Securing Windows 2000 Server
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Appendix C: Disabling NetBIOS on Servers in Untrusted Networks
This appendix discusses a recommendation specifically for servers located in untrusted networks, for example publicly accessible Web servers or mail gateways. None of the servers in the Contoso scenario were located in the perimeter network, so the steps recommended in this appendix were not performed on any of them. If you have servers located in an untrusted network, you should consider implementing the changes that follow, but test them thoroughly and be certain that you understand the difficulties that disabling NetBIOS and SMB creates for managing the computers.
Servers in the perimeter network should have all unnecessary protocols disabled, including NetBIOS and server message block (SMB). Web servers and DNS servers do not require NetBIOS or SMB. Both protocols should be disabled to counter the threat of user enumeration. User enumeration is an information-gathering technique in which an attacker collects system-specific details (account names, group memberships, shares, trust relationships) in order to plan further attacks.
The SMB protocol will return rich information about a computer even to unauthenticated users using "null" sessions. The information that can be retrieved includes domain and trust details, shares, user information (including groups and user rights), registry keys, and more.
Note Null sessions can be blocked by setting the RestrictAnonymous registry key as described in the "MSBP Security Options" section in Chapter 6, "Hardening the Base Windows 2000 Server."
Disabling NetBIOS is not sufficient to prevent SMB communication, because SMB does not depend on NetBIOS: Windows 2000 also carries SMB directly over TCP port 445 (referred to as SMB direct host), with no NetBIOS layer at all. As a result, explicit steps must be taken to disable both NetBIOS and SMB separately.
NetBIOS uses the following ports:
UDP/137 (NetBIOS name service)
UDP/138 (NetBIOS datagram service)
TCP/139 (NetBIOS session service)
SMB uses the following ports:
TCP/445 (SMB direct host)
UDP/445 (SMB direct host)
On servers accessible from the Internet, you should disable SMB by uninstalling File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks from the Properties dialog box of the Internet-facing connection in Network and Dial-up Connections.
To disable SMB
On the Start menu, point to Settings, and then click Network and Dial-up Connections.
Right-click the Internet-facing connection, and then click Properties.
Select Client for Microsoft Networks, and then click Uninstall.
Follow the uninstall steps.
Select File and Printer Sharing for Microsoft Networks, and then click Uninstall.
Follow the uninstall steps.
To disable NetBIOS over TCP/IP
Right-click My Computer on the desktop, and then click Manage.
Expand System Tools, and then select Device Manager.
Right-click Device Manager, point to View, and then click Show hidden devices.
Expand Non-Plug and Play Drivers.
Right-click NetBios over Tcpip, and then click Disable.
This procedure disables the SMB direct host listener on TCP/445 and UDP/445.
Note This procedure disables the NetBT driver (netbt.sys) itself. The WINS tab of the Advanced TCP/IP Settings dialog box also contains a Disable NetBIOS over TCP/IP option, but selecting it only removes the NetBIOS over TCP/IP listeners (UDP 137, UDP 138 and TCP 139) from that adapter. It does not disable SMB, which continues to listen on TCP port 445. To disable SMB completely, perform the steps in this procedure.
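After performing both procedures, verify on the server that the listeners are actually gone rather than trusting the dialog boxes. The following script is an added example, not part of the original appendix: it parses the output of netstat -an (run on the Windows 2000 server, or captured and copied to an administrator's workstation) and reports which NetBIOS or SMB endpoints are still open. The three netstat snapshots embedded below are constructed for illustration, not captured from a real host; the second one shows the state this note warns about, where only the WINS-tab option was used and TCP/UDP 445 remain open.

```python
"""Check netstat -an output for NetBIOS and SMB listeners that should be gone.

Added example for this appendix; the sample netstat snapshots are constructed.
"""
import re

# Endpoints the appendix says must be closed on an Internet-facing server.
NETBIOS_PORTS = {
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service",
}
SMB_DIRECT_PORTS = {
    ("TCP", 445): "SMB direct host (TCP)",
    ("UDP", 445): "SMB direct host (UDP)",
}

# One netstat -an line, e.g.
#   TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
#   UDP    0.0.0.0:137            *:*
# Header lines ("Active Connections", "Proto ...") do not match and are skipped.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_endpoints(netstat_output):
    """Return the set of (proto, port) pairs that have an open local endpoint.

    A TCP line counts only in the LISTENING state (ESTABLISHED lines are
    existing sessions, not listeners). UDP has no listen state, so any bound
    UDP socket counts.
    """
    open_eps = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _local, port, _remote, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        open_eps.add((proto, int(port)))
    return open_eps


def check_exposure(netstat_output):
    """Map 'netbios' / 'smb_direct' to the names of listeners still open.

    An empty dict means both procedures in this appendix took effect.
    """
    open_eps = listening_endpoints(netstat_output)
    findings = {}
    for ep, name in NETBIOS_PORTS.items():
        if ep in open_eps:
            findings.setdefault("netbios", []).append(name)
    for ep, name in SMB_DIRECT_PORTS.items():
        if ep in open_eps:
            findings.setdefault("smb_direct", []).append(name)
    return findings


# Constructed snapshots (RFC 5737 test addresses), not captured from a real host.
NETSTAT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         192.0.2.20:1045        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
"""

# Only the WINS-tab "Disable NetBIOS over TCP/IP" option was used: 445 remains.
NETSTAT_WINS_TAB_ONLY = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

# Both procedures applied: only the Web listener is left.
NETSTAT_AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
"""


def report(label, netstat_output):
    """Return a one-line summary for a snapshot."""
    findings = check_exposure(netstat_output)
    if not findings:
        return "%s: no NetBIOS or SMB listeners" % label
    parts = ["%s=%s" % (k, ", ".join(v)) for k, v in findings.items()]
    return "%s: STILL EXPOSED (%s)" % (label, "; ".join(parts))


if __name__ == "__main__":
    for label, snap in (("before", NETSTAT_BEFORE),
                        ("wins-tab-only", NETSTAT_WINS_TAB_ONLY),
                        ("after", NETSTAT_AFTER)):
        print(report(label, snap))
```

This confirms the state of the server itself; the complementary check from outside is a port probe of 137/138/139/445 from a host on the untrusted side, which should fail to connect once both procedures have been applied.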
Once both are disabled, no computer will be able to connect to the server through SMB, the server will be unable to access folders shared on the network, and many management tools that rely on SMB (for example, those that connect over named pipes) will be unable to connect to the server.