Re: netbios question
From: NeoSadist (neos@dist) Date: 10/30/02
- Next message: NeoSadist: "Re: Browser security"
- Previous message: Keith Whyte: "3Com Superstack 3 or Sonicwall PRO 300"
- In reply to: : "netbios question"
- Next in thread: David: "Re: netbios question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "NeoSadist" <neos@dist> Date: Wed, 30 Oct 2002 02:25:53 -0700
"DX" <007@sxu.cjb.net> wrote in message
news:apnu5e$ioj$1@woodrow.ucdavis.edu...
> I have a web server running IIS with Win2k, and currently with netbios
> enabled. I have heard someone from this newsgroup say before that I
> should "disable netbios on the web server."
>
> My questions are:
> 1). Is netbios bad in general? By enabling netbios, will it create
> security holes?
>
> 2). Should I disable netbios on my web server without hesitance?
>
> 3). Should I also disable netbios for all my computers in our department's
> LAN?
>
> 4). What's the reason to leave netbios on?
>
> Thank you for your comments.
No, netbios over tcp/ip is good, but on the LAN, not WAN. The internet has
no need to share your files, trust me. Enabling netbios doesn't create a
security hole in and of itself. Not blocking these ports across WAN (NOT
YOUR LAN) is a risk.
Therefore, on your firewall, make sure you're blocking inbound and outbound
tcp and udp on ports 137-139 for all IP addresses except that of your local
LAN.
Yeah, I'd harden your web server, since the internet has NO NEED to share
your files.
No, you don't need to disable netbios on all your computers on your LAN.
Leave the LAN out of this.
Netbios over tcp/ip is for networking and file/print sharing. You want to
leave it enabled (ON THE LAN ONLY) so that you can share files and printers.
A simple firewall like this would be fine (if it processes packets from top
to bottom):
1. Enable all ports over tcp, udp, and icmp on local LAN (192.168.1.0 -
192.168.1.255 for example)
2. Disable ALL netbios over tcp/ip (tcp and udp over ports 137 - 139).
Remember, with firewalls, you want to start with a "brick wall" (i.e. no
access) and then poke holes for what you need:
Ok, people need the internet, so I open port 80...
Ok, people need file downloading, so open 23 (ftp)...
Ok, people need newsgroups, so open 119...
Ok, people need email, so open 110...
Etc. But those are internet only. LAN IPs (insert your IP class here)
should be allowed, i.e. not even filtered at all, in my opinion. However,
you could change that on the clients using their IP filtering.
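The rule order NeoSadist describes (allow the LAN first, then drop NetBIOS, then a "brick wall" with holes poked for the internet-facing services) only works if the firewall really does evaluate top to bottom. The example below is an added illustration, not code from the post and not any real firewall's syntax: a small first-match filter in Python that encodes those rules and runs them over a few constructed packets, including the same rules in the wrong order so the failure mode is visible. It assumes the poster's example LAN 192.168.1.0/24 and an assumed web server at 192.168.1.10. It goes a little beyond the post in two places: it also drops TCP/UDP 445, which Windows 2000 uses for direct-hosted SMB alongside 137-139, and it opens TCP 21 for FTP control (TCP 23 is telnet).

```python
"""First-match packet filter modelled on the rule order in the post above.

Constructed example: not the poster's code and not a real firewall's
syntax. Assumptions: LAN is 192.168.1.0/24, the web server is 192.168.1.10,
and a packet is evaluated against rules top to bottom, first match wins.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

LAN = ip_network("192.168.1.0/24")          # assumption: poster's example range
NETBIOS_PORTS = {137, 138, 139}             # NetBIOS name / datagram / session
SMB_DIRECT_PORT = 445                       # Win2k direct-hosted SMB (not in the post)
# Holes poked in the "brick wall" for internet traffic: http, ftp control, nntp, pop3
INTERNET_HOLES = {("tcp", 80), ("tcp", 21), ("tcp", 119), ("tcp", 110)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for icmp


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    matches: Callable[[Packet], bool]


def from_lan(p: Packet) -> bool:
    """Rule 1 in the post: LAN addresses are not filtered at all."""
    return ip_address(p.src) in LAN


def is_netbios(p: Packet) -> bool:
    """Rule 2 in the post: tcp/udp 137-139, plus 445 for direct-hosted SMB."""
    return p.proto in ("tcp", "udp") and p.dport in (NETBIOS_PORTS | {SMB_DIRECT_PORT})


def is_internet_hole(p: Packet) -> bool:
    """The services the post opens for everyone else."""
    return (p.proto, p.dport) in INTERNET_HOLES


# Order matters: a LAN packet to port 139 hits rule 1 and is allowed; the
# same port from the internet falls through to rule 2 and is dropped.
RULES: List[Rule] = [
    Rule("1 lan-unfiltered", "allow", from_lan),
    Rule("2 drop-netbios", "deny", is_netbios),
    Rule("3 internet-services", "allow", is_internet_hole),
]


def decide(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, else default deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "deny", "default brick wall"


# Constructed sample traffic aimed at the assumed web server 192.168.1.10
SAMPLES: Dict[str, Packet] = {
    "lan file share": Packet("192.168.1.25", "192.168.1.10", "tcp", 139),
    "lan ping":       Packet("192.168.1.25", "192.168.1.10", "icmp"),
    "wan smb":        Packet("203.0.113.7", "192.168.1.10", "tcp", 139),
    "wan smb 445":    Packet("203.0.113.7", "192.168.1.10", "tcp", 445),
    "wan netbios-ns": Packet("203.0.113.7", "192.168.1.10", "udp", 137),
    "wan http":       Packet("203.0.113.7", "192.168.1.10", "tcp", 80),
    "wan telnet":     Packet("203.0.113.7", "192.168.1.10", "tcp", 23),
}


def run_samples() -> Dict[str, str]:
    """Action taken for every sample packet under the post's rule order."""
    return {name: decide(p)[0] for name, p in SAMPLES.items()}


def misordered() -> str:
    """Put the NetBIOS drop above the LAN allow: LAN file sharing now breaks."""
    swapped = [RULES[1], RULES[0], RULES[2]]
    return decide(SAMPLES["lan file share"], swapped)[0]


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:15} -> {action}")
    print("lan file share with rules swapped ->", misordered())
```

The point the `misordered` check makes is the one a practitioner trips over most often: the "disable ALL netbios" rule is written as a global drop, and it is only the LAN allow sitting above it that keeps file and print sharing working inside the department.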