1.2.1.1.1.2.7 Configure 'Windows Firewall: Allow ICMP exceptions' - AllowOutboundTimeExceeded

Information

This policy setting defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Utilities can use ICMP messages to determine the status of other computers. For example, Ping uses the echo request message. If you configure the Windows Firewall: Allow ICMP exceptions setting to Enabled, you must specify which ICMP message types Windows Firewall allows the computer to send or receive. When you configure this policy setting to Disabled, Windows Firewall blocks all unsolicited inbound ICMP message types and the listed outbound ICMP message types. As a result, utilities that rely on ICMP may fail. Many attacker tools take advantage of computers that accept ICMP message types and use these messages to mount a variety of attacks. However, some applications require some ICMP messages in order to function properly. Also, ICMP messages are used to estimate network performance when Group Policy is downloaded and processed; if ICMP messages are blocked, Group Policy may not be applied to affected systems. For that reason, it is recommended that you configure the Windows Firewall: Allow ICMP exceptions setting to Disabled whenever possible. If your environment requires some ICMP messages to get through Windows Firewall, configure this policy setting with the appropriate message types. Whenever the computer is on an untrusted network, the Windows Firewall: Allow ICMP exceptions setting should be configured to Disabled. Note If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow inbound file and printer sharing exception, Windows Firewall: Allow inbound remote administration exception, and Windows Firewall: Define inbound port exceptions. Many attacker tools take advantage of computers that accept ICMP message types and use these messages to mount a variety of attacks.

Solution

Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization-

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall- Allow ICMP exceptions

Impact- If you configure the Windows Firewall- Allow ICMP exceptions setting to Enabled, you must specify which ICMP message types Windows Firewall allows the computer to send or receive. When you configure this policy setting to Disabled, Windows Firewall blocks all unsolicited inbound ICMP message types and the listed outbound ICMP message types. As a result, utilities that rely on ICMP may fail. Some applications require some ICMP messages in order to function properly. Also, ICMP messages are used to estimate network performance when Group Policy is downloaded and processed; if ICMP messages are blocked, Group Policy may not be applied to affected systems. Note If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall- Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall- Allow inbound file and printer sharing exception, Windows Firewall- Allow inbound remote administration exception, and Windows Firewall- Define inbound port exceptions.

See Also

https://workbench.cisecurity.org/files/42

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(16), CCE|CCE-16671-0

Plugin: Windows

Control ID: 3d8691a4f182b2cdea17fb109674359f0c304eeb7868459a2daaf06d5ccf9a11