
Download Fortigate Vm Software Review

Author: admin, 26/01

FortiGate VM evaluation license: FortiGate VM includes a limited embedded 15-day trial license that supports: 1 CPU maximum; 1024 MB memory maximum; low encryption only (no HTTPS administrative access); all features except FortiGuard updates. You cannot upgrade the firmware; doing so will lock the Web-based.

Refer to the above. Not sure if there's a surefire answer ultimately, but putting a firewall in front of the server is not an option currently.

Q1: I tried the PowerShell command given in the URL above using administrator but got the syntax error below, so what's the exact syntax?

    PS C:\Windows\system32> Set-netTCPsetting -SettingName InternetCustom -Timestamps disabled
    The term 'Set-netTCPsetting' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    Line:1 char:18 Set-netTCPsetting

Are different from

Could you please share the exhibit text from your scanner? It is hard to guess which is at fault.

A1: Run netsh in interactive mode; you may find where the tcpip options are.
A2: Windows Firewall does not filter TCP options.
A3: The default Windows Firewall can block it: 'netsh firewall set icmpsetting 13 disable'
A4: Might be true indeed; then 'netsh int tcp set global timestamps=disabled' may disable TCP timestamps.
A5: Tcp1323Opts=1 is more adequate. Sure, a reboot is needed after each change, and in some forums it says TCP timestamps still are not completely disabled.

A1/A4/A5 - PowerShell for 'Set-NetTCPSetting' is only in Win2012 R2 and Win8.1 and not on other Windows Server versions including Win2008R2/2012.

The PS 3.0 update will not include them even if you try to upgrade your PS, as this cmdlet module is specifically bound to the supported OS version only. I also see that the syntax for disabling is as stated, specifically '-Timestamps Disabled'. To list all the cmdlets that are available, use the Get-Command -Module NetTCPIP cmdlet.

For more detailed information, you can run any of the following cmdlets:

    Get-Help -Detailed
    Get-Help -Examples
    Get-Help -Full

A2 - For the FW rule, it is supposed to be possible to disable RFC 1323 Timestamps via 'netsh int tcp set global timestamps=disabled', but so far it has not been a reliable action. The other way is to set the values (e.g. Tcp1323Opts) in the registry (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters) as stated in TechNet.
A3 - For Linux: disable TCP timestamps on Linux via 'sysctl' (e.g.

> please share exhibit text from your scanner?

I can't, as this is done by external security consultants engaged by our customers: the customers won't share the reports and, honestly, they have yet to receive the reports, but the customers are highlighting this TCP timestamp issue specifically for Windows VMs hosted in our environment.

Noted with thanks the sharing from BTan, but currently we can address this for Solaris and Linux VMs in our environment; it's only the Windows VMs that we have concerns about. Our hardware LB principal/vendor advised against disabling TCP timestamps on the LB.

Guess I have to resort to doing this on the firewalls, which is not my preferred option: Windows Firewall is still my preferred option so that the tenants manage this instead of us.

Check that there is no intermediary device being scanned and surfacing this timestamp instead of the original target. The uptime guess is accurate much of the time for most operating systems, so it is printed when available, but only in verbose mode. The uptime guess is omitted if the target gives zeros or no timestamp options in its SYN/ACK packets, or if it does not reply at all.

If you do a packet capture to check the timestamp as verification of the setting: the timestamp option in a TCP packet contains two values, TSval (the source's time) and TSecr (an echo of the time the destination last sent).

The best filter I found to look for positive timestamps was:

    ip.src == && tcp.options.timestamp.tsval && !(tcp.options.timestamp.tsval == 0)

The second part ensures that a TSval value is there, since the third will return TRUE if the field isn't there as well as when it's non-zero. In this case, the filter returned no packets, as expected.

Iptables blocking is rather based on the below:

    iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
    iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP

Good to confirm whether the Windows server is really still sending the timestamps (after disabling those registry values) by capturing the traffic as advised by gheist. You can find all TCP packets with the timestamp option (in Wireshark use the display filter tcp.options.time_stamp); you should check the second packet (after the server packet) to see if the timestamp bit is set. See that the capture has something like 'TSval= TSecr=' under 'Timestamps' in the Info column for the packets. Note SYN needs to be set, since it is part of the SYN packet.

Just checked again and the DWORD (32-bit) Tcp1323Opts was already set to 0 (not set to 1, as one link indicated value 1 is not supported) under CurrentControlSet, ControlSet001 and ControlSet002. Used nmap to scan (as I can't get hping and rsysinfo even on RHEL anymore) and it showed the 'Uptime':

    nmap -v -O 172.21.x.y
    Starting Nmap 4.62 ( ) at 2015-10-29 18:59
    Initiating Ping Scan at 18:59
    Scanning 172.21.x.y [2 ports]
    Completed Ping Scan at 18:59, 0.48s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 18:59
    Completed Parallel DNS resolution of 1 host. at 19:00, 0.41s elapsed
    Initiating SYN Stealth Scan at 19:00
    Scanning 172.21.x.y [1715 ports]
    Discovered open port 3389/tcp on 172.21.128.90
    ...
    Device type: general purpose
    Running (JUST GUESSING): Microsoft Windows Vista|2008 (90%), FreeBSD 6.X (88%)
    Aggressive OS guesses: Microsoft Windows Vista (90%), Microsoft Windows Server 2008 Beta 3 (89%), FreeBSD 6.2-RELEASE (88%)
    No exact OS matches for host (test conditions non-ideal).
    Uptime: 25.343 days (since Sun Oct 04 05:)

Suspecting this reg setting is deprecated: with Windows 2008 and Windows 2008 R2, a number of the registry parameters used in previous OSs have been deprecated and all of these configurations are now autotuned by the OS. This includes TCP Receive Window Scaling, which necessitated adding Tcp1323Opts in the registry to enable it on older OSs. Further checking into the MS tuning guide also did not shed anything close except this:

TCP Parameters. The following registry keywords in Windows Server 2003 are no longer supported and are ignored in Windows Server 2008 and Windows Server 2008 R2:

    TcpWindowSize         HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
    NumTcbTablePartitions HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
    MaxHashTableSize      HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

Maybe good to check the dump as shared earlier in the posts.

Can someone provide me a link to upload the Wireshark dump (about 100MB)? Ran into an NSF driver issue with that Win2008 R2 server, so I've chosen another Win2008 R2 server (17x.20.3.72): without setting those values in the registry, ran the nmap against it while Wireshark was capturing. Not too sure how to do filtering, so I've captured the full dump: when prompted for a password, unzip using my EE id. Based on the dump, can you recommend what type of Windows Firewall rules I could create to block these TCP timestamps and prevent uptime information from being made known?

Btw, Fortigate replied that TCP Timestamps should not be disabled in their firewall (and possibly other firewalls) as doing so will cause PAWS (PROTECT AGAINST WRAPPED SEQUENCE NUMBERS) not to work; any truth in this?

Doubt you can have the Windows FW perform the filtering effectively. It will eventually have to drill into the packet (for those optional TCP fields) to identify and drop the packet. Do also see the earlier mention of the use of iptables and sysctl. Review some FW rules to filter as well, e.g. PAN:

Create a zone protection profile that is configured to protect against packet-based attacks:
- Remove TCP timestamps on SYN packets before the firewall forwards the packet. When you remove the TCP timestamp option in a SYN packet, the TCP stack on both ends of the TCP connection will not support TCP timestamps. Therefore, by disabling the TCP timestamp for a SYN packet, you can prevent an attack that uses different timestamps on multiple packets for the same sequence number.

And including the FW itself, enable the following CLI command for checking the TCP timestamp. The TCP timestamp records when the segment was sent and allows the firewall to verify that the timestamp is valid for that session. Packets with invalid timestamps are dropped when this setting is enabled:

    set deviceconfig setting tcp check-timestamp-option yes

> use of iptable and sysctl

The above is for Linux only, which I've implemented and it appears to work effectively, i.e. the same nmap command can't obtain the 'uptime' info anymore from the RHEL server that I implemented it on. If iptables rules alone are sufficient, perhaps we can scout around for an iptables version that's been ported over to run on Win 2008 R2/Win2012?

> set deviceconfig setting tcp check-timestamp-option yes

Is the above something I issue on the Fortigate firewall to disable TCP timestamps?

Yup, I've just issued again the command below using administrator on the Win2008 R2 server and it came back with an 'Ok' message, indicating the command went through fine:

    c:\> netsh int tcp set global timestamps=disabled
    Ok.

But running nmap against that server (or back to itself) still gives the uptime (guessed rather accurately):

    C:\Program Files\Nmap> nmap -v -O 17X.2X.128.90 | find /i "uptime"
    Uptime guess: 10.098 days (since Thu Oct 29 21:)

Will check out the Fortigate with my colleagues who administer it, but the link doesn't appear to be providing firewall rules to filter out timestamp info in the outgoing traffic; it appears to be a setting. How does the Wireshark dump help achieve this objective of stopping the uptime/TCP timestamp from being sent out?

Please see below for another means to check whether offload is made unavailable after disabling. So how do we see if traffic is offloaded? You run netstat -nt; the 't' dumps their current offload state.

I used findstr just to grab the offloaded connections.

    C:\> netstat -nt | findstr /i offloaded
    TCP 110.100.44.52:445 10.5.17.2:1369 ESTABLISHED Offloaded
    TCP 10.100.44.52:445 1.56. ESTABLISHED Offloaded
    TCP 10.100.7 1.198.5.2:2444 ESTABLISHED Offloaded
    TCP 10.100.7 1.100.4.219:2255 ESTABLISHED Offloaded
    TCP 10.100.7 1.58.6.50:54620 ESTABLISHED Offloaded
    TCP 10.100.7 1.58.2 ESTABLISHED Offloaded
    TCP 10.100.7 1.58. ESTABLISHED Offloaded
    TCP 10.100.7 1.148.8.6:58308 ESTABLISHED Offloaded
    TCP 10.100.9 1.10.3.2:1025 ESTABLISHED Offloaded

The given command 'netstat -nt | findstr offloaded' shows that it doesn't work on both my Win2008 R2 as well as Win7, despite a reboot, and 'netsh int tcp show global' shows the settings are in effect:

    C:\Windows\system32> netsh int tcp show global
    Querying active state...
    TCP Global Parameters
    ----------------------------------------------
    Receive-Side Scaling State : enabled
    Chimney Offload State      : disabled

I'll install Win2008 R2 on my laptop as an alternate boot to test it this weekend.

Meanwhile, allow me to deviate: governance has questioned me, referencing the above:

1. In disabling TCP timestamps on a server (i.e. in the Linux and Solaris cases, which work), does it then make the system vulnerable in another way, as PAWS gets disabled? The above URL says 'TCP timestamp is an extension to provide PAWS and improved RTTM'.

2. F5 and the firewall principal advised that disabling TCP timestamps will have a performance impact and would disable PAWS as well (i.e. giving rise to another security concern): in what way is disabling this at the servers' OS level different from or better than disabling it in the F5 LB/firewalls? Between TCP timestamps and PAWS, which of the two is the bigger evil?

The loss of PAWS is not totally security but support, since TCP can be unstable and can be tampered with. It comes down to knowing its existence clearly.

1. It is to extend TCP reliability to transfer rates well beyond the foreseeable upper limit of network bandwidths. It uses the timestamp to reject old duplicate segments (e.g. if one is received with a timestamp SEG.TSval less than some timestamp recently received on this connection) that might corrupt an open TCP connection. Hence, it indirectly also protects against errors due to sequence number wrap-around on high-speed connections. The key is that it removes such 'duplicates', whether well intended or not, from earlier incarnations of the single connection. You make the choice whether to forsake this. As long as you deem your connection stable and guarded, I do not see the 'threat' though.

2. F5 posted their backing for not disabling timestamps, mainly because a performance penalty would occur without RTTM too. They further allude to the point on missing PAWS: a potential attacker needs only the IP addresses and port numbers of the connection endpoints to reset the connection. The risk level of the uptime threat is deemed low by F5 compared to the gain of having it enabled.

Make your choice: performance as the status quo vs disabled. I do not see a great difference if you are no worse off, but since you face an internal dilemma, I believe you are going for disabling too; the slides say likewise, but note that security via obscurity is not totally secure. There are better means to fingerprint machines and users too. If I am the attacker, I need to be pretty savvy on the clock skew and uptime per se to gather enough to fingerprint the user and machine. I do not have such luxury of time; it can be better spent on other means to understand the environment. The segment can be complex, with intermediaries making it harder to fully and correctly map the segments.

Load balancing makes it tougher. I see the point is this: the 'there are other ways to gather the same intel' excuse. If it has been so serious for so long, why has there been no action? Compared to Heartbleed, which can be exploited, which is more severe? Make a risk assessment judgment call. You cannot close everything and expect system security to work off.
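As an added example (not code from the thread or from any of the vendors mentioned), this Python script does in code what the two technical points above describe: it parses the TCP Timestamps option out of a raw header the same way the Wireshark filter earlier in the thread does (option present and TSval non-zero, which is the value an uptime guess is derived from), and it applies the PAWS acceptance rule that is lost once timestamps are disabled. The SYN/ACK headers are constructed sample data; ports, sequence numbers and TSval values are made up for the test.

```python
import struct

TS_KIND = 8  # TCP option kind for Timestamps (RFC 7323)


def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return {kind: option data} for the options carried in a raw TCP header."""
    data_offset = (tcp_header[12] >> 4) * 4       # header length in bytes
    opts = tcp_header[20:data_offset]
    parsed, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # End of Option List
            break
        if kind == 1:                             # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        parsed[kind] = opts[i + 2:i + length]
        i += length
    return parsed


def timestamp_option(tcp_header: bytes):
    """Same test as the Wireshark filter
    tcp.options.timestamp.tsval && !(tcp.options.timestamp.tsval == 0):
    return (TSval, TSecr) only if the option is present and TSval is non-zero."""
    data = parse_tcp_options(tcp_header).get(TS_KIND)
    if data is None or len(data) != 8:
        return None
    tsval, tsecr = struct.unpack("!II", data)
    return (tsval, tsecr) if tsval != 0 else None


def paws_accept(ts_recent: int, tsval: int) -> bool:
    """PAWS (RFC 7323 section 5.3): a segment whose TSval is older than the last
    TSval accepted on the connection (TS.Recent) is treated as an old duplicate
    and dropped. The comparison is modulo 2**32, so a wrapped counter still
    counts as newer. Without the option this protection is simply not available."""
    return ((tsval - ts_recent) & 0xFFFFFFFF) < 0x80000000


def build_tcp_header(tsval=None, tsecr=0) -> bytes:
    """Constructed SYN/ACK header (sample data, not a capture from the thread):
    NOP, NOP, Timestamps option when tsval is given, a bare 20-byte header otherwise."""
    opts = b"" if tsval is None else b"\x01\x01" + struct.pack("!BBII", TS_KIND, 10, tsval, tsecr)
    offset_byte = ((20 + len(opts)) // 4) << 4
    # src port 3389, dst port, seq, ack, data offset, flags SYN|ACK, window, checksum, urgent
    fixed = struct.pack("!HHIIBBHHH", 3389, 50000, 1, 1, offset_byte, 0x12, 65535, 0, 0)
    return fixed + opts
```

A server whose SYN/ACK yields `None` from `timestamp_option` is the state the thread is trying to reach on Windows; a non-zero TSval is what nmap's verbose output turns into an uptime figure.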

Last: disable at the OS, as that is the root cause; otherwise you still face internal threats. More intermediary devices means you need to disable them too, all contributing even if they are proxies.

Would the following be logical/correct to say: disabling TCP timestamps has the least impact on performance, as the server's LAN speed is much higher, and PAWS/RTTM are not relevant in the servers'/VMs' context, more for WANs and possibly congested LANs?

By disabling TCP timestamps on network devices, the risk is on the network, which will affect the network (something that's shared by many servers), while if it's only servers/VMs, the risk of performance impact is more localized to specific servers/VMs (say during high traffic congestion/utilization). I won't be testing these on physical servers, as ultimately it's on Win2008 R2 VMs that I need to fix this TCP timestamp issue.

> There should be security devices to monitor for anomalous activities and malformed packets

Are you referring to PAWS or TCP timestamps in the above anomalous activities or malformed packets? I'm still interested in exactly how gheist did it on Win 7. This unreliable disabling of TCP timestamps was reported on both Win 7 and Win2008, so if only we could pinpoint the differences between what gheist and I have done, it may shed some light.

Doubt so for Windows, as it should be working with those registry values already set, but the test still yields the timestamp value in the return. Even the setting of the NIC card did not show a significant difference in your case.

The block will then have to rely on the external FW or proxy to filter it off, but if anyone has concerns (the system owner on risk, or the security vendor or contractor fearing deteriorated services), then it comes down to an informed risk-based decision by the owner. Security is a driver to support the business running and not the main business derivative, though avoiding damage indirectly saves the cost of handling any lapses.

Strike a balance. As a whole, I see the risk is not high, since a cyber kill chain requires more than just knowing the uptime, and knowing it for a prolonged period, to further any malicious long-term penetration or damage. Otherwise consider other non-Windows systems to helm the critical service while performance plays a backstage role, which may even include refurbishing the server and segregating the traffic so it is reachable only via authorised internal-only segments.

Pardon me if I digress, but we do want to close uptime cases if they do exist and are due to an installed application, like this recent one: the Up.time agent for Windows contains multiple vulnerabilities due to unsecured and anonymous connections that can cause DDoS and/or information gathering attempts.
