Disabling ICMP echo requests from Windows Firewall

Discussion in 'Windows Vista Security' started by AChung, Jul 23, 2007.

  1. AChung

    AChung Guest

    Is it possible to configure Windows Firewall, thus disabling it to have ICMP
    echo requests (Ping) following the online scan by ShieldsUP (Gibson Research
    Corporation)? Unfortunately, my existing 1-port ADSL ethernet modem has no
    option to disable Ping. Is it required to edit any Inbound Rules and/or
    Outbound Rules on "Windows Firewall with Advanced Security"? I look forward
    to having any expert advice on how to proceed with.
     
    AChung, Jul 23, 2007
    #1

  2. Mike Brannigan, Jul 23, 2007
    #2

  3. Mr. Arnold

    Mr. Arnold Guest

    <copied right from Vista O/S *Help*>
    What happened to the ICMP and logging settings in Windows Firewall?
    You must be logged on as an administrator to perform these steps.

    To find ICMP and logging settings, open Windows Firewall with Advanced
    Security.

    1. Click to open Administrative Tools. If you are prompted for an
    administrator password or confirmation, type the password or provide
    confirmation.

    2. Double-click Windows Firewall with Advanced Security.

    To change logging settings:

    1. Under Public Profile, click Windows Firewall Properties.

    2. Click the tab for the profile that you want to change.

    3. Under Logging, click Customize.

    4. In the dialog box that appears, change the settings you want to
    change, and then click OK.

    You can specify ICMP settings by creating inbound or outbound rules using
    the ICMPv4 or ICMPv6 protocol.

    <end copy>
     
    Mr. Arnold, Jul 23, 2007
    #3
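The help text quoted above says ICMP is controlled by creating inbound or outbound rules that use the ICMPv4 protocol. As an added example that is not part of this thread or of Microsoft's help text, the elevated PowerShell session below does exactly that with `netsh advfirewall`, the command-line interface to Windows Firewall with Advanced Security that ships with Vista: it adds an inbound rule dropping ICMPv4 type 8 (echo request), turns on logging of dropped packets so the effect can be checked locally, and lists the result. The rule name is a choice made for this example; the `--%` token needs PowerShell 3.0 or later, and the same netsh lines work unchanged in an elevated cmd.exe prompt without it.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell 3.0+ prompt.
# `--%` hands the rest of each line to netsh verbatim so the quotes and commas
# reach netsh untouched; in an elevated cmd.exe prompt, drop the `--%`.
# The rule name is an arbitrary choice for this example.

# 1. Inbound rule dropping ICMPv4 type 8 (echo request), any code, on all profiles.
#    Other ICMPv4 types (type 3 destination unreachable, type 11 time exceeded)
#    are left alone so path MTU discovery and traceroute replies keep working.
netsh --% advfirewall firewall add rule name="Block inbound ICMPv4 echo request" dir=in action=block protocol=icmpv4:8,any profile=any

# 2. Log dropped packets so the rule's effect can be verified from the local
#    log file (default: %systemroot%\system32\LogFiles\Firewall\pfirewall.log).
netsh --% advfirewall set allprofiles logging droppedconnections enable

# 3. Confirm the rule exists and is enabled.
netsh --% advfirewall firewall show rule name="Block inbound ICMPv4 echo request"

# 4. List the built-in inbound rules that allow echo requests, such as
#    "File and Printer Sharing (Echo Request - ICMPv4-In)". A block rule takes
#    precedence over an allow rule in Windows Firewall, so they need not be
#    disabled for the block to work, but they explain why ping answers again
#    as soon as the block rule is removed.
netsh advfirewall firewall show rule name=all dir=in | Select-String -Pattern 'Echo Request'
```

Step 1 blocks only echo requests rather than all of ICMP, which is the caveat behind Charlie42's warning later in the thread: a blanket "block all incoming pings" setting can also drop the ICMP error messages a DSL link relies on. Note too that if a NAT modem/router sits in front of the PC, an external test such as ShieldsUP reaches the router, not this rule; the dropped-packet log enabled in step 2 is the check that works regardless of what sits upstream.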
  4. AChung

    AChung Guest

    Dear Mike

    Thank you for giving me the following link, which is applicable to Windows
    2000/XP/2003 computers as indicated. I am not sure if the same configuration
    can be applied to Windows Vista Home Basic, where IPv4 and IPv6 are being
    used. Please advise further, if possible, because Windows Vista Home Basic
    is quite new to me.

    Regards.
     
    AChung, Jul 24, 2007
    #4
  5. AChung

    AChung Guest

    Dear Mr Arnold

    Thank you for your guidance.

    It seems to me that my home PC is using IPv4 mainly for Internet. Can you
    please show me how to edit a filter rule, whether Inbound or Outbound, to
    block ICMP echo requests (PING) as desirable?

    Is it required to configure my home PC because I have installed a
    third-party software firewall to replace the built-in Windows Firewall?

    Please let me have your further advice.

    Regards.
     
    AChung, Jul 24, 2007
    #5
  6. Mr. Arnold

    Mr. Arnold Guest

    Just follow the link that was given to you about IPsec. The information in
    those screens will show you how to filter the ping traffic in any FW, if the
    FW has the ability to set the rules.
     
    Mr. Arnold, Jul 24, 2007
    #6
  7. Mr. Arnold

    Mr. Arnold Guest

    Vista is just another NT based O/S like Win 2k, XP and 2k3. IPsec is part of
    the Vista O/S(s) at least on Vista Home Premium and Ultimate that I have
    used. And the rules for IPsec can be applied to all four NT based platforms,
    even though you don't see Vista being mentioned.

    I use IPsec to supplement Vista's FW, XP's FW and any 3rd party FW solution
    I have used on the NT based O/S, for a machine that will have a direct
    connection to the modem and therefore a direct connection to the Internet.

    I implement/enable the client side AnalogX IPsec policy rules and disable
    the server side rules, as I don't have anything on the server side being
    exposed to the Internet.

    http://www.analogx.com/CONTENTS/articles/ipsec.htm
    http://support.microsoft.com/kb/813878
     
    Mr. Arnold, Jul 24, 2007
    #7
  8. Charlie42

    Charlie42 Guest

    Do keep in mind that your modem may influence the ShieldsUp! ping test.
    Blocking ICMP echo requests in Windows Firewall won't necessarily keep your
    modem quiet.

    Also keep in mind that generally, a 'block all incoming pings' option should
    be selected with care. It might cause trouble for your DSL connection.

    Charlie42
     
    Charlie42, Jul 24, 2007
    #8
  9. AChung

    AChung Guest

    Hi, Charlie

    Thank you for your good advice.

    Regards.
     
    AChung, Jul 25, 2007
    #9
  10. AChung

    AChung Guest

    Dear Mr Arnold

    Thank you for your guidance.

    Regards.
     
    AChung, Jul 25, 2007
    #10
  11. AChung

    AChung Guest

    Hi Mr Arnold

    Shall I use the same configuration on my Windows Vista Home Basic as yours?

    Cheers.
     
    AChung, Jul 25, 2007
    #11
  12. Mr. Arnold

    Mr. Arnold Guest

    Yes, all you have to do is implement the AnalogX IPsec policies, the same
    ones I have used for my Win 2K, XP and now Vista machines, in a
    supplementary role to the firewall application.

    I did have to make an adjustment for the client side SMTP service, as my
    ISP's SMTP didn't work on the standard port 25, because it was on another
    port.

    You can learn from the AnalogX IPsec rules and apply the same kind of
    rule-making to other firewalls, as the concepts are the same.
     
    Mr. Arnold, Jul 25, 2007
    #12
  13. AChung

    AChung Guest

    Dear Mr Arnold

    Thank you for your confirmation.

    Are you using a third party firewall? I have a query - whether Network
    Discovery and File Sharing are turned on, after Windows Firewall has been
    replaced by a third party firewall. I wish that they were turned off because
    of security.

    Do you have such experience? Any remedy available?

    Regards.
     
    AChung, Jul 26, 2007
    #13
  14. Mr. Arnold

    Mr. Arnold Guest

    I use the Vista FW. Well, if you don't want the machine to be in a
    networking situation, then you remove Client for MS Network and File and
    Print Sharing for MS Network off of the NIC - Network Interface Card or the
    dial-up connection, and the machine can never be in a networking situation.

    However, a 3rd party FW solution should by default have the Windows
    Networking Ports closed. There is an automatic setting in 3rd party
    solutions to open or close the WNP(s) on the FW. You should call the FW
    vendor about how to do it.

    Which ports are the WNP(s)? They are the same on Vista as they are for
    Win 2k and XP.

    http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm


    You'll also notice that the link about AnalogX IPsec policy rules is talking
    about those WNP(s), with a rule for those ports that can be enabled or
    disabled to allow or disallow the machine to network.

    http://www.analogx.com/CONTENTS/articles/ipsec.htm

    Look, if you're concerned about the protection of the machine from the
    Internet, then put the machine behind a NAT router, which will give the
    machine protection from the Internet with unsolicited scans and attacks. All
    ports on the router are closed by default, and those WNP(s) on the router
    will be closed by default so the machine cannot network on the Internet.

    http://www.homenethelp.com/web/explain/about-NAT.asp
     
    Mr. Arnold, Jul 26, 2007
    #14
  15. AChung

    AChung Guest

    Mr Arnold

    Thank you for your details. You're very resourceful and helpful.

    Actually, I have "unchecked" Client for MS Network and File Sharing for MS
    Network on my Intel PRO connection. Do I have to remove them from the list?
    However, Network Discovery and File Sharing are still shown on the Network
    and Sharing Center. Puzzled?

    I wonder if AnalogX Public Server IPSec Configuration v1.00 is
    Vista-compatible. As you have it installed into your Vista computer, I guess
    it is feasible. Am I right?

    My modem/router has NAT but it is a basic version and cannot be configured
    to disable ICMP echo requests (PING) as confirmed by the manufacturer.
    Please advise on how to put my machine behind a NAT router. Is there any
    configuration required?

    My apologies for troubling you further.

    Regards.
     
    AChung, Jul 27, 2007
    #15
  16. Mr. Arnold

    Mr. Arnold Guest

    Why do you even care? The computer is behind your router. A machine cannot
    network with your machine over the Internet the WAN (Wide Area Network),
    because the router is sitting there and those Windows Network Ports on the
    router are closed to the outside world. Your machine can only network with
    another one of your machines behind the router on the LAN (Local Area
    Network). The machine is protected from the Internet due to the router
    sitting there in front of the machine.
    Your modem/router is a NAT router. A ping is being dealt with by the router,
    from what I understand. It's the router that's responding to it. If a SMURF
    or Ping attack is being run against you, it's directed at the router.

    If you have a machine that has been compromised behind the router and it
    started doing ping attacks on IP(s)/machines on the LAN, this is where you
    should be concerned about the machine and its operating system responding
    to pings. And if a compromise of this type has happened behind the router,
    then you have other problems beyond worrying about some ping attack.

    I didn't know that your machine was behind a NAT modem/router. That Gibson
    junk only applies to when the machine has a direct connection to a
    standalone modem, which is a situation of a router NOT being between the
    modem and the computer.

    If a router is NOT between the modem and the computer, then the computer has
    a direct connection to the Internet, and THAT is the condition where you
    should be concerned about all the things that have been talked about between
    you and I with these posts.

    Your machine is behind a router, and in the grand reality of things, you are
    very, very, very, very, very, very small potatoes. You can implement what we
    have talked about to your own satisfaction behind the router.

    Yes, IPsec with the AnalogX version we have been talking about in the links
    I am using on this laptop running Vista, a FW 3rd party personal FW or not,
    protecting the WNP(s), un-checking networking services off of the NIC or
    dialup connection etc, etc only applies when the laptop has a direct
    connection to the Internet. The laptop at this time is connected directly to
    the Internet on dialup, so the solutions are implemented to the fullest.

    When the laptop is connected to my FW appliance or at one point when I was
    using a NAT router and the laptop is connected to the FW appliance or
    router, all of the solutions we are talking about are disabled, and none of
    the other computers on the LAN have these solutions enabled, because they
    are not needed behind either device.

    You can use the PFW for outbound protection, as most do that, but all this
    other stuff you are concerned about does not apply, because that NAT
    modem/router is sitting there, and in the grand reality of things, you are
    small potatoes and there is no need for it behind the router.
     
    Mr. Arnold, Jul 27, 2007
    #16
  17. AChung

    AChung Guest

    Dear Mr Arnold

    Thank you for your full details.

    The existing desktop PC belongs to my daughter, who uses it both for
    business and leisure. It is my duty to maintain it working properly though
    my IT knowledge is very limited.

    If you don't mind, here's my last question. Should I be able to block ICMP
    with AnalogX Public Server IPSec Configuration, I am not sure if the
    following configuration should also be applied:

    1. Disable NetBIOS over TCP/IP on Local Area Connection > Internet Protocol
    Version 4 (TCP/IPv4) > Properties > Advanced > WINS tab.

    2. Disable TCP/IP NetBIOS Helper Service on Control Panel > Administrative
    Tools > Services.

    3. Set Yes for Exempt ICMP for IPSec on Windows Firewall with Advanced
    Setting > Windows Firewall Properties > IPSec Settings.

    I am grateful for your prompt responses to my queries. You really let me
    share your experience on using the new operating system.

    Regards.
     
    AChung, Jul 28, 2007
    #17
  18. Mr. Arnold

    Mr. Arnold Guest

    ----- Original Message -----
    From: "AChung" <>
    Newsgroups: microsoft.public.windows.vista.security
    Sent: Friday, July 27, 2007 10:32 PM
    Subject: Re: Disabling ICMP echo requests from Windows Firewall

    Have you run the AnalogX IPsec Server v 1.00 zip and implemented the
    policies on Vista?

    Can you go to the Run Box on Vista and enter MMC, set up an MMC console, go
    to IPsec, and see the IPsec policy for AnalogX? You can edit the AnalogX
    policy, see the ICMP Server Deny policy, enable that policy for deny and
    enable the AnalogX IPsec policies for the computer.

    If you can do all of that, then go to the site below and run the ping test.
    Now of course, the computer must be directly connected to the modem or the
    computer is using a dial-up connection to a dial-up ISP for the test, and
    the IP the machine is using from the ISP must be known. That's the only way
    it's going to be a valid test.

    The ping test for the computer cannot be run from behind the router, because
    all that's going to happen is the router is responding to the pings and not
    the computer.

    You can run the ping test against the router too, if you know the router's
    external IP from the ISP, which should be shown on one of the router's
    Admin screens.

    http://www.websitepulse.com/help/testtools.ping-test.html

    Keep this in mind when you're looking at client versus server side rules.
    Your computer is the *client* in 99.9% of the cases.

    The client mode for the computer will be when you use your browser to
    contact a Web site using HTTP or you are making contact with a news group
    reader to a news group server using NNTP. You never want to enable *server*
    side rules, as nothing or no program, in your case, should be in a server
    role on your computer.

    However, one case where server side rules should be implemented is on the
    ICMP rule to permit or deny, because a *client* machine using *ping* is
    trying to make contact with your machine, which will be in a server role.

    HTH -- good luck
     
    Mr. Arnold, Jul 28, 2007
    #18
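Mr. Arnold's point that an external ping test only measures whatever device answers first (the router, in AChung's case) suggests checking on the PC itself instead. As an added example that is not part of the thread, the PowerShell below parses the Windows Firewall log (written once dropped-packet logging is enabled) and lists the inbound ICMPv4 echo requests that were dropped, grouped by source address, which shows whether the block rule on the PC is actually doing the work. The log lines are constructed sample data laid out in the documented pfirewall.log column format; the function name and the sample addresses are assumptions of this example, not anything from the thread.

```powershell
# Added example, not from the thread. Reads Windows Firewall's pfirewall.log and
# reports dropped inbound ICMPv4 echo requests (type 8) per source address.
# The here-string below is constructed sample data in the documented column
# layout; the real file is %systemroot%\system32\LogFiles\Firewall\pfirewall.log
# once "logging droppedconnections" is enabled for the active profile.

$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-07-24 10:15:32 DROP ICMP 203.0.113.5 192.168.1.10 - - 84 - - - - 8 0 - RECEIVE
2007-07-24 10:15:33 DROP ICMP 203.0.113.5 192.168.1.10 - - 84 - - - - 8 0 - RECEIVE
2007-07-24 10:16:01 DROP TCP 198.51.100.7 192.168.1.10 40123 445 48 S 1234567 0 8192 - - - RECEIVE
2007-07-24 10:16:05 DROP ICMP 198.51.100.9 192.168.1.10 - - 84 - - - - 8 0 - RECEIVE
2007-07-24 10:16:09 ALLOW ICMP 192.168.1.10 192.168.1.1 - - 84 - - - - 8 0 - SEND
'@

function Get-DroppedEchoRequests {
    # Hypothetical helper name chosen for this example.
    param([string[]]$Lines)

    # Take the column names from the "#Fields:" header so positions are not guessed.
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip other header lines, blank lines, and anything before the header.
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }

        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # malformed line, ignore

        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        # Only inbound (RECEIVE) ICMP echo requests (type 8) that the firewall dropped.
        if ($rec['action'] -eq 'DROP' -and $rec['protocol'] -eq 'ICMP' -and
            $rec['icmptype'] -eq '8' -and $rec['path'] -eq 'RECEIVE') {
            [pscustomobject]@{
                Time   = "$($rec['date']) $($rec['time'])"
                Source = $rec['src-ip']
                Target = $rec['dst-ip']
            }
        }
    }
}

$dropped = Get-DroppedEchoRequests -Lines ($sampleLog -split "`r?`n")
$dropped | Group-Object Source | Select-Object Name, Count | Format-Table -AutoSize
# With the sample data above: 203.0.113.5 -> 2 dropped, 198.51.100.9 -> 1 dropped;
# the TCP line and the outbound ALLOW line are excluded.

# Against the live log (elevated prompt; the file stays readable while the service writes it):
# Get-DroppedEchoRequests -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

If the PC sits behind a NAT modem/router, this log will simply show no inbound echo requests from Internet addresses, because, as Mr. Arnold explains, the router answers them before they reach the PC; entries will only appear for pings from other machines on the LAN or when the PC is connected directly to the modem.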