Re: how to shut off netbios-ns/port:137 (udp)
From: Johnnie Baker (apscnjohnnie_at_hotmail.com)
Date: 06/07/03
Date: Fri, 6 Jun 2003 21:39:14 -0700
I have personally advised people to use the free download ZoneAlarm from http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp. Actually the built-in security policy is capable of blocking NetBIOS attacks, but as the previous post indicates it does require a deal of experience. Use secpol.msc from a Run command on Win2k/XP. Here is an example which meets your needs for blocking the common NetBIOS ports. I apologize for posting the entire procedure instead of the link; I have forgotten where I obtained it. I agree with the recommendation for putting in place a firewall such as MS ISA, and NAT is always a cheap alternative. I personally open up my connection to the world and am only using Windows XP with an inexpensive Norton Firewall. You certainly wouldn't want to apply this procedure to a large number of workstations, even though you can save the IPsec policy you create and push it to your domain environment via login script. But who would have a large number of workstations open to the internet ..... a public school :)
Step-by-Step Guide: How to block NetBIOS connections to Windows 2k/XP Pro

The Windows Server service, while indispensable on a file, print or application server, can create quite a headache when administering Windows workstations. Since the service advertises on well-known NetBIOS ports, it is a common attack vector for hackers attempting to gain access to the computers on your network.

There are a number of ways to block this avenue of attack, including implementing a central firewall or disabling the Server service outright. On a Windows 2000 or XP Professional workstation, you can also create an IPsec filtering policy to stop NetBIOS traffic dead in its tracks. Follow the steps below to create an IPsec policy for an individual workstation or a central policy for an entire Active Directory domain or organizational unit.
Step 1: If you're working as part of a domain where you aren't the only administrator on staff, consult the necessary person or persons before changing any settings on a production machine. If someone has already set up group policies at the site, domain or organizational unit level, conflicting settings could spell trouble for your workstation -- causing anything from a minor annoyance to a complete inability to communicate on your network.

Step 2: Open the local computer policy by clicking on Start -> Run, then typing "gpedit.msc".

Step 3: Click on Computer Configuration -> Windows Settings -> Security Settings. Right-click on IP Security Policies on Local Computer and select "Create IP Security Policy."

Step 4: Click "Next" to bypass the initial welcome screen. Enter a name for the IPsec policy and click "Next" again.

Step 5: Remove the check mark next to "Activate the default response rule" and click "Next."

Step 6: Click "Add" to create a new security rule. A security rule consists of two key components: an IP filter list that tells Windows what sort of traffic to look for and a filter action that tells Windows what to do once it has found something.
Step 7: Create two IP filters. Both will filter traffic with a source IP address of "Any IP Address" and a destination of "My IP Address." IP filters monitor traffic according to a source and/or destination IP address, as well as source/destination port numbers. (An IP filter can only handle one type of traffic at a time, which is why security rules rely on filter lists.) One will filter traffic with a destination TCP port 139, the other will affect TCP destination port 445. This will cause the IP security rule to flag NetBIOS traffic directed against your workstation from any point of origin.

Step 8: Create a filter action to block the IP traffic affected by the IP filters created in Step 7.

Step 9: Right-click on the completed IPsec policy and click "Assign" to apply it to your local workstation.

You're done! No rebooting required. Your workstation will now reject any and all NetBIOS connection attempts. If you need to tweak the policy, you can create additional security rules to allow NetBIOS connections from administrative workstations. You can also de-assign the policy if it's not working the way you had intended.
Regards,
Johnnie
>-----Original Message-----
>my post may have disappeared, but I agree. Disabling services does nothing to block outbound connections from worms or remote access trojans or keystroke loggers, inbound attempts to guess OS from the TCP headers, etc. While it is theoretically possible to do everything necessary to completely harden a Windows computer to be fairly secure without a firewall, you really have to know your stuff beforehand to hope to accomplish this, and even then you still greatly improve your security by using a firewall. Here are a number of free and inexpensive firewalls:
>
>http://securityadmin.info/faq.htm#firewall
>http://securityadmin.info/faq.htm#harden
>
>
>"Lanwench [MVP - Exchange]" <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message news:#8SxWLfKDHA.2244@TK2MSFTNGP11.phx.gbl...
>> Get a firewall ASAP. No network, nor even single workstation, should be without one. Get a good stateful inspection device that sits between you and the Internet. You can't possibly protect your network by disabling services, and your internal network actually *needs* many of those services. Look at www.sonicwall.com for some decent boxes that don't cost too much. A simple NAT device is not going to do it for you.
>>
>> Alex Fitterling wrote:
>> > Hi Lanwench,
>> >
>> > no we do not have any firewall at all. I really want this port off. Is there any trick to get into this? Or could I just reach this by deactivating the Windows file sharing protocol in network setup? If so, is this enough then or in what else should I proceed?
>> >
>> > Please help.
>> >
>> > Alex
>> >
>> >
>> >> Alex - if this is only internal to your network, and you have a properly configured firewall protecting your network from the Internet, you shouldn't really worry about this.
>> >>
>> >> Alex Fitterling wrote:
>> >>> Dear Microsoft Users,
>> >>>
>> >>> when scanning certain win2k-clients in my network with the open-source security tool Nessus, I get the following security warning:
>> >>>
>> >>>
>> >>> ---
>> >>> Warning netbios-ns (137/udp) . The following 2 NetBIOS names have been gathered : NAME = Computer 1) name that is registered for the messenger service on a computer that is a WINS client. BENUTZER1 = Computer name that is registered for the messenger service on a computer that is a WINS client. . The remote host has the following MAC address on its adapter : XXXXXXXXXXXXXXXXXXX 1)
>> >>>
>> >>> If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port.
>> >>>
>> >>> Risk factor : Medium
>> >>> CVE : CAN-1999-0621
>> >>> Nessus ID : 10150
>> >>>
>> >>> 1) due to security reasons the values have been made unrecognizable.
>> >>> ----
>> >>>
>> >>> I definitely want to deactivate the whole port, not allowing the clients to share anything on net. Is there a way to reach this, or could that (only Microsoft knows) for any reason be dangerous?
>> >>>
>> >>> So far I took a look in certain newsgroups. There were actually a whole bunch of inquiries I myself wasn't able to deal with. So this is my own posting.
>> >>>
>> >>> Sincerely,
>> >>>
>> >>> Alex
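The nine-step gpedit.msc procedure in Johnnie's post builds an IPsec filtering policy by hand. The batch script below is an added example, not code from the original post or from the guide Johnnie pasted: it creates the same policy from the command line with the "netsh ipsec static" context, which exists on Windows XP SP2 and Windows Server 2003 (Windows 2000 and pre-SP2 XP do not have it and need the GUI). It also goes one step beyond the guide: besides TCP 139 and 445 it blocks UDP 137 and 138, since the Nessus finding that started the thread is netbios-ns on 137/udp and the guide's two TCP filters alone would not silence it. The policy, filter-list, filter-action and rule names are labels chosen for this example.

```batch
@echo off
rem Added example, not from the original post: the guide's IPsec policy built
rem with "netsh ipsec static" (XP SP2 / Server 2003). Run from an elevated
rem administrator cmd.exe. All names below are arbitrary labels for this example.

set POLICY=Block NetBIOS Inbound
set FLIST=NetBIOS inbound ports
set FACTION=Block traffic

rem 1. Policy container. activatedefaultrule=no is the guide's Step 5
rem    (no default response rule).
netsh ipsec static add policy name="%POLICY%" description="Drop inbound NetBIOS/SMB from any source" activatedefaultrule=no

rem 2. One filter list with one filter per port (Step 7). srcaddr=any /
rem    dstaddr=me is the GUI's "Any IP Address" -> "My IP Address".
rem    mirrored=no matches the inbound direction only, so the workstation can
rem    still open connections to file servers itself. The guide lists only
rem    TCP 139 and 445; UDP 137 (name service, the Nessus finding) and
rem    UDP 138 (datagram service) are added here.
netsh ipsec static add filterlist name="%FLIST%" description="TCP 139/445 and UDP 137/138 to this host"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=no description="NetBIOS session service (TCP 139)"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=no description="SMB over TCP (TCP 445)"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=137 mirrored=no description="NetBIOS name service (UDP 137)"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=138 mirrored=no description="NetBIOS datagram service (UDP 138)"

rem 3. Filter action (Step 8): drop matching packets, no IPsec negotiation.
netsh ipsec static add filteraction name="%FACTION%" description="Silently drop matching packets" action=block

rem 4. Rule tying the filter list to the action inside the policy (Step 6).
netsh ipsec static add rule name="Drop inbound NetBIOS" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" description="Any source -> this host on NetBIOS/SMB ports"

rem 5. Assign the policy (Step 9). Takes effect immediately, no reboot.
netsh ipsec static set policy name="%POLICY%" assign=y

rem Show what is now active. To back the change out, as the guide's last
rem paragraph suggests, de-assign it:
rem   netsh ipsec static set policy name="%POLICY%" assign=n
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Two caveats a practitioner should check before rolling this out. First, NetBIOS name-service replies arrive on UDP 137 as well, so the UDP 137 filter also stops the workstation's own NetBIOS and WINS name lookups; make sure the hosts it needs are resolvable by DNS, or add a permit rule for your WINS server ahead of the block, the same way the guide suggests a permit rule for administrative workstations. Second, this is a local policy: if the machine is in a domain, an IPsec policy assigned through Group Policy at the site, domain or OU level overrides the local one (the guide's Step 1), so verify with the "show policy" output that the policy you expect is the one actually assigned.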