RE: Using Messenger Service for 'Net Send' Functionality --- Dangerous?Why?

From: Jim Harrison (ISA) (jmharr_at_microsoft.com)
Date: 06/24/05

    Date: Fri, 24 Jun 2005 13:27:55 -0700
    To: "Kern, Tom" <tkern@CHARMER.COM>, "Thor (Hammer of God)" <thor@hammerofgod.com>
    
    

    Correct, but not all systems use SMB (W9x, for instance).
    It's almost always a layer-8 issue when someone wants / needs this sort
    of path opened.

    Jim Harrison
    Security Business Unit (ISA SE)
    "When you come to a fork in the road, take it."
    --Yogi Berra

    -----Original Message-----
    From: Kern, Tom [mailto:tkern@CHARMER.COM]
    Sent: Friday, June 24, 2005 1:20 PM
    To: Jim Harrison (ISA); Thor (Hammer of God)
    Cc: focus-ms@securityfocus.com
    Subject: RE: Using Messenger Service for 'Net Send' Functionality ---
    Dangerous?Why?

    Why do you need NetBIOS for file transfer?
    SMB/CIFS operates over TCP/IP on port 445 (which I would NEVER open to
    the outside world); it doesn't need NetBIOS. For name resolution use an
    IP or an FQDN.

    Jim Harrison (ISA) wrote:
    > I've spoken to quite a few folks that believe allowing NetBIOS across
    > your firewall is perfectly reasonable for file transfer functionality.
    > I clearly don't agree with this proposition, but because SSH/FTPS is
    > "unfamiliar", it's what they wanted.
    >
    > Jim Harrison
    > Security Business Unit (ISA SE)
    > "When you come to a fork in the road, take it."
    > --Yogi Berra
    >
    >
    > -----Original Message-----
    > From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
    > Sent: Friday, June 24, 2005 8:38 AM
    > To: Jesse Weigert; Nick Duda
    > Cc: focus-ms@securityfocus.com
    > Subject: Re: Using Messenger Service for 'Net Send' Functionality ---
    > Dangerous?Why?
    >
    > "Net send" first tries a netbios connection to deliver the message, and will
    > then attempt delivery via UDP 135 (the endpoint mapper.)
    >
    > There is no functional reason why a firewall should be allowing netbios/f&p
    > traffic or UDP135 into your network.
    >
    > T
    >
    > ------
    > *Secure your infrastructure*
    > Microsoft Ninjitsu: Securely Deploying MS Technologies
    > security training delivered by Timothy Mullen.
    > Registration now open for Blackhat Vegas 2005:
    > http://www.blackhat.com/html/bh-usa-05/train-bh-usa-05-tm.html
    >
    > ----- Original Message -----
    > From: "Jesse Weigert" <weigert@gravitec.com>
    > To: "Nick Duda" <nduda@VistaPrint.com>
    > Cc: <kurt.buff@gmail.com>; <michael.mailinglist@securityfocus.com>; "at"
    > <gmail.com@securityfocus.com>; <focus-ms@securityfocus.com>
    > Sent: Thursday, June 23, 2005 8:33 PM
    > Subject: Re: Using Messenger Service for 'Net Send' Functionality ---
    > Dangerous?Why?
    >
    >
    >> I would like to add that there is malware which does just this.
    >> Which is why sometimes even blocking the service at the firewall
    >> doesn't stop the messenger spam.
    >>
    >> Nick Duda wrote:
    >>> FYI, It's very easy to write a short VB app that:
    >>>
    >>> A. doesn't record net sends to event viewer
    >>> B. can spoof the sending name of the computer (NetBIOS)
    >>>
    >>> - Nick
    ---------------------------------------------------------------------------
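
A ruleset check for the exposure discussed in this thread, as an added example that is not part of any poster's message: it flags inbound allow rules open to any source that cover UDP 135, the NetBIOS ports (UDP 137/138, TCP 139) or TCP 445. The rule format, `SAMPLE_RULES`, and the `audit` and `parse_ports` helpers are constructed for illustration; each rule is judged on its own, and rule ordering is not evaluated.

```python
# Added example: flag inbound allow rules that expose the ports named in the thread.
# The rule format (direction action proto ports source) is an assumption made
# for this example; it is not the export format of any real firewall product.
WATCHED = {
    ("udp", 135): "endpoint mapper (net send fallback, per the thread)",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session service",
    ("tcp", 445): "SMB/CIFS directly over TCP",
}

SAMPLE_RULES = """\
# constructed sample ruleset
in  allow tcp 443      any
in  allow tcp 135-139  any
in  allow udp 130-140  any
in  allow tcp 445      10.0.0.0/8
in  deny  tcp 445      any
out allow tcp 445      any
in  allow any 1-1023   any
"""

def parse_ports(spec):
    """Turn '445' or '135-139' into an inclusive (low, high) pair."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi) if hi else int(lo)

def audit(text, external_sources=("any", "0.0.0.0/0")):
    """Return (line_no, proto, port, label) for each watched port an
    inbound allow rule opens to an unrestricted source."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        direction, action, proto, ports, source = line.split()
        if direction != "in" or action != "allow" or source not in external_sources:
            continue
        lo, hi = parse_ports(ports)
        for (wproto, wport), label in sorted(WATCHED.items()):
            # a rule with proto 'any' covers both TCP and UDP
            if proto in (wproto, "any") and lo <= wport <= hi:
                findings.append((n, wproto, wport, label))
    return findings

if __name__ == "__main__":
    for n, proto, port, label in audit(SAMPLE_RULES):
        print(f"line {n}: inbound {proto}/{port} open to any source: {label}")
```

Wide ranges such as `130-140` or `1-1023` are the case worth checking for, since they open these ports without naming them.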
    
