Cronk

join:2005-07-16

Need to block NetBIOS?

I have been reading about the need to block netbios traffic as a security precaution. In this article from the microsoft knowledge base,

»support.microsoft.com/default.as···;Q330904

it says:
If you use a router or other hardware device to provide Internet access to multiple computers, configure the connection sharing device to block inbound NetBIOS and UDP broadcast traffic.

Can anyone tell if this is a necessary precaution, and how to do it with the router? I do understand it can be done with a software firewall, but I want to know how to do it with the router.

Thanks



Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13

you disable it on your comp
see
»www.petri.co.il/disable_netbios_···2003.htm

Cudni
--
What is now proved was once only imagined.
Help yourself so God can help you



SirSteve
Premium
join:2003-11-28
Woodbury, CT

reply to Cronk

I may be wrong here but isn't NetBIOS blocked by default in the Windows XP SP2 firewall settings?



antiserious
The Future ain't what it used to be
Premium
join:2001-12-12
Scranton, PA
reply to Cronk


... I run XP Pro SP2, and Outpost ALWAYS showed NetBIOS with an asterisk and 0 bytes sent/received ... once disabled, of course, nothing shows at all - so I don't know if it was 'disabled' by SP2 or 'neutered' ... I feel better not seeing anything at all in the firewall ...

... f w i w ...

--
... "Do You Know Where Your Towel Is ?" ...



ZOverLord
Premium
join:2003-10-20
Minneapolis, MN
reply to Cronk

Why not just delete the Protocol from your wireless adapter, go to properties, and just leave TCP/IP, and delete NetBIOS?
--
Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com



hpguru
Curb Your Dogma
Premium
join:2002-04-12
reply to Cronk

I have 8Signs FW configured to only accept netbios connections to or from trusted MAC addresses so I don't worry about it.


Cronk

join:2005-07-16

reply to Cronk

OK thanks to all for the information.

I am hesitant to disable it at the computer level because from what I've read, NetBIOS may be needed for file sharing on Win9x, which is the OS on one of my machines.

That's why I thought it would be better if I could block NetBIOS traffic from the web, at the router. The MS knowledge base article seems to imply it can be done at the router, but I have yet to find out how to do it. Does no one here block it at the router?

Thanks



Birds0

join:2004-10-23
reply to Cronk

Part of it will depend on what type of firewall you have and how it handles protocols.

Basically you would create a line in the firewall rules for both inbound and outbound traffic that would drop all packets associated with the NetBIOS protocol. Such a rule might look like:
"drop all protocol NetBIOS"

Some modems have built in keywords for common protocols such as TCP and UDP. NetBIOS may not be listed as a keyword in which case you would have to know the protocol number associated with it.

From what I can find, the value for the NetBIOS frames appears to be 003f.

So a rule to drop it might also look like:
"drop all protocol 003f" or something to that effect.

But...

If you aren't using file or print sharing then the easiest thing is to go into the TCP/IP protocol under the "Advanced" button, select the "WINS" tab and click the "Disable NetBIOS over TCP/IP" radio button.

Hope this helps.

Birds


Cronk

join:2005-07-16
reply to Cronk

Thanks.

But I want to be able to use file and print sharing.

By the way, wouldn't NetBIOS traffic from the net be seen by the router as unsolicited traffic, and just be blocked by default anyway?



Birds0

join:2004-10-23

One would hope but since firewalls require ports to be open in order to send and receive traffic there is always a possibility of someone sneaking in.

For home file and print sharing plus some security, have you considered using the old NetBEUI protocol and disabling NetBIOS (NetBEUI can be found on the Windows XP OS CD and installed very easily - copy two files over.)

NetBEUI is a non-routing protocol so if you have your router's WAN port and the DSL modem on a different IP network than the PCs in your house (meaning your WAN port and DSL modem are something like 192.168.2.XXX while your PCs and printers are something like 192.168.50.XXX), you would be able to share files and printers but the NetBEUI protocol wouldn't broadcast its presence to the WAN port or DSL modem. The protocol would stay local to the 192.168.50.XXX network.

Enjoy.



gracie7
Geek Goddess
Premium
join:2003-07-15
confusion
reply to Cronk

As birds mentioned, i'd recommend using netbeui for file sharing; if you check some of my old posts, you'll find detailed directions. (i also recommend using the netbeui from win 2k rather than the xp one, in line with a number of ms mvps). binding file and printer sharing to netbeui instead of netbios over tcp/ip will effectively help close the open ports you are concerned about.
--
graciella! "not tonight dear, I have DSL."
Creating SuperOrganizations Worldwide
Creating & Hosting SuperSites Worldwide



Birds0

join:2004-10-23
reply to Birds0

Forgot to include...

NetBIOS typically uses ports 137, 138, 139, 445. Can't remember which are UDP and which are TCP.

Check the existing firewall rules to see if there are rules created to "drop" those ports, if not you would create the rules yourself according to the syntax your firewall uses.


Cronk

join:2005-07-16
reply to Cronk

Thanks for that info.

I am not that good with network protocols, and I'd rather leave the XP settings as close to default as possible.

I'm still trying to figure out an easier way to block NetBIOS with the router. When I look in the Help files for my Sygate firewall, it says:

NetBIOS protection
By default, this option is disabled and cannot be changed in the Standard version, and is disabled and changeable in the Pro version of the Personal Firewall. This option blocks all communication from computers located outside the Personal Firewall's local subnet range. NetBIOS traffic is blocked on UDP ports 88, 137, and 138 and TCP ports 135, 139, 445, and 1026.

If that is all it takes to block NetBIOS, can't I just block those in my router? Or would they be blocked already by default in the router, and I'm just chasing my tail here?

Thanks


Cronk

join:2005-07-16
reply to Cronk

Oops, it looks like you and I were typing at the same time, Birds.



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to gracie7

Agree with you and Birds in this regard. I (we) use NetBEUI for our own small peer-to-peer LAN here for file and printer sharing and it works a charm. It's a heterogeneous environment, comprised of Win 98 SE, Win 2000 Pro, Win XP Home, and Win XP Pro boxes.

I understand that the NetBEUI protocol will not be supported in the next Microsoft OS, but it sure works fine at the moment. (Have to install from the CD for Win XP, as I recall.)
--
Regards, Joseph V. Morris



gracie7
Geek Goddess
Premium
join:2003-07-15
confusion

said by jvmorris:

I understand that the NetBEUI protocol will not be supported in the next Microsoft OS, but it sure works fine at the moment. (Have to install from the CD for Win XP, as I recall.)
glad to see another netbeui proponent. while netbeui is not installed by default with xp, it IS supported, and so far my network works fine using netbeui even with one machine running a vista alpha, so i'm hoping it will be usable with vista as well. and you do not have to install from the xp cd; as i mentioned (and a number of trusted mvps have suggested), you can use the win2k netbeui and install it fine on xp, and it works better than the one on the xp cd. see past threads for directions and links.
--
graciella! "not tonight dear, I have DSL."
Creating SuperOrganizations Worldwide
Creating & Hosting SuperSites Worldwide


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1

Gracie,

If it ain't broke, I ain't gonna fix it! (And it's not broken here.)

We don't really do a lot of file and printer sharing; it's more a safeguard against suddenly empty ink cartridges, etc. I think I'm gonna have to buy a new printer sometime soon, however, as the one on this ole Win 98 SE box is as old as the box itself and the ink cartridges are indeed becoming a bit hard to find.

With regards to NetBIOS, on the other hand, I prefer to shut it down and keep it shut down (including via the software firewalls on the various boxes). I had too many horrible episodes with one update or another silently re-enabling it without my knowledge (years ago on the older OSs, to be sure), so I've just shut it down completely, blocked it with the firewalls, etc.
--
Regards, Joseph V. Morris



salzan
Experienced Optimist
Premium
join:2004-01-08
WA State
reply to Cronk

Here's Steve Gibson's page with some further reading and instructions on how to use NetBEUI instead of NetBIOS.

»www.grc.com/su-bondage.htm

I've got our home office network of four machines running Win98 and Win2K set up this way.



gracie7
Geek Goddess
Premium
join:2003-07-15
confusion

said by salzan:

Here's Steve Gibson's page with some further reading and instructions on how to use NetBEUI instead of NetBIOS.
a great starting place and a boon "in the day", but never updated for xp. the xp directions are quite different, and have been posted here and in networking a number of times. steve's pages are still the canon on getting the concepts.
--
graciella! "not tonight dear, I have DSL."
Creating SuperOrganizations Worldwide
Creating & Hosting SuperSites Worldwide


ChrisDAT
Google Keyword Compsysnyc

join:2002-02-26
Hollis, NY
reply to Cronk

Whenever I config Win "file/print sharing" on a LAN, I spec IPX/SPX (Ethernet 802.3)-- while the config is a bit more involved than NetBEUI (you must assign a network address and an Ethernet frame type), it has the advantage of being routable on a multi-network LAN (with IPX routers present), but not routable over the internet, so it remains invisible to the internet.

In XP it's called NWLink IPX/SPX/NetBIOS Compatible Protocol, and the config is straightforward.

Internal Network number: 00000000 -- for all PCs, and I wouldn't suggest changing it.

Frame type: Ethernet 802.3 -- it's important that you set this, so that all of your PCs use the same one. Auto will cause problems. 802.3 has the least overhead of the frame types. [FYI: ETHERNET_II is the frame type used by TCP/IP, and ETHERNET_SNAP is a throwback to IBM Token Ring].

Network Number: C0A80100 -- this example is actually hex for 192.168.1.0 -- you can choose whatever you like, just as long as all PCs have the same one.

Unlike TCP/IP, the host address is not configurable because it is the MAC address of the NIC; this all but guarantees that all hosts have unique addresses.

Just another way to skin this cat.



Mike cox

@208.247.x.x
reply to jvmorris

NETBEUI was actually taken out of the LOOP because the SAMBA File server for Linux made use of it!
Not to Mention that it is one of the Only ways left to get a Windows 95/98 box to talk to a 2000/XP boxen stably.

And microsoft said We can't have those customers using Linux or old 95/98 we NEED to FORCE them to upgrade to our latest product.
Shame on you Microshaft.



Birds0

join:2004-10-23
reply to ChrisDAT

ChrisDAT,

Does the use of IPX/SPX produce a less "chatty" network than the use of NetBEUI?

Thanks.



gracie7
Geek Goddess
Premium
join:2003-07-15
confusion

we'd looked at ipx/spx as an alternative and found no advantage and some disadvantage, so ymmv. i've never found netbeui to be 'chatty', but then my chat standards are pretty low.



ChrisDAT
Google Keyword Compsysnyc

join:2002-02-26
Hollis, NY
reply to Cronk

I would say that IPX does have less network overhead because it has more control over addressing and stuff like that -- It does many of the things that TCP/IP does in terms of connection control and management that are just not present in the NetBEUI protocol (I think it's connection-less?).

You would be surprised how similar IPX and IP are -- SPX is TCP -- the error-controlling, connection oriented protocol, whereas NetBEUI relies heavily on broadcasts and UDP type data communication (no ACKs?) -- IPX even uses its own version of ARP.

The weakness of Microsoft's implementation of IPX is that it provides little or no tools to manage or interrogate the protocol, so you can't "see" what it's doing. However, the MS NET command (NET [VIEW|CONFIG|USERS|?|, etc...]) indirectly displays the stats the same way.

net config [server|workstation] is the most informative command for exposing the bound protocols.

net session displays connection stats like nbtstat -s.

net statistics [server|workstation] is like running netstat -s.

Unfortunately, the NET commands do not expose IPX stats directly, just the WinShare stats. They are available regardless of what protocol you use, and across all Win versions.

Both protocols are perfectly acceptable on a small scale, I would try both, and see which performs best for you. IMHO, IPX will shine with large numbers of PCs and/or high share traffic -- it's just a more efficient protocol.

Just to add: I get much faster "Network 'Hood" convergence (display) using IPX than with NetBEUI.



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to Mike cox

Well, Mike, you just reminded me of another reason I run NetBEUI -- it's the Old Beast, a WfW 3.11/DOS 6.22 box that I keep promising myself I'm going to hook up again!
--
Regards, Joseph V. Morris


Cronk

join:2005-07-16
reply to Cronk

I've decided that the Win9x box does not really need to have file sharing enabled, so I am willing to go ahead and disable NetBIOS. I was getting ready to disable it in Network properties as people have suggested above, but I decided to do a test first. I turned off my Sygate firewall, so my only firewall is the NAT function in the router. I went to Steve Gibson's ShieldsUp! site and ran his tests, and passed all of them. It shows that all the NetBIOS vulnerabilities are closed. So apparently the router is blocking all the NetBIOS ports. Or am I missing something here?

Thanks



SirSteve
Premium
join:2003-11-28
Woodbury, CT

said by Cronk:

I went to Steve Gibson's ShieldsUp! site and ran his tests, and passed all of them. It shows that all the NetBIOS vulnerabilities are closed. So apparently the router is blocking all the NetBIOS ports. Or am I missing something here?

Thanks
Nope, you're not missing anything. You're all set.


ChrisDAT
Google Keyword Compsysnyc

join:2002-02-26
Hollis, NY
reply to Cronk

The router NAT is sufficient to hide your NetBT (NetBIOS over TCP/IP) PCs from incoming [only] probes and stuff like that -- however, if your PCs are still running NetBT, they may still "expose" themselves by making outbound requests to resolve Win names and the like -- as a matter of fact, unless you create a firewall rule to prevent outbound NetBT (or stop running it), your PCs will still be able to establish NetBT connections to (unblocked) PCs on the internet -- maybe not what you want.
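The rules discussed in this thread, as an added example that is not part of the original posts or of any product mentioned in them: a small packet classifier that uses the port list Cronk quoted from the Sygate help text (UDP 88, 137, 138; TCP 135, 139, 445, 1026), applies the two rules from the Microsoft KB wording (drop NetBIOS arriving from outside the local subnet, drop inbound UDP broadcasts) and, optionally, the outbound rule ChrisDAT recommends so LAN hosts cannot open NetBT connections to machines on the internet. The `Packet` type, the `verdict` function and the log lines are constructed for the example; the addresses use documentation ranges.

```python
"""Constructed example: classify packets under the NetBIOS filtering rules
discussed in the thread. Not code from the thread or from any firewall."""
import ipaddress
from dataclasses import dataclass

# Port list as quoted from the Sygate help text in the thread.
NETBIOS_UDP_PORTS = {88, 137, 138}
NETBIOS_TCP_PORTS = {135, 139, 445, 1026}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def is_netbios(pkt: Packet) -> bool:
    """True if the destination port is one the thread lists for NetBIOS/SMB."""
    ports = NETBIOS_UDP_PORTS if pkt.proto == "udp" else NETBIOS_TCP_PORTS
    return pkt.dport in ports


def verdict(pkt: Packet, local_net: str, block_outbound: bool = True) -> str:
    """Return "allow" or "drop" for one packet.

    local_net is the LAN prefix the router protects, e.g. "192.168.1.0/24".
    """
    net = ipaddress.ip_network(local_net)
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    src_local, dst_local = src in net, dst in net
    is_bcast = dst == LIMITED_BROADCAST or dst == net.broadcast_address

    # KB wording: block inbound UDP broadcast traffic, whatever the port.
    if pkt.proto == "udp" and not src_local and is_bcast:
        return "drop"
    if not is_netbios(pkt):
        return "allow"
    if src_local and dst_local:
        return "allow"  # LAN-only file and print sharing keeps working
    if src_local and not dst_local:
        # ChrisDAT's case: a LAN host reaching NetBT services on the internet.
        return "drop" if block_outbound else "allow"
    return "drop"  # inbound NetBIOS from outside the local subnet


def filter_log(lines, local_net: str, block_outbound: bool = True):
    """Parse constructed 'proto src dst dport' lines and classify each one."""
    results = []
    for line in lines:
        proto, src, dst, dport = line.split()
        pkt = Packet(proto.lower(), src, dst, int(dport))
        results.append((line, verdict(pkt, local_net, block_outbound)))
    return results


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    "udp 192.168.1.20 192.168.1.255 137",   # LAN name-service broadcast
    "tcp 192.168.1.20 192.168.1.30 445",    # LAN file sharing
    "tcp 203.0.113.5 192.168.1.20 139",     # inbound NetBIOS session probe
    "udp 203.0.113.5 255.255.255.255 138",  # inbound UDP broadcast
    "udp 203.0.113.5 192.168.1.255 5000",   # inbound non-NetBIOS broadcast
    "tcp 192.168.1.20 198.51.100.7 445",    # outbound NetBT to the internet
    "tcp 203.0.113.5 192.168.1.20 80",      # unrelated traffic, left alone
]

if __name__ == "__main__":
    for line, v in filter_log(SAMPLE_LOG, "192.168.1.0/24"):
        print(f"{v:5s}  {line}")
```

The first five verdicts are what a NAT router already produces for unsolicited inbound traffic, which is why the ShieldsUp! test above passed with the software firewall off; the sixth line is the outbound case that NAT alone does not cover, and is the one rule a LAN-side filter adds if the hosts keep running NetBT.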



salzan
Experienced Optimist
Premium
join:2004-01-08
WA State
reply to gracie7

said by gracie7:

never updated for xp.
Oops!:o I never realized the explanations weren't updated.
It's been a long time since I used the info but I remember that the little diagrams helped explain it when I was trying to set up NetBEUI.

Time to clean up the bookmarks.....

Formeister

join:2000-10-28
Somers, CT
reply to Cronk

For an XP or WinX box you can get by with just NetBEUI and TCP/IP. You can disable Netbios and have your bindings set to just NetBEUI. All cu's will be able to see each other and you can share printers etc. I've heard this is very secure.

For me if I wanted my Xp Box to see my linux box or vice versa I had to keep Netbios, of course I'm a linux noob so there may be ways around this.