TCP1323Opts question - TCP Timestamps

    Question

  • Hi,

     

    We have to be PCI-DSS compliant and have several Windows servers running ISA and TMG.

    We have:

    Win 2K with ISA 2000 (on its way out)

    Win 2K3 with ISA 2006

    Win 2K8 R2 with TMG 2010

     

    All of these servers, in the registry have TCP1323Opts set to '0' as per http://technet.microsoft.com/en-us/library/cc938205.aspx to disable TCP Timestamps.

    This is confirmed using Netsh where RFC 1323 Timestamps : disabled

     

    However, for PCI-DSS compliance we have to run vulnerability scans.

    Although only informational, all these servers come back as giving Timestamp replies.

     

    Although vulnerabilities due to this are minimal, from the timestamp it can be calculated how long a server has been running, and therefore you can work out if it is missing the latest patches due to a lack of a reboot.

     

    I'm mainly puzzled as to why this is showing up when it is meant to be disabled.

    I've searched high and low across the Internet and can't find anything apart from the instructions as to how to change that reg entry.

    Do I need to do anything extra for the driver or something?

     

    Any help appreciated,

     

    Adrian

    Friday, October 22, 2010 7:44 AM

Answers

  • Hi,

    Thanks for the post.

    Please check if you add the Tcp1323Opts registry key as follows:

    Tcp1323Opts

    Key: Tcpip\Parameters

    Value Type: REG_DWORD—number (flags)

    Valid Range: 0 or 2

    0 (disable the use of the TCP timestamps option)
    2 (enable the use of the TCP timestamps option)


    Default: No value.

    Description: This value controls the use of the RFC 1323 TCP Timestamp option. The default behavior of the TCP/IP stack is to not use the Timestamp options when initiating TCP connections, but use them if the TCP peer that is initiating communication includes them in their synchronize (SYN) segment.

    For more information about TCP/IP Registry Values, you could access this link:

    http://download.microsoft.com/download/c/2/6/c26893a6-46c7-4b5c-b287-830216597340/tcpip_reg.doc

    Hope this helps.

    Miles

    Monday, October 25, 2010 7:52 AM
    Moderator

All replies

  • Hi,


    Sorry about the late reply, I've been on holiday.

     

    Unfortunately I've got the Tcp1323Opts option set to 0 but the PCI-DSS vulnerability tests we have done still show timestamps.

     

    I'm stumped...

    Tuesday, November 02, 2010 1:24 PM
  • Any progress on this issue? I am seeing the same results with the registry entry set to 0 and netsh results show it as disabled but the PCI scan is showing it enabled. Any insight would be appreciated.
    Wednesday, March 23, 2011 8:35 PM
  • Sounds stupid, but verify/set the Tcp1323Opts=0 in CurrentControlSet001, 002, etc as well.  I've seen weird stuff like that before
    Thursday, March 24, 2011 2:35 AM
  • Sorry to jump on someone else's thread, but I'm also having this issue. I've verified Tcp1323Opts=0 is set in all CurrentControlSets correctly, and using netsh it's showing as disabled, but our PCI scans are still reporting it's enabled (as are our Nessus scans).

    Any information anyone can give would be very helpful

    Thanks

    Friday, April 08, 2011 9:16 AM
  • This answer does not seem adequate when several of us have the same issue and still have a flag reported by the PCI compliance scan.  Someone suggested setting the parameters in the other control sets (beyond current control set).  No one has mentioned also setting the parameters for IPv6, does it matter?  I have added it to all these places and will let you know the result of my next scan.
    Friday, April 15, 2011 4:12 PM
  • Failed again... any other registry settings we need to change related to this?

    Thursday, April 21, 2011 3:26 PM
  • I'm having this same issue.  Any updates on this thread?
    Friday, July 08, 2011 5:10 PM
  • We never succeeded with an automated PCI compliance scan even after making all the suggested changes by the vendor and Microsoft.  We finally got resolution by contacting the vendor running the scan for us and making a manual exception to override the results and we passed.  So I can only suggest you do the same and hopefully your compliance vendor will give you approval.
    Friday, July 08, 2011 5:58 PM
  • Could it be the scanner is getting the timestamp response from an intermediary device (firewall, router, load balancer, etc..) that it is scanning through? The scanner should give the timestamp that it is receiving back (system uptime usually). Seems odd that netsh is showing that it is already disabled on the device. Is it getting flagged on all your devices, or just that one?
    Monday, July 18, 2011 7:12 PM
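    The original question (reading uptime off the timestamp) and the reply above (check what the scanner is actually receiving, and from whom) both come down to the same observable: whether the SYN/ACK that reaches the scanner carries the RFC 1323 Timestamps option (kind 8) and what TSval it holds. The following is an added example, not code from this thread or from Microsoft: it decodes the option list of a raw TCP segment, reports the TSval/TSecr pair if present, and estimates uptime from two TSval samples. The segments are constructed inline by the helper `build_syn_ack` (written for this example), and the 100 Hz tick rate used in the demo is an assumption, not a documented Windows value.

```python
"""Added example (not from the forum thread): decode the option list of a raw
TCP segment, report whether the peer sent an RFC 1323 Timestamps option
(kind 8) and what TSval it carries, and estimate the peer's uptime from two
TSval samples.  The segments used below are constructed by hand, not captured."""
import struct

TCP_OPT_EOL = 0        # end of option list
TCP_OPT_NOP = 1        # padding
TCP_OPT_MSS = 2
TCP_OPT_TIMESTAMP = 8  # RFC 1323 / RFC 7323 Timestamps, length 10


def parse_tcp_options(segment: bytes) -> list:
    """Return [(kind, payload), ...] from the options area of a TCP header."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    data_offset = (segment[12] >> 4) * 4       # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = segment[20:data_offset]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found


def timestamp_option(segment: bytes):
    """Return (TSval, TSecr) if the segment carries a Timestamps option, else None.
    A scanner reports 'timestamps enabled' exactly when this is not None."""
    for kind, payload in parse_tcp_options(segment):
        if kind == TCP_OPT_TIMESTAMP and len(payload) == 8:
            return struct.unpack("!II", payload)
    return None


def estimate_uptime(tsval1: int, t1: float, tsval2: int, t2: float):
    """Estimate (uptime_seconds, tick_hz) from two TSval samples taken at
    wall-clock times t1 < t2.  Assumes the peer starts its timestamp clock at
    zero on boot and the 32-bit counter has not wrapped more than once; stacks
    that randomise the TSval offset per connection make the result meaningless."""
    dt = t2 - t1
    if dt <= 0:
        raise ValueError("samples must be in chronological order")
    ticks = (tsval2 - tsval1) & 0xFFFFFFFF     # tolerate a single wrap
    hz = ticks / dt
    if hz <= 0:
        raise ValueError("timestamp counter did not advance")
    return tsval2 / hz, hz


def build_syn_ack(sport: int, dport: int, tsval=None, tsecr: int = 0) -> bytes:
    """Constructed test data: a minimal SYN/ACK header (no IP header) with an MSS
    option and, if tsval is given, a NOP,NOP,Timestamps option block."""
    opts = struct.pack("!BBH", TCP_OPT_MSS, 4, 1460)
    if tsval is not None:
        opts += b"\x01\x01" + struct.pack("!BBII", TCP_OPT_TIMESTAMP, 10, tsval, tsecr)
    opts += b"\x00" * (-len(opts) % 4)            # pad to a 32-bit boundary
    data_offset = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 1,
                      data_offset << 4, 0x12, 65535, 0, 0)  # flags 0x12 = SYN|ACK
    return hdr + opts


if __name__ == "__main__":
    # Host that honours "timestamps disabled": no kind-8 option at all.
    print(timestamp_option(build_syn_ack(443, 40000)))
    # Host (or an intermediary answering on its behalf) that still sends them.
    print(timestamp_option(build_syn_ack(443, 40000, tsval=1_000_000)))
    # Two probes one second apart; assumed 100 Hz tick rate.
    print(estimate_uptime(1_000_000, 0.0, 1_000_100, 1.0))
```

    To use this against a real finding, capture the SYN/ACK on the scanner side (tcpdump or Wireshark), strip the IP header, and pass the remaining bytes to `timestamp_option`. If a kind-8 option is present with a TSval that keeps climbing between probes while netsh on the server says timestamps are disabled, the answer is coming from something other than the Windows stack you configured, which is the intermediary case raised in the reply above.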
  • Just chiming in to let you know we are seeing the same issues.  Our XP boxes will take the netsh command to disable icmp timestamp response and it will correct the issue.  However, any OS newer than XP/2003, we see the same issue as all of you with the scans showing a "fail" on the 1323 TimeStamp Response, when every setting possible is already modified with disable or 0.

    Like Boys Ranch Tech, since the CVSS score is 0, we are going to make the same manual exception.

    Thursday, March 22, 2012 8:29 PM
  • While not official Microsoft documentation, this Symantec page seems to indicate that Tcp1323Opts is deprecated in Windows Server 2008 and Windows Server 2008 R2. So I guess the question is - what has it been replaced by?

    http://www.symantec.com/business/support/index?page=content&pmv=print&impressions=&viewlocale=&id=HOWTO56222


    NightOwl888

    Monday, July 16, 2012 1:22 PM
  • While researching similar things, I came across this thread, and this possible reference:

    http://technet.microsoft.com/en-us/library/cc731258(WS.10).aspx#BKMK_6

    netsh int tcp set global timestamps=enabled

    Looks like it might be worth a try.

    (Post provided as-is and without warranty. Your mileage may vary. Some geese may like chalk.)

    Tuesday, October 23, 2012 11:53 PM
  • Hi

    Did anyone get this resolved, I still cannot disable timestamps on 2012 Server.

    This is running on a VM in the Azure Cloud, could that have an effect?

    Wednesday, October 16, 2013 2:13 PM
  • Look into PowerShell cmdlets, since Microsoft is deprecating commands from the prompt in current and future versions of Windows. PowerShell is the new Command Prompt and once you learn it, it's MUCH easier to understand as the commands are more literally worded than commands in the DOS Prompt. No more going into sub-section prompts like netsh interface tcp.

    All you type is:

    Set-NetTCPSetting -SettingName InternetCustom -Timestamps Disabled

    This will actually change all the valid SettingNames' (Datacenter, Internet, Local, etc.) Timestamps value to your preference.

    Run Powershell in Administrator mode (Server 2012 is x64 only so no x86 version to worry about) to be allowed access to internal system values. Microsoft did well with tightening security of changes in Windows 8 and Server 2012.

    • Edited by MDA400 Monday, November 04, 2013 12:25 AM
    Monday, November 04, 2013 12:19 AM
  • The scanner I use states that this cannot be reliably done on operating systems Windows Vista or newer. I've had several vendors suggest the registry change to TCP1323Opts, and the "netsh int tcp set global timestamps=disabled" change, and neither change stuck when scanning. I don't have any Vista machines, so I can't confirm it on those, but everything newer doesn't seem to stay disabled, even though they show they are.
    Tuesday, April 15, 2014 1:43 AM