RE: Blocking NetBios

From: whirlow (admin_at_whirlow.plus.com)
Date: 06/11/04

    To: <security-basics@securityfocus.com>
    Date: Fri, 11 Jun 2004 21:38:37 +0100

    To follow on a bit from the other posts regarding your issue: assuming
    that your client's network is solely running Win 2k/XP, you could use the
    following, as there are four default ways to block NetBIOS on a Windows
    2000 system.

    1) IPSecurity Filtering (Unrelated to IPSec)
    Located: Control Panel - Administrative Tools - Local Security Policy -
    IPSecurity Policies
    Use: Define a rule for destination ports tcp 139 and 445 from any source
    port / source address to 'My IP Address'. Create and assign a blocker rule
    to this filter.
    Pro: ports 139 and 445 will not respond to a port scan. Filters are
    granular per protocol, and source and destination ports and addresses.
    Con: Tricky to set up the first time. Blocker rule must be manually
    defined.
    Reboot Required?: NO

    2) Advanced TCP/IP filtering
    Located: Control Panel - Network - Internet Protocol (TCP/IP) Properties -
    Advanced - Options - TCP/IP Filtering Properties
    Use: Permit Only specific protocols. Do not permit tcp (protocol 6)
    ports 139 or 445.
    Pro: ports 139 and 445 will not respond to a port scan
    Con: Permit Only mechanism means you have to specify each allowed
    protocol, including RPC ports. (Also: ICMP will be permitted even if you
    specify 'permit only' and leave the permitted fields blank.)
    Reboot Required?: YES

    3) Disable NetBIOS over TCP/IP (suggested in other posts)
    Located: Control Panel - Network - Internet Protocol (TCP/IP) Properties -
    Advanced - WINS
    Use: Click radio button to "Disable NetBIOS over TCP/IP"
    Pro: tcp 139 will not respond to port scans
    Con: tcp 445 will still accept connections and process NetBIOS
    Reboot Required?: NO
    **WARNING: This method gives a false sense of security and should not be
    used, as tcp 445 is still open and will accept connections**

    4) Unbind File and Printer Sharing for Microsoft Networks
    Located: Control Panel - Network - Advanced (from menu bar) - Advanced
    Settings
    Use: Select the network card to unbind NetBIOS from - Uncheck File and
    Printer Sharing for Microsoft Networks
    Pro: Will disable all incoming requests to tcp 139 and 445
    Con: tcp 139 will appear on a port scan, but will not respond to requests
    Reboot Required?: NO

    I find options 1 and 4 preferable depending on requirements.

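The post judges each option by what a port scan of tcp 139/445 sees and by whether the NetBIOS/SMB listeners remain. The following audit script is an added example, not part of the original post: it reads the settings behind options 3 and 4, lists local listeners on 139/445, and optionally probes a remote host for those ports. It assumes a Windows 8 / Server 2012 or later host with the NetAdapter and NetTCPIP modules (these cmdlets did not exist on Windows 2000); the address 192.0.2.10 is a constructed placeholder.

```powershell
# Added audit script (not from the original post). Assumes Windows 8 / Server 2012
# or later with the NetAdapter and NetTCPIP modules; it checks the same settings
# the post describes, on a modern client.

function Get-NetbiosExposure {
    [CmdletBinding()]
    param(
        # Optional remote host to probe from this machine (e.g. the client being hardened).
        [string]$RemoteHost
    )

    # Option 3 in the post: NetBIOS over TCP/IP setting per adapter.
    # TcpipNetbiosOptions: 0 = use DHCP/default, 1 = enabled, 2 = disabled.
    $nbt = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, TcpipNetbiosOptions

    # Option 4 in the post: File and Printer Sharing binding (component ms_server).
    $binding = Get-NetAdapterBinding -ComponentID ms_server |
        Select-Object Name, Enabled

    # Local listeners on 139 and 445. The post notes that option 3 leaves 445
    # accepting connections; this shows whether the listener is still present.
    $listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 } |
        Select-Object LocalAddress, LocalPort

    $result = [ordered]@{
        NetbiosOverTcpip  = $nbt
        FileSharingBound  = $binding
        ListeningOn139445 = $listen
    }

    # Options 1, 2 and 4 are judged by whether the port answers from another
    # host; Test-NetConnection reports TcpTestSucceeded per port.
    if ($RemoteHost) {
        $result.RemotePorts = foreach ($p in 139, 445) {
            $t = Test-NetConnection -ComputerName $RemoteHost -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{ Port = $p; Open = $t.TcpTestSucceeded }
        }
    }
    [pscustomobject]$result
}

# Audit this host and probe a client at a constructed placeholder address.
Get-NetbiosExposure -RemoteHost '192.0.2.10' | Format-List
```

Run it before and after applying one of the four options to confirm the change took effect rather than relying on the GUI alone.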
