How to disable TCP SYN/ACK time stamps on Windows 2012 R2 in 2018

  • Question

  • To address penetration test findings against our Windows 2012 R2 servers, we were asked to disable TCP SYN/ACK time stamps because it allows an attacker to know the system uptime and figure out if a security patch that requires a reboot has not been installed.

    Please note, this is not the same thing as disabling the ICMP timestamp request (icmptype=13) that can be filtered with the Windows firewall.

    We tried both the recommended fixes from Microsoft, and neither one works (see below).

    ***Does not work***
     [HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
      "Tcp1323Opts"=dword:00000000 (Off)
      "Tcp1323Opts"=dword:00000002 (On)
       0 (disable RFC 1323 options)
       1 (window scaling enabled only)
       2 (timestamps enabled only)
       3 (both options enabled)

    ***Does not work***
     To set using netsh:
     netsh int tcp set global timestamps=disabled
     netsh int tcp show global

     TCP Global Parameters
     ----------------------------------------------
     RFC 1323 Timestamps                 : disabled

    ***Does not work***
     Or to set using PowerShell cmdlets:
     Set-NetTCPSetting -SettingName InternetCustom -Timestamps Disabled
     Get-NetTCPSetting -SettingName InternetCustom

     SettingName                     : InternetCustom
     Timestamps                      : Disabled

    And the systems were rebooted after making the change.

    We used nmap to check for TCP timestamps
    nmap -d -v -O server.domain.com
      Uptime guess: 1.067 days (since Mon Feb 26 08:16:48 2018)

    Confirmed with tcpdump
    tcpdump -vvv -X -i any 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0'

    16:19:03.361564 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
        server1.domain.com > server2.domain.com.47470: Flags [S.], cksum 0x529b (correct), seq 1584745091, ack 1655497867, win 28960, options [mss 1460,sackOK,TS val 1888795568 ecr 4294967295,nop,wscale 7], length 0

    Thank You!

    Tuesday, February 27, 2018 2:56 PM

Answers

  • Hi,

    I logged a support call with Microsoft, here is their answer:

    "Disabling TCP Timestamp only affects the outgoing traffic, for incoming traffic Microsoft has to honor it if the other side requests it."

    So it is not possible to disable TCP SYN/ACK timestamps on Windows.

    • Marked as answer by Mark D UGA Wednesday, March 7, 2018 7:46 PM
    Wednesday, March 7, 2018 7:23 PM

All replies

  • This is the description I have from my security scanner AlienVault:

    To disable TCP timestamps on Linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.

    To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'.

    Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled. The default behavior of the TCP/IP stack on these systems is to not use the Timestamp options when initiating TCP connections, but use them if the TCP peer that is initiating communication includes them in their synchronize (SYN) segment.

    I have not found a way previously to completely disable it including trying the following: https://social.technet.microsoft.com/Forums/windows/en-US/43a9bf3f-e995-4014-91ee-c8fa605097fb/block-tcp-timestamp-in-windows-server-2012?forum=winserver8gen


    Ahmed MALEK

    Tuesday, February 27, 2018 3:10 PM
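An added example, not part of the thread and not Microsoft's or AlienVault's code, for retesting the behavior that the marked answer and the scanner description above both describe: a Python parser for the TCP options area that labels a handshake by whether the SYN requested timestamps and whether the SYN/ACK carried them. The function names and the `build` helper are hypothetical; the option bytes are constructed, with the SYN/ACK values taken from the tcpdump line in the question.

```python
import struct
EOL, NOP, MSS, WSCALE, SACK_OK, TIMESTAMP = 0, 1, 2, 3, 4, 8  # TCP option kinds

def parse_tcp_options(raw: bytes) -> dict:
    """Walk the options area of a TCP header and return {kind: value bytes}."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:                      # end of option list
            break
        if kind == NOP:                      # one-byte padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]                  # counts the kind and length bytes too
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for option kind {kind}")
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts

def timestamp(raw: bytes):
    """Return (TSval, TSecr) when the timestamp option is present, else None."""
    value = parse_tcp_options(raw).get(TIMESTAMP)
    if value is None:
        return None
    if len(value) != 8:
        raise ValueError("timestamp option must carry 8 value bytes")
    return struct.unpack("!II", value)

def classify(syn_opts: bytes, synack_opts: bytes) -> str:
    """Label one handshake by who used the timestamp option."""
    asked, answered = (timestamp(o) is not None for o in (syn_opts, synack_opts))
    if asked and answered:
        return "negotiated: client requested timestamps and the server echoed them"
    if asked:
        return "declined: client requested timestamps, server omitted them"
    if answered:
        return "unsolicited: server sent timestamps nobody requested"
    return "absent: neither side used timestamps"

def build(ts=None) -> bytes:
    """Constructed sample options: mss 1460, sackOK, optional TS, nop, wscale 7."""
    ts_opt = b"" if ts is None else bytes([TIMESTAMP, 10]) + struct.pack("!II", *ts)
    return bytes([MSS, 4, 0x05, 0xB4, SACK_OK, 2]) + ts_opt + bytes([NOP, WSCALE, 3, 7])

if __name__ == "__main__":  # SYN/ACK values are from the tcpdump line in the question
    print(classify(build((4294967295, 0)), build((1888795568, 4294967295))))
```

For a retest, capture one handshake whose SYN carries the timestamp option and one whose SYN does not; "negotiated" for the first and "absent" for the second is the behavior described in this thread.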
  • Hi,

    Thanks for your question.

    I agree with MVP’s suggestion. Please refer to RFC1323 about TCP Extensions for High Performance and the link: https://social.technet.microsoft.com/Forums/windows/en-US/43a9bf3f-e995-4014-91ee-c8fa605097fb/block-tcp-timestamp-in-windows-server-2012?forum=winserver8gen

    Hope the information above is helpful to you.

    Please let us know if you would like further assistance.

    Wish you a nice day!

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, February 28, 2018 6:46 AM
  • Hi,

    How are things going? Was your issue resolved?

    Please let us know if you would like further assistance.

    Best regards,

    Michael



    Tuesday, March 6, 2018 10:59 AM
  • Hi Mark,

    Thanks for your posting here and sharing the resolution in the forum as it would be helpful to anyone who encounters similar issues.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best regards,

    Michael



    Friday, March 9, 2018 11:42 AM