Re: MS patch-scanner for Win-NT, 2K, IIS, SQL

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 08/16/01


Message-ID: <024201c125eb$426e4630$0b00010a@lauradominion.com>
From: "Laura A. Robinson" <larobins@bellatlantic.net>
To: "Adcock, Matt" <Matthew.Adcock@GSCCCA.ORG>, "'Stadler, Brian T'" <bstadler@ukans.edu>, <flynngn@jmu.edu>
Subject: Re: MS patch-scanner for Win-NT, 2K, IIS, SQL
Date: Wed, 15 Aug 2001 20:34:48 -0400


*Sorry*, but you did not read what I wrote. *Workstation logon
restrictions*, clusters and applications require NetBIOS. This has nothing
to do with the Kerberos authentication process; it has to do with the
workstation restriction attribute on the user account in AD where and how
this information is stored.

From:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/security_properties.asp

"
userWorkstations
The userWorkstations property is a single-valued property containing the
NetBIOS names of the computers running Windows NT Workstation/Windows 2000
Professional from which the user can log on. Each NetBIOS name is separated
by a comma. The NetBIOS name of a computer is the sAMAccountName property of
a computer object.
If there are no values set, it indicates that there is no restriction. To
disable logons from all computers running Windows NT Workstation/Windows
2000 Professional to this account, set the UF_ACCOUNTDISABLE value in
userAccountControl property.

This value is defined in LMACCESS.H."

I know what I am talking about on this one.

Laura A. Robinson
Technical Instructor/Consultant
MCT, MCSE, CLI, PCLP
IntelliMark Pennsylvania Division
http://www.intellimark-it.com
lrobinson@intellimark-it.com
----- Original Message -----
From: "Adcock, Matt" <Matthew.Adcock@GSCCCA.ORG>
To: "'Laura A. Robinson'" <larobins@bellatlantic.net>; "Adcock, Matt"
<Matthew.Adcock@GSCCCA.ORG>; "'Stadler, Brian T'" <bstadler@ukans.edu>;
<flynngn@jmu.edu>
Cc: "Focus on Microsoft Mailing List" <FOCUS-MS@SECURITYFOCUS.COM>;
<bugtraq@SECURITYFOCUS.COM>
Sent: Wednesday, August 15, 2001 6:13 PM
Subject: RE: MS patch-scanner for Win-NT, 2K, IIS, SQL

> Sorry, but logons don't require NetBIOS in Win2K. As I stated before, the
> directory and OS don't need it at all in a pure 2K environment. Win2K
> DNS/LDAP can completely replace WINS in a pure environment. WINS was a
> failed implementation of internal DNS, and MS has gone back to a more pure
> directory services implementation with Win2K DNS/LDAP. From
> http://support.microsoft.com/support/kb/articles/Q299/9/77.ASP:
>
> <quote>
> Windows 2000 uses NetBIOS over TCP/IP to communicate with prior versions of
> Windows NT and other clients, such as Microsoft Windows 95. Careful testing
> should be done before disabling NetBIOS over TCP/IP in any production
> environment. Programs and services that depend on NetBIOS no longer function
> after you disable NetBT services, so it is important that you verify that
> your clients and programs no longer need NetBIOS support before you disable
> it.
> </quote>
>
> I did not mean to imply that it's necessarily a good idea to remove it
> completely. See
> http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/WINDOWS2000/en/server/help/sag_WINS_und_NetbiosConceptsNode.htm
> for a discussion of where disabling NetBIOS is appropriate and how it
> affects Win2K machines.
>
> You're right about the apps, but as far as the OS is concerned, NetBIOS is
> just for backwards compatibility and completely unnecessary.
>
> Sorry,
> Matt
>
> -----Original Message-----
> From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
> Sent: Wednesday, August 15, 2001 6:00 PM
> To: Adcock, Matt; 'Stadler, Brian T'; flynngn@jmu.edu
> Cc: Focus on Microsoft Mailing List; bugtraq@SECURITYFOCUS.COM
> Subject: Re: MS patch-scanner for Win-NT, 2K, IIS, SQL
>
>
> Actually, workstation logon restrictions, clusters and some applications
> require NetBIOS, even in a pure Windows 2000 environment. You can disable
> NetBIOS as long as you have none of these things.
>
> Laura A. Robinson
> Technical Instructor/Consultant
> MCT, MCSE, CLI, PCLP
> IntelliMark Pennsylvania Division
> http://www.intellimark-it.com
> lrobinson@intellimark-it.com
> ----- Original Message -----
> From: "Adcock, Matt" <Matthew.Adcock@GSCCCA.ORG>
> To: "'Stadler, Brian T'" <bstadler@ukans.edu>; <flynngn@jmu.edu>
> Cc: <focus-ms@securityfocus.com>; <bugtraq@securityfocus.com>
> Sent: Wednesday, August 15, 2001 3:51 PM
> Subject: RE: MS patch-scanner for Win-NT, 2K, IIS, SQL
>
>
> > You can't disable NetBIOS in an NT4 directory. Among **many** other things,
> > NetBIOS resolution is required for domain communications, including logons.
> > If you're running Active Directory, you can disable NetBIOS, since AD is
> > dependent on DNS, not NetBIOS. I think you mean you hope we all disable
> > NetBEUI, and I agree with you.
> >
> > -----Original Message-----
> > From: Stadler, Brian T [mailto:bstadler@ukans.edu]
> > Sent: Wednesday, August 15, 2001 12:35 PM
> > To: 'Gary Flynn'; Thomas C. Greene
> > Cc: focus-ms@securityfocus.com; bugtraq@securityfocus.com
> > Subject: RE: MS patch-scanner for Win-NT, 2K, IIS, SQL
> >
> >
> > No, NetBIOS has to be enabled for this to work. I hope all of you disable
> > NetBIOS.
> >
> >
> > -----Original Message-----
> > From: Gary Flynn [mailto:flynngn@jmu.edu]
> > Sent: Wednesday, August 15, 2001 10:51 AM
> > To: Thomas C. Greene
> > Cc: focus-ms@securityfocus.com; bugtraq@securityfocus.com
> > Subject: Re: MS patch-scanner for Win-NT, 2K, IIS, SQL
> >
> >
> > "Thomas C. Greene" wrote:
> > >
> > > which will scan all NT and/or 2K machines in a network from a single
> > > location
> > >
> > > information such as the files in each patch and their file versions
> > > and checksums, registry keys that would be applied by the hotfix,
> >
> > Is it safe to assume that the scanning machine must have remote
> > administrative access to the machines to be checked in order to
> > check those files and registry settings?
> >
> > --
> > Gary Flynn
> > Security Engineer - Technical Services
> > James Madison University
> >
> > Please R.U.N.S.A.F.E.
> > http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml
>
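
The pre-change check this thread points to, as an added example that is not part of the original messages: before disabling NetBIOS over TCP/IP, list the accounts whose userWorkstations attribute is set, since the quoted MSDN text says it stores comma-separated NetBIOS names. The LDIF sample, account names, host names and domain are constructed, and the function names are hypothetical.

```python
import base64
UF_ACCOUNTDISABLE = 0x0002  # flag value as defined in LMACCESS.H
# Constructed LDIF export; accounts, hosts and domain are made up for this example.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512
userWorkstations: WKS-ACCT-01,WKS-ACCT-02,
 WKS-ACCT-03

dn: CN=Bob Example,CN=Users,DC=example,DC=test
sAMAccountName: bob

dn: CN=Carol Example,CN=Users,DC=example,DC=test
sAMAccountName: carol
userAccountControl: 514
userWorkstations:: V0tTLUxBQi0wMQ==
"""

def parse_ldif(text):
    """Return one dict per entry; unfolds wrapped lines, decodes '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation of the previous line
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):       # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[name.strip().lower()] = value.strip()
    return entries

def netbios_dependent_accounts(entries):
    """Accounts whose userWorkstations is set, i.e. restricted by NetBIOS name."""
    findings = []
    for e in entries:
        names = [n.strip().upper() for n in e.get("userworkstations", "").split(",") if n.strip()]
        if names:                           # no value means no restriction
            disabled = bool(int(e.get("useraccountcontrol", "0")) & UF_ACCOUNTDISABLE)
            findings.append({"account": e.get("samaccountname"), "workstations": names, "disabled": disabled})
    return findings
```

An empty result means no account in the export carries a workstation restriction; any account returned needs review before NetBT is turned off.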


