ICMP timestamp request is allowed from arbitrary hosts

Guest

Our IA staff is running network scans and this (ICMP timestamp request is
allowed from arbitrary hosts) is one of the things we are taking a hit on.
Now we know we're blocking ICMP at the numerous firewalls. The problem I
believe is just internally due to a setting in the XP registry. We disable
the Windows XP firewall as we don't have a need for it. However I'm guessing
there is either a key that needs to be modified or created to rectify this so
it stops showing up on scans. Most of the articles I read on this talk about
blocking at your external firewalls which is what we are doing. This
particular hit we are taking seems to be related possibly to Windows and/or
the Windows XP firewall being disabled. We definitely do not want to enable
the Windows XP firewall. I'm figuring there has to be a key within the
registry to rectify this problem within the XP Operating System.
 
MowGreen [MVP]

Ric,

See if this sheds any light on the issue:

Prevent hacker probing: Block bad ICMP messages
http://articles.techrepublic.com.com/5100-1035_11-5087087.html

My wireless home network blocks ICMP at the router's hardware firewall.
There is no domain nor is anything administered remotely on the network.
Your mileage *will* vary.


MowGreen [MVP 2003-2007]
===============
*-343-* FDNY
Never Forgotten
===============
 
Guest

Not sure if you understand what I am asking. In reality we are blocking ICMP
at numerous hardware firewalls which is fine. Point is Windows XP has the
built in software firewall and because we are a government entity we are
constantly under security standards and scans that we must meet and pass. One of the
vulnerabilities that is coming up on their scans is that ICMP timestamp
request is allowed from arbitrary hosts. Since we are blocking ICMP at the
hardware level we are operationally good because of this we disable winxp's
firewall. We are told that this is what is causing this hit to come up. And
even though it is not an external vulnerability they are looking at it as an
internal vulnerability. Now does that give a clearer picture? We are
basically figuring there has to be a way to change, or create a registry
entry that will help mitigate the situation.

 
Rob Burnett

There is no registry entry that specifically blocks individual ICMP types on
XP. In order to specifically block only timestamp requests, you will need to
enable the Windows Firewall on the XP machines and configure the rules to do
so.
 
Steve Riley [MSFT]

Ric, there are two ways to interpret what you said ("ICMP timestamp request is allowed from arbitrary hosts"):

a. the auditors are complaining that your computers are allowed to send outgoing ICMP timestamp requests
b. the auditors are complaining that your computers will respond to incoming ICMP timestamp requests from any host

If it's the former, then even if you enabled the Windows firewall, it won't stop the computers from generating the traffic -- timestamp request isn't one of the four outbound ICMP types that the firewall can be configured to stop.

If it's the latter, then the firewall could block that -- but you said you don't want to use it.

I'm pretty sure that your auditors are simply following a checklist which contains the item "prohibit ICMP timestamps" (or similar wording). ICMP has historically been used for various kinds of system fingerprinting; for instance, Windows 9x and NT4 didn't reply to timestamp requests, while Windows 2000 and later do.

Blocking ICMP at a network's border is generally a good idea, because it just isn't necessary to have all those information messages floating around the Internet. But on the inside? I really don't see the risk. I mean, people are already going to know what you're running, or they can easily find out by, say, walking down the hallway and looking in the offices. Honestly, there's nothing to worry about here -- other than trying to explain to the auditors why their checklist is no good.

And I gotta ask...why don't you want to use the Windows firewall? Just because you've got firewalls at the edges, you're still unprotected from internal attacks. If someone gets malware in a password-protected ZIP attachment to an email, and they open the ZIP (because the email says "the password is 1234") and run the malware, it could spread internally. Really, these days, each individual computer on a network is its own "perimeter" and must take responsibility for its own security. Go ahead, switch the firewall on.

______________________________________________________
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
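
The two readings of the finding in the post above can be told apart from a packet capture taken during the scan. The following is an added example, not part of the original thread: it parses ICMP timestamp messages (type 13 request, type 14 reply, RFC 792) and reports, per audited host, whether it sent requests (reading a) or answered requests from other hosts (reading b). The addresses, the capture records and all function names are constructed for illustration.

```python
import struct

TS_REQUEST, TS_REPLY = 13, 14  # ICMP types from RFC 792


def icmp_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ts(icmp_type, ident, seq, originate, receive=0, transmit=0):
    """Build a 20-byte timestamp message; used only to make sample data."""
    msg = struct.pack("!BBHHHIII", icmp_type, 0, 0, ident, seq,
                      originate, receive, transmit)
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def parse_ts(msg: bytes):
    """Return (type, ident, seq) for a valid timestamp message, else None."""
    if len(msg) != 20 or icmp_checksum(msg) != 0:
        return None  # wrong length or corrupted checksum
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_type not in (TS_REQUEST, TS_REPLY) or code != 0:
        return None
    return icmp_type, ident, seq


def classify(records, audited):
    """Map each audited host to what the capture proves about it."""
    result = {h: {"sends_requests": False, "answers": set()} for h in audited}
    pending = set()  # (requester, target, ident, seq) awaiting a reply
    for src, dst, msg in records:
        parsed = parse_ts(msg)
        if parsed is None:
            continue
        icmp_type, ident, seq = parsed
        if icmp_type == TS_REQUEST:
            pending.add((src, dst, ident, seq))
            if src in result:
                result[src]["sends_requests"] = True   # reading (a)
        elif (dst, src, ident, seq) in pending and src in result:
            result[src]["answers"].add(dst)            # reading (b)
    return result


# Constructed capture: (source IP, destination IP, ICMP message bytes).
SCANNER, GW = "10.0.0.50", "10.0.0.1"
WS1, WS2, WS3 = "10.0.1.10", "10.0.1.11", "10.0.1.12"
SAMPLE = [
    (SCANNER, WS1, build_ts(TS_REQUEST, 0x1234, 1, 36000000)),
    (WS1, SCANNER, build_ts(TS_REPLY, 0x1234, 1, 36000000, 36000123, 36000123)),
    (SCANNER, WS2, build_ts(TS_REQUEST, 0x1234, 2, 36000500)),  # no reply seen
    (WS3, GW, build_ts(TS_REQUEST, 0x0042, 1, 36001000)),       # outbound only
    (WS2, SCANNER, build_ts(TS_REPLY, 0x9999, 7, 1, 2, 3)),     # unsolicited
]

if __name__ == "__main__":
    for host, facts in sorted(classify(SAMPLE, {WS1, WS2, WS3}).items()):
        print(host, facts)
```

A reply is counted only when it matches an earlier request by address pair, identifier and sequence number, so an unsolicited type 14 message does not mark a host as answering.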


 
Guest

Rob and Steve thanks for the good gouge.

Steve we are actually running numerous firewalls both internal and
external that's why. And actually after researching this for two days our IA
folks came and said "Oh sorry we got a new scan engine update for our network
scanner and you guys aren't taking that hit anymore." I shake my head
sometimes. But yeah it was supposedly the second one Steve.

Thanks again guys

Ric


 
Steve Riley [MSFT]

Um, let's see. They got a new scanning tool, and suddenly the problem goes away? Astonishing.

I'm thinking that it's time for me to develop a TechEd presentation for auditors -- far too often they're tasked with judging the state of systems using procedures they know nothing about and lack the scientific knowledge to comprehend.

______________________________________________________
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


 
