Filtering ICMP requests v.IIS/Windows 2003

Discussion in 'OT Technology' started by 95vr4, Dec 3, 2008.

  1. 95vr4

    95vr4 OT Supporter

    Joined:
    Oct 6, 2004
    Messages:
    2,513
    Likes Received:
    0
    Location:
    Weddington, NC
    Trying to get our IIS/Windows 03 web server locked down to satisfy all these "Low threat" vulnerabilities in McAfee's HackerSafe scans (:hsugh:)

    Here's what I need to do .....

    Filter out the ICMP timestamp requests (ICMP type 13), the outgoing ICMP timestamp replies (ICMP type 14), the address mask request (ICMP type 17), and the address mask reply (ICMP type 18).

    Does this need to be done @ the external firewall? How would I go about filtering out the different types of ICMP requests?

    A little confused here and can't find much help on Google.
     
  2. BlazinBlazer Guy

    BlazinBlazer Guy Witness to The De-Evolution of Mankind.

    Joined:
    Jul 24, 2002
    Messages:
    18,783
    Likes Received:
    0
    Location:
    Lansing, MI USA
    Do you have a hardware FW? If so you can filter ICMP requests there. Otherwise, you'll need to do it via the Windows Firewall, assuming your server has it enabled. On an '03 box, RDP in and go Start>Settings>Control Panel>Windows Firewall. In the Firewall menu, go to the Advanced tab. There should be a list of ICMP settings there for you to restrict them down.

    Where do you host? I am a Windows admin for a large hosting company... I deal with this crap all day long :hs:
     
  3. 95vr4

    We've got a couple of dedicated machines with Rackspace (which imo are way overkill for our needs and way overpriced as well :o).

    Yes, we've got a HW firewall (Cisco PIX?). Problem is, in its web control interface, the first few rules are grayed out and unmodifiable. One of them is permit icmp to any IPs. I think they're all set up by Rackspace for server monitoring etc., since the rest are things such as permit from source "object-group rackspace-monitoring" etc. Is blocking everything on icmp the best practice? I'm sure our monitoring services use it at the very least.

    ....hate "fixing" 1 thing that's not really even a problem and creating real problems in the process :o
     
    Last edited: Dec 3, 2008
  4. 95vr4

    btw- what hosting company do you work for?
     
  5. BlazinBlazer Guy

    Honestly in that case, what I'd recommend is asking rackspace to limit the scope on ICMP to whatever IP range their monitoring servers use (I'm going to guess they're probably just running nagios boxes, for which the IP range is defined in that object-group you mentioned).

    All they should really have to do is remove any ICMP rules that allow requests from anywhere other than that one group and/or other external monitoring services you may be using. That should satisfy the McAfee scan since it's mainly looking for potential outside threats -- not things within a controlled environment that are open intentionally.

    With that said, however, you initially specified you needed to filter out ICMP types 13, 14, 17, and 18 specifically. For server monitoring purposes, there really shouldn't be much need to allow anything beyond ICMP echo requests (ICMP type 8) and ICMP echo replies (ICMP type 0). That would probably be the preferable route to go if you're working toward PCI compliance or anything of that sort, since it provides the bare minimum of data about the host to anything that is monitoring it externally.

    It all depends on what data rackspace's monitoring services check for or log; there isn't really much cause to do anything beyond ping monitor over ICMP in most cases as far as I'm concerned. You'll just have to ask them about it and see what they say.
     
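The policy the reply above describes (drop timestamp/address-mask types 13, 14, 17 and 18 outright, and permit echo request/reply only from the monitoring source range) can be checked against raw packets before changing the firewall. The following is an added example, not code from the thread or from Rackspace's firewall; the monitoring subnet and the packet builder are constructed stand-ins for the "rackspace-monitoring" object-group and real traffic.

```python
import struct
from ipaddress import ip_address, ip_network

# Assumption: this subnet stands in for the monitoring object-group's address range.
MONITORING_NETS = [ip_network("192.0.2.0/24")]

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_TIMESTAMP_REQ, ICMP_TIMESTAMP_REPLY = 13, 14
ICMP_MASK_REQ, ICMP_MASK_REPLY = 17, 18
# The four types the scan report asked to filter.
SCAN_FLAGGED_TYPES = {ICMP_TIMESTAMP_REQ, ICMP_TIMESTAMP_REPLY,
                      ICMP_MASK_REQ, ICMP_MASK_REPLY}

def parse_ipv4_icmp(pkt: bytes):
    """Return (src, icmp_type) for an IPv4/ICMP packet, or None if not ICMP."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    src = ip_address(pkt[12:16])
    if proto != 1:                      # protocol 1 == ICMP
        return None
    if len(pkt) < ihl + 8:              # ICMP header is at least 8 bytes
        raise ValueError("truncated ICMP header")
    return src, pkt[ihl]                # first ICMP byte is the type

def icmp_verdict(pkt: bytes) -> str:
    """Deny flagged types everywhere; permit echo only from monitoring nets."""
    parsed = parse_ipv4_icmp(pkt)
    if parsed is None:
        return "not-icmp"
    src, icmp_type = parsed
    if icmp_type in SCAN_FLAGGED_TYPES:
        return "deny"
    if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "permit" if any(src in n for n in MONITORING_NETS) else "deny"
    return "deny"                       # default-deny everything else

def build_icmp(src: str, icmp_type: int) -> bytes:
    """Constructed test packet: minimal IPv4 header plus an 8-byte ICMP header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                         ip_address(src).packed, ip_address("198.51.100.10").packed)
    return ip_hdr + struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0)
```

Feed it a pcap's IPv4 payloads and any "permit" from outside the monitoring range, or any packet of a flagged type, is a rule the firewall still needs to block.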
  6. 95vr4

    Yeah, I spoke with them today and that's about verbatim what they said. Turns out it was pretty easy to do on their end...I guess we only have access to the "for idiots" interface to the firewall on our end :hsugh:.

    I think the whole PCI thing is pretty retarded for the most part anyway. People have been handing over their credit cards to random waiters/waitresses/clerks etc. for decades without thinking twice about it, but heaven forbid they enter their credit card into a web server that will accept an SSL 2.0 connection, or worse yet, reply to a timestamp request :noes:.

    Of course nowadays all you have to do is drive into an apartment complex and you have access to 100 cheap and mostly wide open routers anyway...who's gonna even bother messing with web servers anymore? :o

    ...anyways, thanks for your help :wavey:.
     