‘Closing down Windows NT NetBIOS services’

Summary

‘Windows NT comes with its NetBIOS services started by default; these services (among other things) provide the file sharing service, remote management and more. These services should be disabled when connecting a Windows NT machine to the Internet, since they pose a security threat. The following article will try to explain how to disable these services from running without installing any expensive hardware (please notice, that this does not mean that you are safe: far from it! Many other holes exist in Windows NT that can be used to compromise your system).’

Credit:

‘The following Microsoft article explains which services are needed in order to run a secure IIS:
http://support.microsoft.com/support/kb/articles/Q189/2/71.ASP
Microsoft Internet Information Server 4.0 Security Checklist can be downloaded from:
http://www.microsoft.com/security/products/iis/CheckList.asp
Additional methods for blocking NetBIOS were provided by Eric.’


Details

‘There are a few simple ways to disable NetBIOS on a Windows NT machine (note that disabling NetBIOS on a Windows NT machine, will cause it to stop sharing any resources – files, registry, etc).

1) This method uses Windows NT’s built-in TCP/IP network security feature, where an administrator defines which ports she wishes to block. By examining the TCP/IP properties under the Network Configuration in the Control Panel, you’ll find the security settings. The dialog box is located on the IP Address tab under the Enabled Security section. Keep in mind that when you block ports using this feature, the ports remain blocked until you re-adjust the settings. To block NetBIOS, deny incoming access to TCP ports 135, 137, and 138, as well as UDP port 139.

2) This method stops the ‘Server’ service. The Server service is necessary for NetBIOS functionality, and when that service is not running, NetBIOS is not available. The Server service is not required to run an Internet Information Server (IIS) Web server or many other servers you might expose to the Internet. The only limitation in stopping the Server service is that you can no longer access that machine’s resources using NetBIOS-based tools such as NT Explorer or User Manager. To use such tools, you simply start the Server service for the required time period and then stop the service when you’re done managing the server over NetBIOS.

3) IPSecurity Filtering (Has nothing to do with IPSec)
Located: Control Panel – Administrative Tools – Local Security Policy – IPSecurity Policies

Define a rule for destination ports tcp 139 and 445 from any source port / source address to ‘My IPAddress’. Create and assign a blocker rule to this filter.
TCP ports 139 and 445 will not respond to a port scan. Filters are granular per protocol, and source and destination ports and addresses.

4) Unbind File and Printer Sharing for Microsoft Networks
Located: Control Panel – Network – Advanced (from menu bar) – Advanced Settings
Select Network Card to unbind NetBIOS – Uncheck File Sharing for Microsoft Networks
This will disable all incoming requests to tcp 139 and 445′

Categories: Windows