Disabling Netbios in the network

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi all. I've been reading through my security+ book and came across some little tidbit that tells me I should consider blocking ports 135 and 137-139, ie Netbios (and DCOM). Now, as we all know, MS deprecated Netbios in favour of DNS (which begs me to ask why the hell they still put it in windows 7).

I remember trying this on a win2k system quite a few years ago and the system couldn't do anything on the network. At the time I was new to IT and it was a real headscratcher for me until I realised that we ran a SuSE 7.2 server as 'DC' and file srver.

The thing is, I know the why and how to do this and I also agree with it. My question is, is there anyone that has disabled Netbios completely in their network and if so what are the effects?

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

There are still going to be legacy apps that require netbios name resolution somewhere out there, even as recently as Exchange 2003 (I don't know about 2007 or 2010). Netbios simply won't die fully.

I think as an organisation you have to know fully whether any of your applications require netbios or dns name resolution, if you can't say for sure then you may have some unexplained headaches if you do block it off.

 

In my experience, it's not been worth messing with. My policy is this: as long as things are working, don't mess with it.

 

Shouldn't we all be working towards that?

 

If it means less problems.......then of course.

 

That's just the problem. If you;re running anything, anywhere, that needs NetBIOS, it doesn't mean less problems - it means more problems. The days of NetBIOS vulnerabilities bringing networks to their knees are (or, at least should be) over. The need to eliminate the chattiness has also disappeared (that argument might have held true in the days of 10mb hubs, but not with most places now running at least 100mb switched environments).

Provided you aren't exposing file shares to the Internet (and if you are, you need taking outside and shooting anyway), NetBIOS presents no risk to you. If you KNOW you have no apps that need it, aren't running Exchange 2003 anywhere (and you should double DOUBLE check to make sure E2K7 doesn't need it), then disable it using a DHCP option. otherwise, relax - there are more important things to worry about.

 

No problem zeb. I wasn't really looking to do anything about it, it was just something that's nagged at me for a long time. We've all heard for many years about the problems caused by the netbios ports being open and I was just wondering what anyone has really done about the problem in their networks.

 

Just as a quick edit to this thread. I have just received multiple users with the same report. I might have it all wrong but to it looks like an attempted scan on port 139.

 

Nug - the remote address is private. what is 192.168.34.255

 

and NETBIOS is broadcast based

 

networks broadcast address i would guess