| | Vista - Disabling ICMP echo requests from Windows Firewall |
| |
| 07-24-2007 | #11 |
Re: Disabling ICMP echo requests from Windows Firewall

Hi Mr Arnold

Shall I use the same configuration on my Windows Vista Home Basic as yours?

Cheers.

"Mr. Arnold" wrote:

> "AChung" <AChung@discussions.microsoft.com> wrote in message
> news:06874032-DC53-4E23-8549-24C7082214E6@microsoft.com...
> > Dear Mike
> >
> > Thank you for giving me the following link, which is applicable to Windows 2000/XP/2003 computers as indicated. I am not sure if same configuration can be applied to Windows Vista Home Basic, where IPv4 and IPv6 are being used. Please advise further, if possible, because Windows Vista Home Basic is quite new to me.
>
> Vista is just another NT based O/S like Win 2k, XP and 2k3. IPsec is part of the Vista O/S(s) at least on Vista Home Premium and Ultimate that I have used. And the rules for IPsec can be applied to all four NT based platforms, even though you don't see Vista being mentioned.
>
> I use IPsec to supplement Vista's FW, XP's FW and any 3rd party FW solution I have used on the NT based O/S, for a machine that will have a direct connection to the modem and therefore a direct connection to the Internet.
>
> I implement/enable the client side AnalogX IPsec policy rules and disable the server side rules, as I don't have anything on the server side being exposed to the Internet.
>
> http://www.analogx.com/CONTENTS/articles/ipsec.htm
> http://support.microsoft.com/kb/813878
| 07-24-2007 | #12 |
Re: Disabling ICMP echo requests from Windows Firewall

"AChung" <AChung@discussions.microsoft.com> wrote in message news:973885E1-C00F-415D-A471-DDB9F6EB364B@microsoft.com...

> Hi Mr Arnold
>
> Shall I use the same configuration on my Windows Vista Home Basic as yours?

Yes, all you have to do is implement the AnalogX IPsec policies, which I have used the same ones for my Win 2K, XP and now Vista machines, in a supplement role to the firewall application.

I did have to make the adjustment for the client side SMTP service as my ISP's SMTP didn't work on port 25 the standard, because it was on another port.

You can learn from the AnalogX IPsec rules, which you can apply those types of rule making to other firewalls in the concepts of making rules.
| 07-26-2007 | #13 |
Re: Disabling ICMP echo requests from Windows Firewall

Dear Mr Arnold

Thank you for your confirmation.

Are you using a third party firewall? I have a query - whether Network Discovery and File Sharing are turned on, after Windows Firewall has been replaced by a third party firewall. I wish that they were turned off because of security.

Do you have such experience? Any remedy available?

Regards.

"Mr. Arnold" wrote:

> "AChung" <AChung@discussions.microsoft.com> wrote in message
> news:973885E1-C00F-415D-A471-DDB9F6EB364B@microsoft.com...
> > Hi Mr Arnold
> >
> > Shall I use the same configuration on my Windows Vista Home Basic as yours?
>
> Yes, all you have to do is implement the AnalogX IPsec policies, which I have used the same ones for my Win 2K, XP and now Vista machines, in a supplement role to the firewall application.
>
> I did have to make the adjustment for the client side SMTP service as my ISP's SMTP didn't work on port 25 the standard, because it was on another port.
>
> You can learn from the AnalogX IPsec rules, which you can apply those types of rule making to other firewalls in the concepts of making rules.
| 07-26-2007 | #14 |
Re: Disabling ICMP echo requests from Windows Firewall

"AChung" <AChung@discussions.microsoft.com> wrote in message news:EABADC1D-AA1A-41E3-935B-D2E36761788B@microsoft.com...

> Dear Mr Arnold
>
> Thank you for your confirmation.
>
> Are you using a third party firewall? I have a query - whether Network Discovery and File Sharing are turned on, after Windows Firewall has been replaced by a third party firewall. I wish that they were turned off because of security.

I use the Vista FW. Well, if you don't want the machine to be in a networking situation, then you remove Client for MS Network and File and Print Sharing for MS Network off of the NIC - Network Interface Card or the dial-up connection, and the machine can never be in a networking situation.

However a 3rd party FW solution should by default have the Windows Networking Ports closed. There is an automatic setting in 3rd party solutions to open or close the WNP(s) on the FW. You should call the FW vendor about how to do it.

What are the WNP(s), which are the same on Vista as they are for Win 2k and XP.

http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm

You'll also notice that the link about AnalogX IPsec policy rules is talking about those WNP(s), with a rule for those ports that can be enabled or disabled to allow or disallow the machine to network.

http://www.analogx.com/CONTENTS/articles/ipsec.htm

Look, if you're concerned about the protection of the machine from the Internet, then put the machine behind a NAT router, which will give the machine protection from the Internet with unsolicited scans and attacks. All ports on the router are closed by default, and those WNP(s) on the router will be closed by default so the machine cannot network on the Internet.

http://www.homenethelp.com/web/explain/about-NAT.asp
| 07-27-2007 | #15 |
Re: Disabling ICMP echo requests from Windows Firewall

Mr Arnold

Thank you for your details. You're very resourceful and helpful.

Actually, I have "unchecked" Client for MS Network and File Sharing for MS Network on my Intel PRO connection. Do I have to remove them from the list? However, Network Discovery and File Sharing are still shown on the Network and Sharing Center. Puzzled?

I wonder if AnalogX Public Server IPSec Configuration v1.00 is Vista-compatible. As you have it installed into your Vista computer, I guess it is feasible. Am I right?

My modem/router has NAT but it is a basic version and cannot be configured to disable ICMP echo requests (PING) as confirmed by the manufacturer. Please advise on how to put my machine behind a NAT router. Is there any configuration required?

My apologies for troubling you further.

Regards.

"Mr. Arnold" wrote:

> "AChung" <AChung@discussions.microsoft.com> wrote in message
> news:EABADC1D-AA1A-41E3-935B-D2E36761788B@microsoft.com...
> > Dear Mr Arnold
> >
> > Thank you for your confirmation.
> >
> > Are you using a third party firewall? I have a query - whether Network Discovery and File Sharing are turned on, after Windows Firewall has been replaced by a third party firewall. I wish that they were turned off because of security.
>
> I use the Vista FW. Well, if you don't want the machine to be in a networking situation, then you remove Client for MS Network and File and Print Sharing for MS Network off of the NIC - Network Interface Card or the dial-up connection, and the machine can never be in a networking situation.
>
> However a 3rd party FW solution should by default have the Windows Networking Ports closed. There is an automatic setting in 3rd party solutions to open or close the WNP(s) on the FW. You should call the FW vendor about how to do it.
>
> What are the WNP(s), which are the same on Vista as they are for Win 2k and XP.
>
> http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm
>
> You'll also notice that the link about AnalogX IPsec policy rules is talking about those WNP(s), with a rule for those ports that can be enabled or disabled to allow or disallow the machine to network.
>
> http://www.analogx.com/CONTENTS/articles/ipsec.htm
>
> Look, if you're concerned about the protection of the machine from the Internet, then put the machine behind a NAT router, which will give the machine protection from the Internet with unsolicited scans and attacks. All ports on the router are closed by default, and those WNP(s) on the router will be closed by default so the machine cannot network on the Internet.
>
> http://www.homenethelp.com/web/explain/about-NAT.asp
| 07-27-2007 | #16 |
Re: Disabling ICMP echo requests from Windows Firewall

"AChung" <AChung@discussions.microsoft.com> wrote in message news:F134846F-9FA0-42DD-B907-89790BF55D57@microsoft.com...

> Mr Arnold
>
> Thank you for your details. You're very resourceful and helpful.
>
> Actually, I have "unchecked" Client for MS Network and File Sharing for MS Network on my Intel PRO connection. Do I have to remove them from the list? However, Network Discovery and File Sharing are still shown on the Network and Sharing Center. Puzzled?

Why do you even care? The computer is behind your router. A machine cannot network with your machine over the Internet the WAN (Wide Area Network), because the router is sitting there and those Windows Network Ports on the router are closed to the outside world. Your machine can only network with another one of your machines behind the router on the LAN (Local Area Network). The machine is protected from the Internet due to the router sitting there in front of the machine.

> I wonder if AnalogX Public Server IPSec Configuration v1.00 is Vista-compatible. As you have it installed into your Vista computer, I guess it is feasible. Am I right?
>
> My modem/router has NAT but it is a basic version and cannot be configured to disable ICMP echo requests (PING) as confirmed by the manufacturer. Please advise on how to put my machine behind a NAT router. Is there any configuration required?

Your modem/router is a NAT router. A ping is being dealt with by the router, from what I understand. It's the router that's responding to it. If a SMURF or Ping attack is being run against you, it's directed at the router.

If you have a machine that has been compromised behind the router and it started doing ping attacks on IP(s)/machine on the LAN, this is where you should be concerned about the machine and its operating system responding to pings. And if a compromise of this type has happened behind the router, then you got other problems other than worrying about some ping attack.

I didn't know that your machine was behind a NAT modem/router. That Gibson junk only applies to when the machine has a direct connection to a standalone modem, which is a situation of a router NOT being between the modem and the computer.

If a router is NOT between the modem and the computer, then the computer has a direct connection to the Internet, and THAT is the condition where you should be concerned about all the things that have been talked about between you and I with these posts.

Your machine is behind a router, and in the grand reality of things, you are very, very, very, very, very, very small potatoes. You can implement what we have talked about to your own satisfaction behind the router.

Yes, IPsec with the AnalogX version we have been talking about in the links I am using on this laptop running Vista, a FW 3rd party personal FW or not, protecting the WNP(s), un-checking networking services off of the NIC or dialup connection etc, etc only applies when the laptop has a direct connection to the Internet. The laptop at this time is connected directly to the Internet on dialup, so the solutions are implemented to the fullest.

When the laptop is connected to my FW appliance or at one point when I was using a NAT router and the laptop is connected to the FW appliance or router, all of the solutions we are talking about are disabled, and none of the other computers on the LAN have these solutions enabled, because they are not needed behind either device.

You can use the PFW for outbound protection, as most do that, but all this other stuff you are concerned about do not apply, because that NAT modem/router is sitting there, and in the grand reality of things, you are small potatoes and there is no need for it behind the router.
| 07-27-2007 | #17 |
Re: Disabling ICMP echo requests from Windows Firewall

Dear Mr Arnold

Thank you for your full details.

The existing desktop PC belongs to my daughter, who uses it both for business and leisure. It is my duty to maintain it working properly though my IT knowledge is very limited.

If you don't mind, here's my last question. Should I be able to block ICMP with AnalogX Public Server IPSec Configuration, I am not sure if the following configuration should also be applied:

1. Disable NetBIOS over TCP/IP on Local Area Connection > Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced > WINS tab.
2. Disable TCP/IP NetBIOS Helper Service on Control Panel > Administrative Tools > Services.
3. Set Yes for Exempt ICMP for IPSec on Windows Firewall with Advanced Setting > Windows Firewall Properties > IPSec Settings.

I am grateful for your prompt responses to my queries. You really let me share your experience on using the new operating system.

Regards.

"Mr. Arnold" wrote:

> "AChung" <AChung@discussions.microsoft.com> wrote in message
> news:F134846F-9FA0-42DD-B907-89790BF55D57@microsoft.com...
> > Mr Arnold
> >
> > Thank you for your details. You're very resourceful and helpful.
> >
> > Actually, I have "unchecked" Client for MS Network and File Sharing for MS Network on my Intel PRO connection. Do I have to remove them from the list? However, Network Discovery and File Sharing are still shown on the Network and Sharing Center. Puzzled?
>
> Why do you even care? The computer is behind your router. A machine cannot network with your machine over the Internet the WAN (Wide Area Network), because the router is sitting there and those Windows Network Ports on the router are closed to the outside world. Your machine can only network with another one of your machines behind the router on the LAN (Local Area Network). The machine is protected from the Internet due to the router sitting there in front of the machine.
>
> > I wonder if AnalogX Public Server IPSec Configuration v1.00 is Vista-compatible. As you have it installed into your Vista computer, I guess it is feasible. Am I right?
> >
> > My modem/router has NAT but it is a basic version and cannot be configured to disable ICMP echo requests (PING) as confirmed by the manufacturer. Please advise on how to put my machine behind a NAT router. Is there any configuration required?
>
> Your modem/router is a NAT router. A ping is being dealt with by the router, from what I understand. It's the router that's responding to it. If a SMURF or Ping attack is being run against you, it's directed at the router.
>
> If you have a machine that has been compromised behind the router and it started doing ping attacks on IP(s)/machine on the LAN, this is where you should be concerned about the machine and its operating system responding to pings. And if a compromise of this type has happened behind the router, then you got other problems other than worrying about some ping attack.
>
> I didn't know that your machine was behind a NAT modem/router. That Gibson junk only applies to when the machine has a direct connection to a standalone modem, which is a situation of a router NOT being between the modem and the computer.
>
> If a router is NOT between the modem and the computer, then the computer has a direct connection to the Internet, and THAT is the condition where you should be concerned about all the things that have been talked about between you and I with these posts.
>
> Your machine is behind a router, and in the grand reality of things, you are very, very, very, very, very, very small potatoes. You can implement what we have talked about to your own satisfaction behind the router.
>
> Yes, IPsec with the AnalogX version we have been talking about in the links I am using on this laptop running Vista, a FW 3rd party personal FW or not, protecting the WNP(s), un-checking networking services off of the NIC or dialup connection etc, etc only applies when the laptop has a direct connection to the Internet. The laptop at this time is connected directly to the Internet on dialup, so the solutions are implemented to the fullest.
>
> When the laptop is connected to my FW appliance or at one point when I was using a NAT router and the laptop is connected to the FW appliance or router, all of the solutions we are talking about are disabled, and none of the other computers on the LAN have these solutions enabled, because they are not needed behind either device.
>
> You can use the PFW for outbound protection, as most do that, but all this other stuff you are concerned about do not apply, because that NAT modem/router is sitting there, and in the grand reality of things, you are small potatoes and there is no need for it behind the router.
| 07-28-2007 | #18 |
Re: Disabling ICMP echo requests from Windows Firewall

----- Original Message -----
From: "AChung" <AChung@discussions.microsoft.com>
Newsgroups: microsoft.public.windows.vista.security
Sent: Friday, July 27, 2007 10:32 PM
Subject: Re: Disabling ICMP echo requests from Windows Firewall

> Dear Mr Arnold
>
> Thank you for your full details.
>
> The existing desktop PC belongs to my daughter, who uses it both for business and leisure. It is my duty to maintain it working properly though my IT knowledge is very limited.
>
> If you don't mind, here's my last question. Should I be able to block ICMP with AnalogX Public Server IPSec Configuration, I am not sure if the following configuration should also be applied:

Have you run the AnalogX Ipsec Server v 1.00 zip and implemented the policies on Vista? Can you go to the Run Box on Vista and enter MMC, setup a MMC console, go to IPsec, you can see the IPsec policy for AnalogX, you can edit the AnalogX policy, see the ICMP Server Deny policy, enable that policy for deny and enable the Analogx IPsec policies for the computer?

If you can do all of that, then go to the site below and run the ping test. Now of course, the computer must be directly connected to the modem or the computer is using a dial-up connection to a dial-up ISP for the test, and the IP the machine is using from the ISP must be known. That's the only way it's going to be a valid test. The ping test for the computer cannot be run from behind the router, because all that's going to happen is the router is responding to the pings and not the computer. You can run the ping test against the router too, if you know what the router's or external IP from the ISP the router is using, which should be on one of the router's Admin screens.

http://www.websitepulse.com/help/tes...ping-test.html

Keep this in mind when you're looking at client versus server side rules. Your computer is the *client* in 99.9% of the cases. The client mode for the computer will be when you use your browser to contact a Web site using HTTP or you are making contact with a news group reader to a news group server using NNTP. You never want to enable *server* side rules, as nothing or no program, in your case, should be in a server role on your computer. However, one case that server side rules should be implemented is on the ICMP to permit or deny, because a *client* machine using the *ping* is trying to make contact with your machine, which will be in a server role.

HTH -- good luck
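
Added example, not part of the thread and not any poster's configuration: the thread's subject (dropping inbound ICMP echo requests on Vista, which runs IPv4 and IPv6 side by side) done with Windows Firewall with Advanced Security rules through `netsh advfirewall` instead of the AnalogX IPsec policy. The rule names are arbitrary labels chosen for this example.

```bat
@echo off
rem Added example: block inbound ping on Windows Vista or later.
rem Run from an elevated Command Prompt. Rule names are labels made up here.

set RULE4=Example - Block inbound ICMPv4 echo request
set RULE6=Example - Block inbound ICMPv6 echo request

rem ICMPv4 echo request is type 8; "any" matches every code value.
netsh advfirewall firewall add rule name="%RULE4%" ^
    dir=in action=block protocol=icmpv4:8,any profile=any
if errorlevel 1 goto :failed

rem ICMPv6 echo request is type 128. Without this rule the host can still
rem answer ping over IPv6 even though IPv4 ping is blocked.
netsh advfirewall firewall add rule name="%RULE6%" ^
    dir=in action=block protocol=icmpv6:128,any profile=any
if errorlevel 1 goto :failed

rem Show what was created so the direction, action and profiles can be checked.
netsh advfirewall firewall show rule name="%RULE4%"
netsh advfirewall firewall show rule name="%RULE6%"

rem To undo the change later:
rem   netsh advfirewall firewall delete rule name="%RULE4%"
rem   netsh advfirewall firewall delete rule name="%RULE6%"
exit /b 0

:failed
echo Rule creation failed. Is this Command Prompt elevated?
exit /b 1
```

Check the result by pinging the machine from a host that reaches it directly, such as another PC on the same LAN. As the post above points out, a ping test run from the Internet against a machine behind a NAT router is answered by the router, not the computer.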