1.2.1.1.1.1.1 Configure 'Windows Firewall: Allow ICMP exceptions - AllowOutboundDestinationUnreachable'

Information

This policy setting defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Utilities can use ICMP messages to determine the status of other computers. For example, Ping uses the echo request message. Many attacker tools take advantage of computers that accept ICMP message types and use these messages to mount a variety of attacks.

Solution

Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow ICMP exceptions

Impact: If you configure the Windows Firewall: Allow ICMP exceptions setting to Enabled, you must specify which ICMP message types Windows Firewall allows the computer to send or receive. When you configure this policy setting to Disabled, Windows Firewall blocks all unsolicited inbound ICMP message types and the listed outbound ICMP message types. As a result, utilities that rely on ICMP may fail. Some applications require some ICMP messages in order to function properly. Also, ICMP messages are used to estimate network performance when Group Policy is downloaded and processed; if ICMP messages are blocked, Group Policy may not be applied to affected systems.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow inbound file and printer sharing exception, Windows Firewall: Allow inbound remote administration exception, and Windows Firewall: Define inbound port exceptions.
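The following PowerShell audit check is an added example and is not part of the CIS benchmark or the Tenable audit file; it reads the Group Policy registry values that back "Windows Firewall: Allow ICMP exceptions" and reports how the AllowOutboundDestinationUnreachable item is configured for the Standard and Domain profiles. The policy registry path (HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>\IcmpSettings) and the value name are assumptions based on the legacy Windows Firewall ADMX, so verify them against your own ADMX before relying on the result.

```powershell
# Added audit check (not the benchmark's own code). Assumption: the legacy
# Windows Firewall policy template stores each ICMP exception as a DWORD under
# HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>\IcmpSettings,
# where 1 = message type allowed, 0 = blocked, absent = Not Configured.
function Get-IcmpExceptionState {
    param(
        [string[]] $Profiles = @('StandardProfile', 'DomainProfile'),
        [string]   $ValueName = 'AllowOutboundDestinationUnreachable'
    )

    foreach ($profile in $Profiles) {
        $key = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profile\IcmpSettings"

        # No policy key at all means the GPO has never set this profile's ICMP exceptions.
        if (-not (Test-Path -Path $key)) {
            [pscustomobject]@{ Profile = $profile; Value = $null; State = 'Not Configured' }
            continue
        }

        $props = Get-ItemProperty -Path $key
        $val   = $props.$ValueName

        $state = switch ($val) {
            1       { 'Enabled (message type allowed)' }
            0       { 'Disabled (message type blocked)' }
            default { 'Not Configured' }
        }

        [pscustomobject]@{ Profile = $profile; Value = $val; State = $state }
    }
}

# Run for the item this control covers and show the result per profile.
Get-IcmpExceptionState | Format-Table -AutoSize
```

The check reports only the policy as written by Group Policy; per the Impact note above, an inbound echo request exception can still be in effect when another setting opens TCP port 445, so treat this as one input to the audit rather than the effective firewall state.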

See Also

https://workbench.cisecurity.org/files/42

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(16), CCE|CCE-17102-5

Plugin: Windows

Control ID: 7cbf7dadd192d9c13a6e70741da33d155a09962a66375b0fe5025278678c2562