1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Disabling Netbios in the network

Discussion in 'Computer Security' started by nugget, Mar 2, 2010.

  1. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224
    Hi all. I've been reading through my security+ book and came across some little tidbit that tells me I should consider blocking ports 135 and 137-139, ie Netbios (and DCOM). Now, as we all know, MS deprecated Netbios in favour of DNS (which begs me to ask why the hell they still put it in windows 7).

    I remember trying this on a win2k system quite a few years ago and the system couldn't do anything on the network. At the time I was new to IT and it was a real headscratcher for me until I realised that we ran a SuSE 7.2 server as 'DC' and file srver.

    The thing is, I know the why and how to do this and I also agree with it. My question is, is there anyone that has disabled Netbios completely in their network and if so what are the effects?
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  2. SimonD

    SimonD Terabyte Poster Moderator

    3,463
    397
    199
    There are still going to be legacy apps that require netbios name resolution somewhere out there, even as recently as Exchange 2003 (I don't know about 2007 or 2010). Netbios simply won't die fully.

    I think as an organisation you have to know fully whether any of your applications require netbios or dns name resolution, if you can't say for sure then you may have some unexplained headaches if you do block it off.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
    WIP: VCP6-CMA, VCAP-DCD and Linux + (and possibly VCIX-NV).
  3. jk2447

    jk2447 Petabyte Poster Moderator

    5,481
    352
    249
    I always find its because of some ancient Windows 98 machine on finance or accounts where a legacy app hasn't been updated or replaced :rolleyes: In an ideal world we would all have the latest technology deployed and disable the ports used by the outdated stuff, so I think thats where they are going with that statement Nugget. That if you upgrade your software, infrastructure or what ever, you should check if the old stuff used a port that will otherwise remain open forever and therefore open to attack. Kinda like good house keeping. I'm tired, ignore me ha
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  4. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    In my experience, it's not been worth messing with. My policy is this: as long as things are working, don't mess with it.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  5. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Exactly, unless you are having network problems or a moving to a more secure networking environment why give yourself the hassle?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  6. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224
    Shouldn't we all be working towards that? :twisted:
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  7. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    ...true.

    But do you want the network to be so secure that nothing works? :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  8. jk2447

    jk2447 Petabyte Poster Moderator

    5,481
    352
    249
    I think one Security manager I know does ha ha
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  9. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224

    If it means less problems.......then of course. :twisted:
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  10. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    That's just the problem. If you;re running anything, anywhere, that needs NetBIOS, it doesn't mean less problems - it means more problems. The days of NetBIOS vulnerabilities bringing networks to their knees are (or, at least should be) over. The need to eliminate the chattiness has also disappeared (that argument might have held true in the days of 10mb hubs, but not with most places now running at least 100mb switched environments).

    Provided you aren't exposing file shares to the Internet (and if you are, you need taking outside and shooting anyway), NetBIOS presents no risk to you. If you KNOW you have no apps that need it, aren't running Exchange 2003 anywhere (and you should double DOUBLE check to make sure E2K7 doesn't need it), then disable it using a DHCP option. otherwise, relax - there are more important things to worry about.
     
    Certifications: A few
    WIP: None - f*** 'em
  11. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224

    No problem zeb. I wasn't really looking to do anything about it, it was just something that's nagged at me for a long time. We've all heard for many years about the problems caused by the netbios ports being open and I was just wondering what anyone has really done about the problem in their networks.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  12. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224
    Just as a quick edit to this thread. I have just received multiple users with the same report. I might have it all wrong but to it looks like an attempted scan on port 139.

    [​IMG]
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  13. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Nug - the remote address is private. what is 192.168.34.255
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  14. supernova

    supernova Gigabyte Poster

    1,422
    21
    80
    and NETBIOS is broadcast based
     
    Certifications: Loads
    WIP: Lots
  15. supernova

    supernova Gigabyte Poster

    1,422
    21
    80
    networks broadcast address i would guess
     
    Last edited: Mar 8, 2010
    Certifications: Loads
    WIP: Lots

Share This Page

Loading...