Bugtraq mailing list archives
Re: BUG: Win NT TCP/IP Security filters does not get enforced
From: bstackpole () ORMINC COM (Bill Stackpole)
Date: Tue, 12 Oct 1999 09:39:59 -0700
The number one reason security mechanisms fail is directly related to configuration errors. This is a great example. The GUI is confusing, the help file minimal and the documentation . . . unclear, non-existent, ???

To make matters worse, it appears:

- The software enforces the LEAST restrictive rather than the MOST restrictive rule.
- Refuses to enforce the rule for certain protocols.
- Ignores the rules and transmits certain core Microsoft protocols unless you unbind them from the card.

I couldn't understand why the servers at the company we share our Internet connection with kept sending packets to my NT server until I realized that despite the "security" filters the NT box was still sending out NETBIOS "management" packets.
-----Original Message-----
From: Stefan Norberg [SMTP:stnor () SWEDEN HP COM]
Sent: Sunday, October 10, 1999 6:22 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: BUG: Win NT TCP/IP Security filters does not get enforced

Todd Sabin writes:

> Apparently, the way it works is that for UDP and TCP, you completely disable them by changing their setting to "Permit Only", and don't permit any ports, rather than with the IP protocols box. Since you left UDP at permit all ports, your netcat test got through. The IP Protocols box is protocols other than UDP and TCP. Except for ICMP. You can't disable that at all, as you noticed. Not being able to disable ICMP was discussed on NTBugtraq a little while ago.

It seems that you are right. I used PPTP (GRE) to test it and the RAS server did send an ICMP message back:

14:49:19.769569 gre-proto-0x880B (gre encap)
14:49:19.769647 RASSERVER > CLIENT: icmp: RASSERVER protocol 47 unreachable

However, I still consider it a bug. The GUI is misleading. If I configure the TCP/IP security using the GUI to "Permit *only* IP protocols: 6 (TCP)", then EVERYTHING including ICMP and UDP (regardless of other settings) should be denied and NT should send an ICMP unreachable.

/stefan
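As an added illustration (not code from this thread, and not Microsoft's implementation), the following Python models the inbound filter semantics Todd Sabin describes: TCP and UDP are governed only by their own "Permit Only" port lists, the "IP Protocols" box governs every other protocol, and ICMP is never filtered. It then audits the configuration Stefan used against what he intended. Protocol numbers are IANA values; the sample packets are constructed; Bill's observation about outbound NetBIOS traffic continuing until the protocol is unbound is outside this inbound-only model.

```python
"""Model of NT 4 'TCP/IP Security' filter behaviour as described in the thread.

Added example. It encodes the thread's description (TCP/UDP decided by their own
port lists, other protocols by the IP Protocols box, ICMP always passes) so an
administrator can check whether a GUI configuration matches their intent.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# IANA protocol numbers used below
ICMP, TCP, UDP, GRE = 1, 6, 17, 47


@dataclass
class NtFilterConfig:
    """One 'TCP/IP Security' panel.

    None models the 'Permit All' radio button; a set models 'Permit Only' with
    exactly the listed entries (an empty set is 'Permit Only' with nothing listed,
    which per Todd Sabin is the only way to disable TCP or UDP entirely).
    """
    tcp_ports: Optional[Set[int]] = None
    udp_ports: Optional[Set[int]] = None
    ip_protocols: Optional[Set[int]] = None


def filter_decision(cfg: NtFilterConfig, proto: int,
                    dst_port: Optional[int] = None) -> str:
    """Return 'pass' or 'drop' for one inbound packet, per the thread's description."""
    if proto == ICMP:
        return "pass"  # cannot be disabled through this GUI at all
    if proto == TCP:
        return "pass" if cfg.tcp_ports is None or dst_port in cfg.tcp_ports else "drop"
    if proto == UDP:
        return "pass" if cfg.udp_ports is None or dst_port in cfg.udp_ports else "drop"
    # Everything else (GRE, ESP, IGMP, ...) is decided by the IP Protocols box only.
    return "pass" if cfg.ip_protocols is None or proto in cfg.ip_protocols else "drop"


# Constructed sample traffic: (label, protocol number, destination port or None)
SAMPLE_PACKETS: List[Tuple[str, int, Optional[int]]] = [
    ("netcat UDP probe to 53", UDP, 53),
    ("TCP connect to 80", TCP, 80),
    ("TCP connect to 139 (NetBIOS)", TCP, 139),
    ("PPTP data (GRE)", GRE, None),
    ("ICMP echo", ICMP, None),
]


def evaluate(cfg: NtFilterConfig,
             packets: List[Tuple[str, int, Optional[int]]] = SAMPLE_PACKETS) -> Dict[str, str]:
    """Verdict for every sample packet under the given configuration."""
    return {label: filter_decision(cfg, proto, port) for label, proto, port in packets}


def audit_tcp_only_intent(cfg: NtFilterConfig) -> List[str]:
    """Sample packets that still pass although the administrator meant 'TCP only'."""
    return [label for label, proto, port in SAMPLE_PACKETS
            if proto != TCP and filter_decision(cfg, proto, port) == "pass"]


# What Stefan configured: "Permit only IP protocols: 6 (TCP)", TCP and UDP left at Permit All.
MISLEADING_CFG = NtFilterConfig(ip_protocols={TCP})

# What Todd's description says actually expresses "TCP port 80 only":
# Permit Only with an empty list for UDP and for the IP Protocols box.
INTENDED_CFG = NtFilterConfig(tcp_ports={80}, udp_ports=set(), ip_protocols=set())

if __name__ == "__main__":
    for name, cfg in (("misleading", MISLEADING_CFG), ("intended", INTENDED_CFG)):
        print(name)
        for label, verdict in evaluate(cfg).items():
            print(f"  {verdict:4}  {label}")
        print("  still open despite 'TCP only' intent:", audit_tcp_only_intent(cfg))
```

Running it shows the two surprises from the thread side by side: under the misleading configuration the UDP probe and ICMP both pass while GRE is dropped with the ICMP unreachable Stefan captured, and even the corrected configuration cannot close ICMP.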