How to disable Windows Server 2008 timestamp response

Tags: timestamp, windows-server-2008

Posted this question on Stack Overflow but then got instructed to post it here:

I was using Rapid7's Nexpose to scan one of our web servers (Windows Server 2008), and got a vulnerability for timestamp response.

According to Rapid7, timestamp response shall be disabled: http://www.rapid7.com/db/vulnerabilities/generic-tcp-timestamp

So far I have tried several things:

  1. Edit the registry, add a "Tcp1323Opts" key to HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, and set it to 0. http://technet.microsoft.com/en-us/library/cc938205.aspx

  2. Use this command: netsh int tcp set global timestamps=disabled

  3. Tried PowerShell command: Set-netTCPsetting -SettingName InternetCustom -Timestamps disabled (got error: Set-netTCPsetting : The term 'Set-netTCPsetting' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.)

None of the above attempts was successful; after a re-scan we still got the same alert.

Rapid7 suggested using a firewall that's capable of blocking it, but we want to know if there is a setting on Windows to achieve it.

Is it through a specific port? If yes, what is the port number? If not, could you suggest a 3rd party firewall that is capable of blocking it?

Thank you very much.

Best Answer

I suppose you've misunderstood the recommendation. It does not say "disable TCP timestamp responses"; it just says "you might want to disable TCP timestamp responses". Unless you have declared the uptime of your hosts as confidential information, you really should not bother. As for fingerprinting, there are plenty of other sources providing more detailed information than the TCP timestamp.

But concerning your questions: no, the timestamp response is not a service available through a TCP port, it is an option available in TCP itself and requested and answered through TCP headers of an existing connection. Disabling TCP timestamps might break some TCP optimizations.

It is not a good idea to just filter timestamp request packets as it might break connections. The only sane way to help this would be manipulating TCP headers to either fake the appropriate responses or make sure that RFC 1323 extensions are not negotiated upon connection setup. I have no idea which products do this.

It appears that the parameter Tcp1323Opts has been deprecated and is no longer evaluated. The Rapid7 site itself is stating for Windows Server 2008:

TCP timestamps cannot be reliably disabled on this OS.
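To check independently of the scanner whether a host still negotiates the RFC 1323 extensions, the TCP options of its SYN-ACK (taken from a packet capture of a connection whose SYN offered timestamps) can be parsed directly. The following is an added example, not part of the original answer; the function names are hypothetical and the two sample headers are constructed, not captured from a real server.

```python
import struct

# TCP option kinds (RFC 793 / RFC 1323)
EOL, NOP, MSS, WSCALE, SACK_OK, TIMESTAMP = 0, 1, 2, 3, 4, 8

def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return {kind: value_bytes} for the options of one raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4      # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts, i, raw = {}, 0, tcp_header[20:data_offset]
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:                          # end of option list / padding
            break
        if kind == NOP:                          # single-byte alignment filler
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option length")
        opts[kind] = raw[i + 2:i + raw[i + 1]]
        i += raw[i + 1]
    return opts

def rfc1323_status(tcp_header: bytes) -> dict:
    """Report which RFC 1323 extensions a SYN-ACK agreed to."""
    opts = parse_tcp_options(tcp_header)
    ts = opts.get(TIMESTAMP)
    status = {"timestamps": ts is not None and len(ts) == 8,
              "window_scaling": WSCALE in opts, "tsval": None}
    if status["timestamps"]:
        status["tsval"], _tsecr = struct.unpack("!II", ts)
    return status

def build_synack(options: bytes) -> bytes:
    """Constructed sample: a SYN-ACK header from port 80 with the given options."""
    options += b"\x00" * (-len(options) % 4)     # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 80, 50000, 1000, 2001,
                       offset << 4, 0x12, 8192, 0, 0) + options

# Constructed samples: one reply echoing timestamps, one without them.
WITH_TS = build_synack(bytes([2, 4, 5, 0xB4, 1, 3, 3, 8, 1, 1, 8, 10])
                       + struct.pack("!II", 123456789, 42))
WITHOUT_TS = build_synack(bytes([2, 4, 5, 0xB4, 1, 3, 3, 8]))

if __name__ == "__main__":
    print(rfc1323_status(WITH_TS), rfc1323_status(WITHOUT_TS))
```

A SYN-ACK that still carries option kind 8 after a configuration change means the setting was not applied, which is the result the re-scan in the question reported.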