TheWiseGuyDog And Butterfly MVM join:2002-07-04 East Stroudsburg, PA 1 edit |
to Shady Bimmer
Re: NetBIOS over TCP/IP on Windows 7 SP1
Sorry, I'm very rusty on my NetBIOS. I haven't thought about it in about 6 years, so maybe I am not explaining this well. Above is a firewall prompt for a NetBIOS port 137 lookup which occurs, on my Windows 7 system, when I do a tracert. It occurs since the DNS system does not have a name for the IP address. This was explained in the classic, Firewall Seen by Robert Graham, which is still available at linuxsecurity.net » www.linuxsecurity.com/re ··· .html#10
It is not a broadcast packet, it is a unicast packet. Now, can a miscreant find a way to force a system to do a reverse lookup of an IP address? Well, in some cases, if you run packet captures, traces or your firewall does reverse lookups for probes, the answer is a definite yes. Is it likely? Most people will say no and I guess I would agree. Then again, I suspect most thought it was not all that likely I would be correct 8-10 years ago when I used to say in this forum that at some point you would get infected just by going to a web site. My point is simple, and I believe you made this point also when you suggested "If file and printer sharing is not required then this functionality should be disabled": when you give security advice, IMO you should be conservative. That means if there is no gain, i.e. the person does not use NetBIOS, why not disable it and remove even the small risk? Small risks add up, both for the individual and the "internet community". |
|
bcool Premium Member join:2000-08-25 4 edits |
to Shady Bimmer
said by Shady Bimmer: NetBIOS NS is a broadcast service (IE: not routable) and so would not pass through your router even if the provider has a misconfiguration....
With NetBIOS the default best practices apply. If file and printer sharing is not required then this functionality should be disabled. If left enabled (if needed or otherwise) the increase in risk is limited and with current Win* versions (Win7 or Win8) is less of a concern than with EOL OSs such as WinXP.

Thanks everyone for useful info! Here's where I'm at right now. I've disabled NetBIOS (in WINS) for adapter. While I was nearby, I decided to unbind "File and Printer Sharing" protocol for the heck of it. HOWEVER, ZoneAlarm 2014 Free is somehow preventing me from DISABLING "File and Printer Sharing" in the appropriate place in the CONTROL PANEL. Evidence weighs heavy that ZoneAlarm is the culprit and hopefully there's good reason for it. Every time I attempt to DISABLE "Network Discovery" and "File and Printer Sharing" in Advanced sharing settings IT WILL TAKE during current session of Windows. But as soon as I reboot, both items are turned back on. Of course unbinding "File and Printer Sharing" protocol from the adapter probably means little in terms of networking, right? At the end of the day, I have IPv6 (temporarily) disabled, NetBIOS non-functional and that may just have to be enough unless anybody has some other ideas (aside from tossing out ZoneAlarm). Thank you again!

Last minute EDIT: I found this in ZA forum, quote: "ZA overrides system settings. So you need to work with ZA zones and from there set what you trust and what you do not. If you have no trusted zone in ZA then there will be no sharing regardless what the OS is saying."
=== I bet implementing "no trusted zone" to everything in ZA will play havoc somewhere in the OS. Not gonna do it; wouldn't be prudent at this juncture! |
|
dave Premium Member join:2000-05-04 not in ohio |
to TheWiseGuy
Ever the contrarian, I'd say the difficulty lies in knowing "whether you use NetBIOS". I think if you have more than one node attached to your network, it's difficult to be sure. NetBIOS name resolution tends to crop up in unexpected places, and I'm not convinced that a handful of tests is exhaustive proof that nothing I do needs it. Though I could be out of date, I suppose.
The tradeoff from my point of view is "very small risk of attack" versus "very small risk of having to spend time figuring out obscure problem down the road".
I certainly can't turn off file and printer sharing, but that's technically independent of turning off the NetBIOS name service. Though once again, I haven't looked lately as to whether I can do that by itself. |
|
TheWiseGuyDog And Butterfly MVM join:2002-07-04 East Stroudsburg, PA |
said by dave: Ever the contrarian, I'd say the difficulty lies in knowing "whether you use NetBIOS". I think if you have more than one node attached to your network, it's difficult to be sure. NetBIOS name resolution tends to crop up in unexpected places, and I'm not convinced that a handful of tests is exhaustive proof that nothing I do needs it. Though I could be out of date, I suppose.

If you have an actual network I suspect you use it or might use it and there is some gain, which is why I actually have it enabled for my network. If, as in this case, you only have the one computer, you do not use it. Of course there is also the principle of, you can disable it and if something breaks re-enable it, but of course you must remember that it is disabled, especially if you make changes to your network. I do not think being a conservative when it comes to security should be contrarian, and supporting steps which reduce risk even slightly should not be a contrarian notion for a security forum. But if you and others want to believe I am the contrarian (I am in investing) that is fine, it certainly does not bother me. |
|
bcool Premium Member join:2000-08-25 |
2014-Mar-3 8:25 am
Dave, I get your message and in fact I've paid that price before in Windows 98 and maybe even in XP. This time around I've recorded my changes (the ones that were successfully effected) so I don't forget. So far they include the following:
1.) IPv6 effectively disabled (for adapter and all "tunnel" interfaces) for the moment
2.) IP Helper service was set to MANUAL start
3.) NetBIOS over TCP/IP is unbound in WINS for network adapter
4.) "File and Printer sharing" protocol is unbound from network adapter
Thanks to Windows 7, all four of these can be returned to functional state quite easily so long as I don't forget to check "ENABLE IPv6" within ZoneAlarm. I'm gonna quit now before I really do break something. Event Viewer is pretty quiet and Internet is sailing at high speed practically without incident. The sparse DNS hiccups recorded in Event Viewer were popping up before I even touched a thing so I don't think if I see them again that I can blame my tinkering. That is all. |
|
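The changes listed in the post above can be captured in a dated snapshot file so they can be compared or reverted later. This PowerShell script is an added example, not part of the original thread; it only reads state through WMI classes and `netstat`, which are available on Windows 7 with PowerShell 2.0. The function name and output file name are assumptions, and the binding state of "File and Printer Sharing" is not covered.

```powershell
# Added example (not from the thread). Read-only: records state, changes nothing.
# Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions:
#   0 = use the DHCP-supplied setting, 1 = enabled, 2 = disabled
$NetbiosState = @{ 0 = 'Default (DHCP decides)'; 1 = 'Enabled'; 2 = 'Disabled' }

function Get-StackSnapshot {   # hypothetical helper name
    # One record per IP-enabled adapter
    $adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter     = $_.Description
                NetBIOS     = $NetbiosState[[int]$_.TcpipNetbiosOptions]
                # No IPv6 address on the adapter is consistent with IPv6 being unbound
                HasIPv6Addr = [bool](@($_.IPAddress) -like '*:*')
            }
        })

    # IP Helper service (service name iphlpsvc): start mode and current state
    $svc = Get-WmiObject Win32_Service -Filter "Name = 'iphlpsvc'"

    # Local sockets still bound to the NetBIOS ports (137/138 name and datagram, 139 session)
    $sockets = @(netstat -an |
        Select-String -Pattern '^\s*(UDP|TCP)\s+\S+:(137|138|139)\s' |
        ForEach-Object { $_.Line.Trim() })

    New-Object PSObject -Property @{
        Taken          = Get-Date
        Adapters       = $adapters
        IpHelperStart  = $svc.StartMode
        IpHelperState  = $svc.State
        NetbiosSockets = $sockets
    }
}

$snap = Get-StackSnapshot
$file = Join-Path $env:USERPROFILE ('netstack-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))
$snap | Export-Clixml -Path $file      # one file per run; keep the "before" copy

$snap.Adapters | Format-Table Adapter, NetBIOS, HasIPv6Addr -AutoSize
"IP Helper: start mode $($snap.IpHelperStart), state $($snap.IpHelperState)"
if ($snap.NetbiosSockets.Count -eq 0) { 'No local sockets on ports 137-139' }
else { $snap.NetbiosSockets }
```

A saved snapshot can be reloaded with `Import-Clixml` and compared with a later run, for example after a reboot, to spot a setting that another program has turned back on.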
dave Premium Member join:2000-05-04 not in ohio |
to TheWiseGuy
I think you misunderstood - I meant I was the contrarian for disagreeing with your advice. |
|
bcool Premium Member join:2000-08-25 1 edit |
2014-Mar-3 10:47 am
Anyway the lesson I learned is record any changes I dare to make to network stack and that way I can reverse anything I do without guessing at it. Thanks everybody! |
|
TheWiseGuyDog And Butterfly MVM join:2002-07-04 East Stroudsburg, PA |
to dave
|
|
|
to bcool
I reinstalled my Win 7 2 weeks ago. I am somewhat sort of wary of my cable modem router security and have been using a USB mobile stick connection. I don't have a home network so I restrict a lot: I have disabled IPv6, file and printer sharing and client for Microsoft networks. If I would use cable modem I would also further disable QoS and those 2 topology things from the network adapter. So basically I have only Internet Protocol Version 4 (TCP/IPv4) ticked on my adapters and for that NetBIOS disabled. Further I am using a 2 way Windows firewall which has TinyWall provided 'Windows Network Discovery rules also unticked'. So basically I have only these rules allowed on my Windows firewall: » www.saunalahti.fi/~jarmo ··· ules.jpg
Not as told the last Network Discovery rules. I might need them with a VPN connection? As a service I stopped and disabled WMPNetworkSvc, so that wmpnetwk.exe is not running and opening ports. Everything seems to work well for my single computer connected to internet. I am willing to take back in use some of the disabled if someone can give a reason why I should. |
|