP
with AnalogX Public Server IPSec Configuration, I am not sure if the
following configuration should also be applied:

1. Disable NetBIOS over TCP/IP on Local Area Connection > Internet Protocol
Version 4 (TCP/IPv4) > Properties > Advanced > WINS tab.

2. Disable TCP/IP NetBIOS Helper Service on Control Panel > Administrative
Tools > Services.

3. Set Yes for Exempt ICMP for IPSec on Windows Firewall with Advanced
Setting > Windows Firewall Properties > IPSec Settings.

I am grateful for your prompt responses to my queries. You really let me
share your experience on using the new operating system.

Regards.

 

[Mr. Arnold]

----- Original Message -----
From: "AChung" <[email protected]>
Newsgroups: microsoft.public.windows.vista.security
Sent: Friday, July 27, 2007 10:32 PM
Subject: Re: Disabling ICMP echo requests from Windows Firewall

Dear Mr Arnold

Thank you for your full details.

The existing desktop PC belongs to my daughter, who uses it both for
business and leisure. It is my duty to maintain it working properly
though
my IT knowledge is very limited.

If you don't mind, here's my last question. Should I be able to block
ICMP
with AnalogX Public Server IPSec Configuration, I am not sure if the
following configuration should also be applied:

Have you ran the AnalogX Ipsec Server v 1.00 zip and implemented the
policies on Vista?

Can you go to the Run Box on Vista and enter MMC, setup a MMC console, go
to IPsec, you can see the IPsec policy for AnalogX, you can edit the AnalogX
policy, see the ICMP Server Deny policy, enable that policy for deny and
enable the Analogx IPsec policies for the computer?

If you can do all of that, then go to the site below and run the ping test.
Now of course, the computer must be directly connected to the modem or the
computer is using a dial-up connection to a dial-up ISP for the test, and
the IP the machine is using from the ISP must be known. That's the only way
it's going to be a valid test.

The ping test for the computer cannot be ran from behind the router, because
all that's going to happen is the router is responding to the pings and not
the computer.

You can run the ping test against the router too, if you know what the
router's or external IP form the ISP the router is using, which should be on
one of the router's Admin screens.

http://www.websitepulse.com/help/testtools.ping-test.html

Keep this in mind when you're looking at client verses server side rules.
Your computer is the *client* in 99.9% of the cases.

The client mode for the computer will be when you use your browser to
contact a Web site using HTTP or you are making contact with a news group
reader to a news group server using NNTP. You never want to enable *server*
side rules, as nothing or no program, in your case, should be in a server
role on your computer.

However, one case that server side rules should be implemented is on the
ICMP
to permit or deny, because a *client* machine using the *ping* is trying to
make contact with your machine, which will be in a server role.

HTH -- good luck