Disabling NETBIOS

Discussion in 'Network Infrastructure' started by zimbo, Jul 30, 2006.

  1. zimbo
    Honorary Member

    zimbo Petabyte Poster

    I remember reading this thread not long ago... I reached my MS press book and they have a section on Disabling NetBIOS for security reasons if you are not running pre 2k machines. So will DNS run the whole show if you totally disable NetBIOS - and I understand some features like browsing the network will not but what other implications would one face?
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  2. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    http://www.petri.co.il/disable_netbios_in_w2k_xp_2003.htm

    Any good Zim? :blink
     
  3. zimbo
    Honorary Member

    zimbo Petabyte Poster

    Thanks si!
    Something I don't get is why disable it in the first place? :blink
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  4. Baba O'Riley

    Baba O'Riley Gigabyte Poster

    I guess if you were using a Windows workstation in a predominately non-Windows environment (e.g. in a Netware server network), there would be no need having it installed.
     
    Certifications: A+, Network+
    WIP: 70-270
  5. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Because it is fundamentally insecure Zimbo.

    More here..
    http://infosec.vasc.com.vn/pls/wcm/show(0,162,456)
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  6. zimbo
    Honorary Member

    zimbo Petabyte Poster

    Thanks Pete! :thumbleft
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  7. Baba O'Riley

    Baba O'Riley Gigabyte Poster

    Surely that's only if you're using NetBIOS over TCP/IP?

    Also, you could use protocol isolation, which is talked about at the bottom of Bluerinse's link.
     
    Certifications: A+, Network+
    WIP: 70-270
  8. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    I thought NetBIOS solely was a good security measure due to it being a non-routable protocol? I assume we are referring to NetBIOS over TCP/IP?

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  9. GW

    GW Byte Poster

    Anyone that makes a NetBIOS connection to your computer can easily get a full accounting of usernames, groups, shares, permissions, policies, services and more.

    Example:

    C:\>net use \\192.168.3.2\IPC$ "" /u:""

    This syntax connects to the hidden InterProcess Communication share (IPC$) at IP 192.168.3.2 as the built-in anonymous user (/u:"") with a null password ("").

    A communication channel is now established for an attacker to use.

    The CIFS/SMB and NetBIOS standards in Windows 2000 include APIs that return information over TCP port 139 even without authenticating.

    If the above command completes successfully, further exploitation can be brought to bear on the system.

    One thing that a person could use is a tool called NBTscan to scan IP networks for any NetBIOS name information. For each found host it will then list the IP address, NetBIOS computer name, logged-in user name as well as MAC address.

    Usually, an attacker will try to get a list of hosts attached to the wire.

    > c:\>net view /domain
    > c:\>nbtstat -A <IP Address>

    Of course Windows 2003 has more security against NetBIOS attacks; Windows 2000 was a good OS to exploit for NetBIOS attackers.

    GW
     
    Certifications: MCP x4, CompTia x3
    WIP: Cisco CCNA
  10. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Thanks, a great post. :)

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  11. zimbo
    Honorary Member

    zimbo Petabyte Poster

    Thanks for that! So it would be good to disable NetBIOS in this case?
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  12. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Will do a search, but hasn't this come up before where if you disable NetBIOS it causes all sorts of problems? :blink

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  13. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Yes, that is the caveat: many so-called legacy apps (old applications) still require it and so they won't work without it.

    The gist I get is that Microsoft are trying to move away from NetBIOS by using such things as Active Directory to publish shared resources but at the moment the vast majority of organisations need and rely on it :blink
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
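
As an added example (not part of any poster's message), a read-only PowerShell check a defender could run to see whether a host still exposes what this thread discusses: NetBIOS over TCP/IP per adapter, a listener on TCP 139, and the registry values that govern anonymous (null session) access. It assumes Windows 8 / Server 2012 or later and an elevated prompt.

```powershell
# Added example (not from the thread): read-only audit; it changes nothing on the host.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell prompt.
$nbtMeaning = @{ 0 = 'Default (follow DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

# 1. NetBIOS over TCP/IP state for each IP-enabled adapter.
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        [pscustomobject]@{
            Adapter = $_.Description
            IP      = $_.IPAddress -join ', '
            NetBT   = $nbtMeaning[[int]$_.TcpipNetbiosOptions]
        }
    }

# 2. Is anything listening on TCP 139 (NetBIOS session service)?
$listen139 = @(Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue)

# 3. Registry values that control anonymous (null session) access.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$nullTargets = @(@($srv.NullSessionPipes) + @($srv.NullSessionShares) | Where-Object { $_ })

$findings = @()
if ($adapters | Where-Object { $_.NetBT -ne 'Disabled' }) {
    $findings += 'NetBIOS over TCP/IP is not explicitly disabled on every adapter'
}
if ($listen139.Count -gt 0) {
    $findings += 'TCP 139 is listening on: ' + (($listen139.LocalAddress | Sort-Object -Unique) -join ', ')
}
if ([int]$lsa.RestrictAnonymous -lt 1) {
    $findings += 'RestrictAnonymous is 0 or not set: anonymous enumeration of SAM accounts and shares is not blocked'
}
if ([int]$lsa.RestrictAnonymousSAM -lt 1) {
    $findings += 'RestrictAnonymousSAM is 0 or not set: anonymous enumeration of SAM accounts is not blocked'
}
if ([int]$lsa.EveryoneIncludesAnonymous -ne 0) {
    $findings += 'EveryoneIncludesAnonymous is enabled: Everyone permissions apply to anonymous users'
}
if ($srv.RestrictNullSessAccess -eq 0) {   # flags only an explicit 0, not a missing value
    $findings += 'RestrictNullSessAccess is 0: anonymous access to named pipes and shares is not restricted'
}
if ($nullTargets.Count -gt 0) {
    $findings += 'Pipes/shares reachable by null sessions: ' + ($nullTargets -join ', ')
}

$adapters | Format-Table -AutoSize
if ($findings) { $findings } else { 'No NetBIOS or null-session findings on this host.' }
```

Before disabling NetBIOS over TCP/IP on the adapters this reports, check for the legacy applications mentioned in the thread, since they may stop working without it.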
