Re: Is it possible to disable NETBIOS and still allow NTLM and Kerberos authentication?

Roger -

Everything you said seems to jive with what I am seeing in our lab
environment . However I do have one question.

You mentioned:
"Pretty much all Netbios activity can/will continue without NetBT if DNS and
AD (i.e. ldap) can support name resolution / host location services."

I don't know a lot about NETBIOS myself so I'm relying a lot on the auditor
to provide us with guidance - however your comments make me question how
knowledgable our auditor really is.

Is it really even possible to disable NETBIOS entirely in a Windows network?
What additional steps would be required besides disabling NETBT?

Thanks,
Brad


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:u0HaJx5dIHA.6136@xxxxxxxxxxxxxxxxxxxxxxx
Disabling NetBT (Netbios/tcp) will not impact authentication,
nor fileshares, nor domain membership (gpo application, etc.)
and short hostnames (e.g. \\server, http://server) will fly if your
naming and DNS are aligned.
I have yet to have such auditors explain to me just what they are
thinking the recommendation/mandate solves/avoids. Pretty much
all Netbios activity can/will continue without NetBT if DNS and
AD (i.e. ldap) can support name resolution / host location services.

Roger

"Brad Baker" <brad@xxxxxxxxxxxxx> wrote in message
news:%23wWbfl2dIHA.4728@xxxxxxxxxxxxxxxxxxxxxxx
We've been informed by a security auditor that we need to disable NETBIOS
on our network. That seems simple enough to do, but we are concerned that
doing so may affect NTLM authentication which we use for several web
based applications (as well as kerberos). Does NTLM or Kerberos utilize
NETBIOS?

Thanks
Brad





.