The Snowman
Premium Member
join:2007-05-20

3 edits

The Snowman

Premium Member

Removed By OP

Removed by OP:

one wannabe complaint was one too many

*** if anyone copied the info or Link that was previously here....feel free to begin your own Topic on the subject.

Jahntassa
What, I can have feathers
Premium Member
join:2006-04-14
Conway, SC

1 edit

Jahntassa

Premium Member

Re: Disable NetBIOS and SMB

Just curious, why would you need to do this if you're behind a router?

Edit: Not a wannabe complaint, a legitimate question. If you're behind a router, what does disabling SMB / NetBIOS gain you?
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

said by Jahntassa:

Just curious, why would you need to do this if you're behind a router?

Edit: Not a wannabe complaint, a legitimate question. If you're behind a router, what does disabling SMB / NetBIOS gain you?
I have no idea. Plus, I don't understand why we are told to disable NetBios when it is required for networking. I have seen zero clear answers about this issue in this forum. The only answer that has been helpful to me is that ProcessGuard will protect me so I am doing nothing about it (I already had Webclient disabled). I think I need to be reading other security forums than this one because only ONE person ONE TIME in only ONE of the many threads here on this topic mentioned that ProcessGuard will fully protect. So, why should I pull out my hair doing all this stuff that folks are going on about here when I already have a security program that will protect me? The comment about PG was not even directed at me. Instead others here have told me to do all sorts of elaborate stuff (including blocking ports and getting rid of things I need for networking) when all along PG will protect me which is what I thought from the beginning but I wasn't sure because everyone here has been ignoring security software protection as a solution.

rcdailey
Dragoonfly
Premium Member
join:2005-03-29
Rialto, CA

2 edits

rcdailey

Premium Member

I have it disabled on this computer I'm using now, but that's because it is not connected to a LAN. I also have Client for MS Networks disabled and File and Printer Sharing disabled. I don't need them on this computer. However, I don't think you can get by without them if you have a network. You don't have to have NetBIOS over TCP/IP enabled for networking, but having it makes it easier to find computers on a network. I believe it does add some overhead to the network, and that would be a reason to not use it.

I found this old article on the subject, referencing Windows 2000:

»articles.techrepublic.co ··· 315.html
OZO
Premium Member
join:2003-01-17

OZO to Mele20

Premium Member

to Mele20
said by Mele20:
said by Jahntassa:

Just curious, why would you need to do this if you're behind a router?

Edit: Not a wannabe complaint, a legitimate question. If you're behind a router, what does disabling SMB / NetBIOS gain you?
I have no idea. Plus, I don't understand why we are told to disable NetBios when it is required for networking.
NetBIOS is not required for networking.

I don't know who and why someone told you that you should disable it, but I do it for my own reasons (not related to the last security problem with CWD, BTW).

I'm always running computers on my LAN with NetBIOS disabled. It's an old technology, it's extremely chatty, and it is not actually needed for computers to connect to each other and share resources.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to The Snowman

Premium Member

to The Snowman

Re: Removed By OP

NETBIOS IS required. File and Printer sharing requires it. NETBIOS is required for you to be able to see the machines in My Network Places and Network Neighborhood. It is also required for virtual machines to see each other and be able to communicate and share on the network. It was in these threads here on the exploit where repeatedly we have been told to disable NETBIOS.

The article that rcdailey refers to states "....NetBIOS will not carry between domains and is completely useless if you have a router on your network." That is a ridiculous comment. I could not have a network without a router! In fact, the reason I got a router was so I could network the computers!

Further, I have a 98SE machine. That requires NETBIOS to network it and networking a 98SE machine with XP Pro years ago was extremely difficult. I was unable to do it after hours and hours of trying (after undoing NetBeui that I was using on that machine and using the XP Pro disk (another current thread someone is claiming no need for a reinstallation disk...I would have been up a creek if I hadn't had one) to install the necessary files on the 98SE computer, I easily got the 98SE machine to see the XP machine. (Networking the printer was an entirely different story though).

The XP machine could not/would not see the other machine. Finally, a Dell field tech was over to replace something on the XP machine and I asked him about it. He said he would fix it, it would be easy and quick. An hour later he was stumped. Long story, but finally with some strange creativity that meant I lacked a lot of functionality when that computer was networked, he finally got XP to see the other computer.

I was ok (except for printer problems periodically on the 98SE machine) until I started using virtual machines. The first one, an XP virtual machine was easy, but the Vista virtual machine was and still is, at times, a real bugger to keep properly networked. It has to do with file permissions on that computer. The Windows 7 RC virtual computer was also not easy to network. The virtual machines all use different software to run on and love to get an IP address assigned to another machine and that is a bitch to fix.

Anyhow, I am not about to screw around with the network that is currently working ok. It is too great a headache to mess with networking if you succeed in getting the machines to all see each other, share files properly, master browser function works correctly, and all machines do not try to boot with another machine's IP address.
The Snowman
Premium Member
join:2007-05-20

1 edit

The Snowman

Premium Member

Mr OZO,

The original post provided INSTRUCTIONS on how to disable Net bios and SMB.........in this Topic never was it posted advising anyone to disable anything......the choice was entirely theirs.
It appeared that numerous members were struggling because of not knowing how to disable the Net bios.
When the complaining began the post was removed.

rcdailey
Dragoonfly
Premium Member
join:2005-03-29
Rialto, CA

1 edit

rcdailey to Mele20

Premium Member

to Mele20
The article explains how it would be possible to have a network based on TCP/IP without NetBIOS. I did not say it would be dead simple and I have not done it, although I may take a stab at disabling NetBIOS over TCP/IP at a business where there is a small network. It's easy enough to disable and see what happens and then re-enable. I don't think it will work because of the names that need to be translated by some service. However, if the router supplies DNS, then the computers on the network can find each other via DNS if Active Directory is enabled, according to the site. That's another issue.

If things work as they are, I'm inclined to leave them alone or at least be sure I can go back to where I was, as happened today on another issue. So, if your systems are working fine as they are, don't mess with the network.
I agree on the headache with getting machines to see each other. I've been there and had trouble when the network shares were lost and I could not remember how they had been set up because it had been so long since the last time they were lost.

Oh, and now I remember something else, based on further reading. If I would like to disable NetBIOS over TCP/IP on this network at this particular office, then I need to map a network drive for some legacy software and that would mean I'd have to use the IP of the computer, which I could get from the router, but then I'd be disabling the Computer Browser service, because it won't work without NetBIOS, etc., etc. I don't think I'll have time to play with it since they really need to use those computers sometimes during the day.
OZO
Premium Member
join:2003-01-17

OZO to Mele20

Premium Member

to Mele20
The article that rcdailey refers to states "....NetBIOS will not carry between domains and is completely useless if you have a router on your network." That is a ridiculous comment. I could not have a network without a router! In fact, the reason I got a router was so I could network the computers!
I guess you don't realize that the article and you are talking about different routers. They're talking about routers that separate different subnets on complex networks, while you're talking about your home NAT router. Am I right?

They're correct when they state that NetBIOS is not a routable protocol, meaning it cannot traverse IP routers properly. Please make yourself a bit more familiar with NetBIOS before you tell us that it is a ridiculous comment...

My condolences that you still have a network with 98SE machines. They need that old protocol. But beginning with W2000 - there is no such need (don't believe me? - read the article mentioned above or check links at the bottom of the article).
Tuulilapsi
Kenosis
join:2002-07-29
Finland

1 edit

Tuulilapsi to Mele20

Member

to Mele20

Re: Disable NetBIOS and SMB

said by Mele20:

The only answer that has been helpful to me is that ProcessGuard will protect me so I am doing nothing about it (I already had Webclient disabled). I think I need to be reading other security forums than this one because only ONE person ONE TIME in only ONE of the many threads here on this topic mentioned that ProcessGuard will fully protect.
You know, I wouldn't necessarily trust that one person who said ProcessGuard will fully protect you against these "binary planting" attacks, unless you've seen some really good testing that proves his words. I haven't dealt with Process Guard in a long time, but as far as I remember, it doesn't monitor DLL loading. I could be wrong. But if I'm not, and if Process Guard doesn't monitor DLL loading, then it can't protect you against these attacks, because the attacks happen to rely on a malicious DLL being loaded by a legit program that you will have allowed to run, such as your browser or media player of choice. This is not DLL injection by a malicious piece of code, it's a legit program trying to load a malicious DLL because of a design error in the legit program (or, one could argue, the operating system).

Edit: Actually, ten seconds of googling found a post by PG developers that suggests PG does not protect against these attacks.
»www.wilderssecurity.com/ ··· count=13
quote:
said by Jason_DiamondCS:
Process Guard blocks all static DLL injections except for these :-

1) An existing DLL is overwritten that is used by a commonly run program
2) A DLL is placed on the system that the host program enumerates and loads. ie a plugin based program
Number 2 is our winner.
said by The Snowman:

It appeared that numerous members were struggling because of not knowing how to disable the Net bios.
When the complaining began the post was removed.
Please don't go around removing posts just because someone complains. Don't even consider it. Unless that someone is a moderator. Removing posts because someone complained makes a mess of the forum discussions. Let's face it, some people will complain. Some people will not. A wise man doesn't care either way, he just tries to make sure that what he's saying is right and proper and makes sense.

Edit: added stuff.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

Thank you for that information about PG. I seldom go to Wilders these days but I should have gone and looked myself.

rcdailey
Dragoonfly
Premium Member
join:2005-03-29
Rialto, CA

rcdailey to Tuulilapsi

Premium Member

to Tuulilapsi
Amen. Those were useful posts.

AB
Premium Member
join:2006-04-04
equatorial

AB to The Snowman

Premium Member

to The Snowman

Re: Removed By OP

said by The Snowman:

The original post provided INSTRUCTIONS on how to disable Net bios and SMB.........
But they're not there now, are they?
It appeared that numerous members were struggling because of not knowing how to disable the Net bios.
When the complaining began the post was removed.
You edited your O.P. purely of your own accord after exactly one reply.

Nor did I see Jahntassa make any 'complaint'.

secured655
@rr.com

secured655 to The Snowman

Anon

to The Snowman
Mele20, I'm sorry that your win98 system requires netbios for networking.
The advice relating to disabling netbios came from the write-ups on the current webdav feature vulnerability where, if exploited (or utilized, if you are referencing use by a 'trusted' third party software) which stated that a remote share could be used to host a malicious dll during an exploit. If filesharing is disabled and ports are blocked to provide a redundant backup for prevention, then the malicious activity cannot succeed. Netbios CAN communicate directly to a remote share (note this is not a broadcast) through a router.

Please read the following especially notes on P-node and use of lmhosts:
»technet.microsoft.com/en ··· 013.aspx to connect to a remote share (on the internet).

It will show how filesharing can be used through a router

In my case, my network is merely multiple access points for each computer to be able to connect to the net via the router. Each SW firewall blocks all of the other computers on the lan from communicating. This is a security measure to prevent one from infecting another if something happens. No resource sharing is required between the computers. Probably every home lan is different so generic advice may have limited usefulness.

Mysec's advice regarding prevention of unauthorized executables is outstanding. So you are protected and that is good.
As a redundant backup for you, I have recommended blocking the named ports on your router outbound (to the WAN). You lose nothing (unless you're also making use of remote shares on the net) but add an extra measure of defense.

For others, if you choose not to disable the service and block the ports, AND an exploit makes use of the webdav feature's vulnerability, then the call goes out of your computer through your router (which is going to recognize the communication to a remote share as legit) then the exploit will succeed (not taking into account PG or other effective protection). Better to prevent it one way or another (block the ports, disable the service on post w2k systems).
I hope this helps to explain the logic behind the advice.
Three interesting findings that I have encountered while evaluating the webdav problem:
1. Port 135 may be harder to close than I first thought because of its use by rpc. Will share more if I find out anything.
2. Network Magic makes use of filesharing and the like in its functionality. I turn off the services and think I've closed the ports, only to find svchost.exe opening them and using them.
This simply shows that SW can bypass settings.
3. One post had a novel approach involving disabling the netbios device driver or driver from the device manager.
I'm not recommending that yet, but when I tried it, the result effectively broke network magic, in turn breaking internet connection. And btw, I do realize that I don't need network magic.
Good luck to everyone on what seems to be a confusing issue with this webdav feature.
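
Added example, not part of any post in this thread: a check for the situation in finding 2 above, where services were turned off but the ports were still being opened. It parses `netstat -ano` output and groups listeners on the RPC, NetBIOS and SMB ports by owning PID. The port list uses the standard assignments (only 135 is named in the thread), the sample output is constructed, and `watched_listeners` is a hypothetical helper name.

```python
import subprocess
import sys

# Ports tied to the services discussed in the thread (standard assignments).
WATCHED = {
    ("TCP", 135): "RPC endpoint mapper",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service",
    ("TCP", 445): "SMB direct over TCP",
}

# Constructed sample in the layout `netstat -ano` prints on Windows.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49712     192.0.2.25:443         ESTABLISHED     3104
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    192.168.1.10:137       *:*                                    4
  UDP    192.168.1.10:138       *:*                                    4
  UDP    0.0.0.0:5353           *:*                                    1520
"""


def watched_listeners(netstat_text):
    """Return {pid: sorted ["PROTO/port", ...]} for listeners on WATCHED ports."""
    by_pid = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header and blank lines
        proto, local, pid = fields[0], fields[1], fields[-1]
        # TCP rows carry a state column; UDP rows do not and are always bound.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        port = int(local.rpartition(":")[2])  # handles 1.2.3.4:445 and [::]:445
        if (proto, port) in WATCHED:
            by_pid.setdefault(int(pid), set()).add(f"{proto}/{port}")
    return {pid: sorted(ports) for pid, ports in by_pid.items()}


if __name__ == "__main__":
    text = SAMPLE
    if sys.platform == "win32":  # live data on Windows, constructed sample elsewhere
        text = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    for pid, ports in sorted(watched_listeners(text).items()):
        print(f"PID {pid}: {', '.join(ports)}")
```

PID 4 is the System process; for any other PID, `tasklist /svc /fi "PID eq <pid>"` lists the services hosted in that process. Running the check before and after a change shows whether the listeners actually went away.
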
secured655

secured655 to The Snowman

Anon

to The Snowman
Sorry, there was a tech glitch in my previous post (my end). Below the link should read:

It will show how filesharing can be used through a router to connect to a remote share (on the internet).

And in general, the advice on this subject related to turning off un-needed services to enhance a system's security. Most services have vulnerabilities both patched and un-patched.
If you Need these services, then the advice does not apply.
OZO
Premium Member
join:2003-01-17

OZO to rcdailey

Premium Member

to rcdailey
rcdailey, you said that you want to try disabling NetBIOS on your LAN? Here are a couple of things you have to prepare:

• name resolution. It could be done using a local DNS server, a DNS service from your NAT router (some offer DNS support and I, e.g., use it in my setup) or simply specify host names in local hosts files

• to see shared resources in My Network Places you may want to add them manually using Add Network Place wizard (or any other way). Keep in mind that that place will not be populated with computer names automatically if you disable NetBIOS.

After you have made those preparations, there are no differences (from the user's perspective, of course) between a setup using NetBIOS and a setup without it.