

bcool
Premium
join:2000-08-25
The Ozarks

1 edit

NetBIOS over TCP/IP on Windows 7 SP1

Sorry for raising a tired old horse that's been beaten to death, but...

I just installed Windows 7 SP1 and once again I'm faced with the decision whether it really matters in 2014 on W7 SP1 that I purposefully go in and "disable" or "unbind", (or whatever the proper terminology) NetBIOS over TCP/IP and even perhaps disabling "IP Helper" service.

1.) I am on a standalone computer employing a Westell 327w DSL router for connection to ISP and IP addressing. Apparently the Westell 327w offers DHCP server function.

2.) By default, it appears Windows 7 SP1 leaves NetBIOS over TCP/IP set to "use NetBIOS setting from the DHCP server...etc"

3.) Under "ipconfig" details = NetBIOS over TCP/IP is enabled.

4.) Registry setting also shows value of "0" which I imagine corresponds with "default" (as per above description).

I'm so tired having to ponder this crap once again. If I've learned anything over the many years of working with Windows...change 1 "simple" little setting and it's likely to affect other components in an unintended way (like Computer Browser service, etc).

Come on: I have a router firewall with custom security rules. I also use ZoneAlarm Free 2014. I have Malwarebytes Pro running and Windows Defender. I have Avast! 2014 Free. I work from a limited account almost exclusively. Do I really still have to fret over NetBIOS over TCP/IP setting on Windows 7 SP1 Home Premium? Really? WITH ALL DUE RESPECT: Is this maybe some "old guard" techies still living in the past that are just unwilling to accept that with all things considered, NetBIOS over TCP/IP set to default in Windows 7 SP1 poses a minimal risk today. Are these old faithful the same ones who insist that it's a good idea to run a registry cleaner at least once a week as a routine Windows maintenance regimen?

Please explain why I need to worry about Windows 7 default setting here, please?
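The three checks listed in the post above (adapter setting, `ipconfig`, registry value), done in one pass, as an added example that is not part of the original post. It assumes the standard NetBT per-interface registry location and the `Win32_NetworkAdapterConfiguration` WMI class, and it only reads settings.

```powershell
# Added example: read-only audit of NetBIOS over TCP/IP on each IP-enabled adapter.
# Meaning of TcpipNetbiosOptions (WMI) / NetbiosOptions (registry):
$meaning = @{
    0 = 'Default: use setting from DHCP server (enabled if none is supplied)'
    1 = 'Enabled'
    2 = 'Disabled'
}
# Per-adapter keys live here, one per interface, named Tcpip_<adapter GUID>.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $key = Join-Path $ifRoot ('Tcpip_' + $_.SettingID)
        $reg = $null
        if (Test-Path -LiteralPath $key) {
            $reg = (Get-ItemProperty -LiteralPath $key -Name NetbiosOptions `
                        -ErrorAction SilentlyContinue).NetbiosOptions
        }
        # Avoid mapping a missing value to 0 by accident.
        $text = 'Unknown'
        if ($null -ne $_.TcpipNetbiosOptions) {
            $text = $meaning[[int]$_.TcpipNetbiosOptions]
        }
        New-Object PSObject -Property @{
            Adapter       = $_.Description
            DHCPEnabled   = $_.DHCPEnabled
            WmiValue      = $_.TcpipNetbiosOptions
            RegistryValue = $reg
            Meaning       = $text
        }
    } | Format-Table Adapter, DHCPEnabled, WmiValue, RegistryValue, Meaning -AutoSize

# Show whether the NetBIOS ports (137/udp, 138/udp, 139/tcp) are bound locally.
netstat -ano | Select-String -Pattern ':13[789]\s'
```

A registry value of 0 together with "enabled" in `ipconfig /all` is consistent: 0 is the default, which leaves NetBIOS on when the DHCP server supplies no NetBIOS option.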


Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS

said by bcool:

Please explain why I need to worry about Windows 7 default setting here, please?

Why do you think you need to worry about the default setting here?


workablob

join:2004-06-09
Houston, TX
kudos:3
reply to bcool

Unless your router is configured to allow ports 137, 138, or 139, NetBIOS traffic will never leave your LAN.

Blob
--
Don't try to follow me, I have a cab waiting. EEEEEEEEradicator!



bcool
Premium
join:2000-08-25
The Ozarks
reply to Shady Bimmer

a thinking reader.... very good question that happens to reveal that I'm still somewhat affected by what still seems to be "conventional wisdom" on the Internet, that is, in cases where NetBIOS is not explicitly required---DISABLE it immediately! Do not delay!! Rush! Rush! Rush!

I don't want to mess with it this time around. If it ain't broke, I'd like to leave well enough alone this time.



bcool
Premium
join:2000-08-25
The Ozarks

2 edits
reply to workablob

said by workablob:

Unless your router is configured to allow ports 137, 138, or 139, NetBIOS traffic will never leave your LAN.

Blob

So far as I can tell, the router is NOT configured to allow ports 137, 138, or 139. Is there anything useful that comes from the test at »www.grc.com/x/ne.dll?bh0bkyd2 (GRC ShieldsUP!)? I always pass it ("STEALTH" everything) with flying colors, if that means anything at all.

EDIT: FWIW...This is result of probing NetBIOS ports on my machine:

Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.

Unable to connect with NetBIOS to your computer.

All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.


PX Eliezer
Morrow Project fan
Premium
join:2013-03-10
Outland
kudos:5
Reviews:
·Callcentric
·callwithus
reply to bcool

I don't know whether or not it is a security issue....

But I [do] know that I have always had it disabled, and disabling it has never caused a problem.

I use an old freeware program for this:

Seconfig XP

A free tool to close (not just shield) most exploited Windows security holes.
Can close ports 135, 137-139, 445, 1025 (used by file and printer sharing, Windows domains, other Microsoft Networks access and widely exploited by worms, hackers etc.), 1900, 5000 (used by UPnP) and other...
Can disable most dangerous Windows services.
Can protect Windows side against most ARP spoofing/poisoning attacks.
Can configure many other hidden security related Windows TCP/IP settings.
Works only with registry (no files, services, drivers etc.).
Includes three easy to use presets for average home (standalone) computers, Microsoft Networks members and standalone computers with VPN client access to Microsoft Networks.
Certified to be malware free by Softpedia.

»seconfig.sytes.net/

I've used it for several years, starting on XP and now on Windows7. Although a couple of the functions don't work on Windows7 (and it's not labelled for Win7), the important parts work fine.

Thing is, downloading it, doing a virus check on it, installing it, and rebooting, will only take a few minutes. Then you'll have a long-term useful tool and you'll be done.


bcool
Premium
join:2000-08-25
The Ozarks

1 edit

Thanks PX Eliezer. Appreciate your comment. I'll take it under advisement for time being.



workablob

join:2004-06-09
Houston, TX
kudos:3

1 recommendation

reply to bcool

That's what I expected. That the ports are not open. So, you have nothing to worry about regarding NetBIOS.

Thanks,

Blob
--
Don't try to follow me, I have a cab waiting. EEEEEEEEradicator!



bcool
Premium
join:2000-08-25
The Ozarks

1 edit

I suppose if I really wanted to get anal about the issue, I could run test with ZoneAlarm Free turned off and just router firewall up...just to see what Westell 327w is doing on its own. But you know what...for now this is enough.

Thanks all.



Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

1 recommendation

Good question habit about your own security & after NETBIOS is secure ..... hope your machine is able "SECURE_ABLE" too [ »www.grc.com/securable.htm ]


planet

join:2001-11-05
Oz
kudos:1
Reviews:
·Cox HSI
reply to bcool

said by bcool:

3.) Under "ipconfig" details = NetBIOS over TCP/IP is enabled.

I've disabled this. Haven't encountered any problems. I too am behind a router and I use the Win 7 FW with Sphinx FW Control »www.sphinx-soft.com/Vista/order.html

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

1 recommendation

reply to bcool

Leave it enabled. You have a firewall and a NAT router.



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC

1 recommendation

reply to bcool

said by bcool:

So far as I can tell, the router is NOT configured to allow ports 137, 138, or 139. Is there anything useful that comes from the test at »www.grc.com/x/ne.dll?bh0bkyd2 (GRC ShieldsUP!)? I always pass it ("STEALTH" everything) with flying colors, if that means anything at all.

It is useful for troubleshooting port forwarding; but take "Full Stealth" with a grain of salt. I "fail" stealth because I have configured my router to respond to "ping" on the WAN. This is necessary for participation in a site group monitor:

»/testhistory?view=81

Passing the GRC NetBIOS test is mostly default these days, because most ISPs block at least port 139, if not all of the NetBIOS ports.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online
reply to dave

said by dave:

Leave it enabled. You have a firewall and a NAT router.

Would that prevent any possibility of this type of exploit?

»isc.sans.edu/forums/diary/Is+it+···OS/12454
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.


Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

AFAIK ..... with Steve, routers configuration from Win-Vista up, it is highly secure networking !!! This is my own experience & your mileage may vary. Attach : Steve secure networking config.#


bcool
Premium
join:2000-08-25
The Ozarks

1 edit
reply to bcool

By the way, does unbinding File and Print Sharing from network adapter (what some might call disabling this feature) have any practical benefit here? I don't need File and Print Sharing.

**************************
EDIT: I doubt it had any real impact one way or the other. But I removed File and Print Sharing from the adapter components. I could unbind Client for Microsoft Networks but frankly I don't know enough about W7 OS to mess with it now.


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online
reply to Parad0X787

Yes NAT and firewalls do tend to work to prevent inbound packets so tend to block an attack. But routers have been found to have vulnerabilities and sometimes can be owned.

In any case, the vulnerability I asked dave to comment on is an outbound vulnerability. I was asking whether he felt that it offered any risks? I have found in the past that he tends to have a very good understanding of security.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.



Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

THX 4 clarification & understood your point of view



Rocky67
Pencil Neck Geek
Premium
join:2005-01-13
Orange, CA
reply to bcool

dave has offered the correct advice. Leave it enabled and don't worry about it.
--
Panic is the new patriotism



bcool
Premium
join:2000-08-25
The Ozarks

Thanks everybody. I feel a lot better about the issue. Thanks Dave!


psloss
Premium
join:2002-02-24
Lebanon, KS
reply to TheWiseGuy

said by TheWiseGuy:

Yes NAT and firewalls do tend to work to prevent inbound packets so tend to block an attack. But routers have been found to have vulnerabilities and sometimes can be owned.

In any case, the vulnerability I asked dave to comment on is an outbound vulnerability. I was asking whether he felt that it offered any risks? I have found in the past that he tends to have a very good understanding of security.

There's a little higher risk with NBT for an attack like that on untrustable networks. (Like "old-school" hotel/motel wifi. I haven't profiled the McDonald's style of wifi service recently.)

If one's home network is untrustable, well...

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3

Thank You


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

2 recommendations

reply to psloss

I concur. I think you're probably ok at home.

Offhand, though, I would guess it depends on (1) your router not passing along a broadcast NB name-resolution request, or if it does, (2) the WAN link not having any bad guys on it.

NB is supposed to be non-routeable so that ought to be ok.

But I am not 100% sure of the details.



bcool
Premium
join:2000-08-25
The Ozarks

Hmmm....

The Lord giveth and the Lord taketh away

Guess I'll just leave it at default set up.


Frodo

join:2006-05-05

1 recommendation

reply to bcool

I'm of the opinion that if you aren't using it, don't enable it. It doesn't matter whether it is netbios or anything else. That's kind of a companion approach to least privilege.

In my case, my router blocks inbound or outbound netbios. To my chagrin, I saw outbound transmissions being blocked in the router's firewall log. I first set up an IPsec policy to confine netbios to the IP ranges on the network cards, checked to see that no packets were being logged, and then shut it off anyhow. Don't know why it was trying to send packets.

It's very easy to turn on, if I wind up needing it.



Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11
reply to bcool

I've disabled it as I used to get annoying Event Viewer warnings or alerts about other computers on my network fighting to be the MASTER browser... or something to that effect. No negative effects and the alerts have stopped being logged.
--
"Graffiti Wall" Dustyn's Wall »[Serious] RIP



dib22

join:2002-01-27
Kansas City, MO
reply to bcool

I disable it to eliminate it from the equation.

Many here have stated that the router or upstream provider will take care of it... my question is, what happens when the upstream provider fat fingers their firewall, or if your local router gets compromised?


Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS

NetBIOS NS is a broadcast service (IE: not routable) and so would not pass through your router even if the provider has a misconfiguration. I have not seen specific references that the provider would protect against this, however.

Aside from that, most firewalls (consumer/prosumer) block everything inbound unless explicitly forwarded. As such even if a provider had a screwup it would still not impact home users unless they explicitly enabled the noted inbound connectivity.

With NetBIOS the default best practices apply. If file and printer sharing is not required then this functionality should be disabled. If left enabled (if needed or otherwise) the increase in risk is limited and with current Win* versions (Win7 or Win8) is less of a concern than with EOL OSs such as WinXP.

Disabling the feature on the network interfaces (as is referenced here) has less of an impact with Windows 7 than it did with previous OSs, but not doing so is no longer a significant risk.

If one's local router were to be compromised there likely would be additional issues beyond the use of NetBIOS with Win7 (or later).


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online

Then again what happens if there is a reverse Name Lookup of an IP? (while unlikely there are situations where I have seen them occur) The NetBios NS would first query DNS and if there was no Name associated with the IP it would then send packets to the IP address asking its Name and return packets would be allowed. (Except in this case ZA would block outbound NetBios)

Personally I think any risk is extraordinarily minor, but I tend to be conservative when giving security advice and if there is no gain in having something enabled, why take any risk at all?
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.


Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS

1 edit

That would be a standard DNS query (not NetBIOS NS). The originator of the query is not particularly relevant and has nothing to do with whether NetBIOS is in use or not.

Edit:

To expand. NetBEUI was strictly broadcast-domain only and was not routable, but was far from being "secure". NetBIOS is more secure and is routable, though some specific NetBIOS services such as name services (NS) are still broadcast-only.

With hosts that are part of a domain NetBIOS is secure, in fact is more secure than many legacy protocols. However in non-domain cases (such as home networks) this may not be the case. Windows 7 attempts to bring more security to non-domain (IE: home network) instances and the legacy concerns over NetBIOS really no longer apply. However, best practices dictating that if the functionality is not used it should be disabled definitely apply (this reduces attack surface directly).