Re: Disable NetBIOS and NTLM on Windows 2003 Domain Controllers an

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/05/04


Date: Tue, 5 Oct 2004 13:58:30 -0500

DNS name resolution is used for that, and port 445 will be used as 139
becomes unavailable. Shares can still be accessed, but only by IP address or
fully qualified domain name. I have not tried disabling NBT in a domain
myself, and of course I would not recommend anyone make such a change without
testing before rolling out. --- Steve

"Andrei Ungureanu" <AndreiUngureanu@discussions.microsoft.com> wrote in
message news:1526F60C-06B4-40CF-87A4-8046FF3F352F@microsoft.com...
> What about SYSVOL folder? Do you need NETBIOS/SMB for this?
>
> Andrei Ungureanu
> www.eventid.net
> Free Windows event logs reports
> http://www.altairtech.ca/evlog/
>
> "Steven L Umbach" wrote:
>
>> Domain controllers do not need NBT to replicate amongst themselves, but I
>> believe there will be a problem with Exchange. If you disable NBT, keep in
>> mind that there may be problems with the use of My Network Places if
>> used. Domain controllers are usually domain master and master browsers,
>> though elections would happen if other computers on the network still
>> use it.
>>
>> Keep in mind that Remote Access Servers will not authenticate users if
>> configured to not allow LM and NTLM. It will work if you disable just LM,
>> which is by far the biggest vulnerability. Also, unless you configure
>> security options on Windows 2003 servers and modify the registry on W2K
>> servers, LM hashes of passwords will still be stored, and if you disable
>> that, the LM hash for a user's password will still exist until they change
>> their password. --- Steve
>>
>>
>> "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
>> news:eUYl4OjqEHA.3428@TK2MSFTNGP11.phx.gbl...
>> > Thanks for your response.
>> >
>> > You indicate that Domain Controllers (may?) need NetBIOS for Active
>> > Directory replication - do you know if there are any Microsoft documents
>> > that address this "requirement" directly?
>> >
>> >
>> >
>> >
>> > "Andrei Ungureanu" <AndreiUngureanu@discussions.microsoft.com> wrote in
>> > message news:64B7F953-413E-4332-8B53-1D46C54CFAC3@microsoft.com...
>> >> Hmmm... about NTLMv1/LM: I don't think it's a problem disabling them
>> >> (maybe only if you have some very old OS on your network). Regarding
>> >> NetBIOS, I think the domain controller needs this functionality for
>> >> replication. Anyway, to fully disable NetBIOS and SMB check
>> >> http://www.microsoft.com/technet/Security/prodtech/win2000/secwin2k/a0604.mspx
>> >> (as you can see, it's not enough to check "Disable NetBIOS over TCP/IP"
>> >> in Advanced TCP/IP settings).
>> >>
>> >> Andrei Ungureanu
>> >> www.eventid.net
>> >> Free Windows event logs reports
>> >> http://www.altairtech.ca/evlog/
>> >>
>> >>
>> >>
>> >> "Research Services" wrote:
>> >>
>> >>> Is it possible to safely DISABLE NetBIOS and/or NTLMv1/LM on all
>> >>> Windows 2000 and Windows 2003 Domain Controllers and/or Exchange 2003
>> >>> servers (within our own child domain) without affecting Windows
>> >>> networking communications adversely?
>> >>> We are a child domain in a single forest; we are NOT Enterprise
>> >>> Administrators. Our DCs and Exchange are currently configured to
>> >>> refuse and not send LM.
>> >>> All clients are Windows XP with NetBIOS already disabled and only talk
>> >>> NTLMv2; there are no down-level clients (i.e., Win9x, NT4, Mac) in our
>> >>> child domain.
>> >>> We are not sure if this will affect AD replication, especially between
>> >>> other child domains in the forest not controlled by us - OR if Exchange
>> >>> 2003 relies on NetBIOS and/or less than NTLMv2 to function correctly.
>> >>>
>> >>> Thanks for any input or help.
>> >>>
>> >>>
>> >>>
>> >>>
>> >
>> >
>>
>>
>>
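The thread above turns on four things a practitioner would want to verify before and after the change: whether NetBIOS over TCP/IP is really off on each interface, whether each DC still answers by FQDN on 445 once 139 is gone, what LmCompatibilityLevel and NoLMHash are set to, and which accounts still carry an LM hash because their password predates the NoLMHash change. The script below is an added audit example written for this page, not code from any poster in the thread or from Microsoft. The DC names are constructed placeholders, it assumes a domain-joined machine with LDAP access to a DC for the optional account query, and it reads the documented registry locations (the Lsa key's LmCompatibilityLevel and NoLMHash values; on Windows 2000 NoLMHash was a subkey rather than a value, so both are checked).

```powershell
<#
  Added audit example (not from the thread). Reports the settings discussed:
  LM/NTLM policy, NetBIOS over TCP/IP per interface, 139/445 reachability of
  each DC by FQDN, and accounts whose LM hash persists until the next change.
  Assumptions: DC names are placeholders; run as a domain user on a
  domain-joined host; the ADSI query needs LDAP access to a DC.
#>
param(
    [string[]]$DomainControllers = @('dc1.child.example.com', 'dc2.child.example.com'),
    [datetime]$NoLMHashEnabledOn,     # optional: when NoLMHash was turned on
    [int]$TimeoutMs = 2000
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# --- 1. LM/NTLM policy on this host ---------------------------------------
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaPath
$levelText = @{
    0 = 'send LM & NTLM'
    1 = 'send LM & NTLM, NTLMv2 session security if negotiated'
    2 = 'send NTLM only'
    3 = 'send NTLMv2 only'
    4 = 'send NTLMv2 only, DC refuses LM'
    5 = 'send NTLMv2 only, DC refuses LM and NTLM'
}
$level = $lsa.LmCompatibilityLevel
$levelValue = if ($null -eq $level) { 'not set (OS default)' } else { "$level = $($levelText[[int]$level])" }
# Windows XP/2003: DWORD value NoLMHash=1; Windows 2000: a NoLMHash subkey.
$noLmHash = ($lsa.NoLMHash -eq 1) -or (Test-Path "$lsaPath\NoLMHash")
$noLmHashValue = if ($noLmHash) { 'on: LM hash dropped at next password change' } else { 'off: LM hashes still stored' }
[pscustomobject]@{ Check = 'LmCompatibilityLevel'; Value = $levelValue }
[pscustomobject]@{ Check = 'NoLMHash';             Value = $noLmHashValue }

# --- 2. NetBIOS over TCP/IP per interface (the Advanced TCP/IP WINS tab) ----
$nbtText = @{ 0 = 'default (from DHCP)'; 1 = 'enabled'; 2 = 'disabled' }
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    [pscustomobject]@{
        Check = "NetBIOS on $($_.Description)"
        Value = $nbtText[[int]$_.TcpipNetbiosOptions]
    }
}

# --- 3. Each DC by FQDN: 445 must answer; 139 only answers while NBT is on --
foreach ($dc in $DomainControllers) {
    $resolved = try { ([System.Net.Dns]::GetHostAddresses($dc) | Select-Object -First 1).IPAddressToString }
                catch { 'DNS lookup failed' }
    $p445 = Test-TcpPort $dc 445 $TimeoutMs
    $p139 = Test-TcpPort $dc 139 $TimeoutMs
    [pscustomobject]@{ Check = "DC $dc ($resolved)"; Value = "445: $p445  139: $p139" }
}

# --- 4. Passwords set before NoLMHash still have an LM hash on the DC -------
if ($PSBoundParameters.ContainsKey('NoLMHashEnabledOn')) {
    $ft = $NoLMHashEnabledOn.ToFileTimeUtc()
    # pwdLastSet is a FILETIME stored as a large integer; 0 means "must change at next logon".
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(pwdLastSet<=$ft)(!(pwdLastSet=0)))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'pwdLastSet'))
    $searcher.FindAll() | ForEach-Object {
        [pscustomobject]@{
            Check = "LM hash likely present: $($_.Properties['samaccountname'][0])"
            Value = 'pwdLastSet ' + [datetime]::FromFileTimeUtc($_.Properties['pwdlastset'][0])
        }
    }
}
```

Run it on a client before disabling NBT on the DCs to record a baseline, then again afterwards: a healthy result is 445 answering and 139 refused for every DC named by FQDN, LmCompatibilityLevel at 4 or 5 if you want the DC to refuse LM (5 also refuses NTLM, which the thread notes breaks Remote Access Servers), and an empty section 4 once every account has changed its password since NoLMHash went on.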


