Security information for WINS

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 8 Beta

It is important to follow best practices for security when using WINS servers on your network. For more information, see Best practices for security.

The following are known security issues for WINS and related protocols:

  • The NetBIOS naming protocol is an unauthenticated protocol.

    Although the NetBIOS naming protocol can be used with network protocols other than TCP/IP, WINS was designed specifically to support NetBIOS over TCP/IP (NetBT).

    When a user connects to the network, the user is not required to provide credentials before using NetBT or requesting a name service from WINS servers. Malicious users with physical access to the WINS-enabled network can instigate a denial-of-service attack on WINS servers by sending many name resolution or name registration requests to the server, thereby depleting the ability of the WINS server to service requests from other, non-malicious clients.

    Recommendations:

    • Ensure that unauthorized persons do not have physical or wireless access to your network.

    • Enable WINS logging in the event log. When Log detailed events to Windows event log is selected, WINS logs additional detailed information to the system event log, which allows you to monitor events on the WINS server. For more information, see Modify WINS logging properties and Event Viewer overview.

    • Monitor the system event log for burst handling events. Burst mode is enabled by default. If you have disabled burst handling, enable it. The following event messages are logged for name refresh requests by WINS clients:

      • WINS 4338: The WINS server started the burst handling of incoming requests. WINS does this to handle a sudden increase of incoming requests. WINS will also log an event indicating when the burst handling stops. If you see this event frequently, you may want to upgrade the WINS server to a faster computer. You can also try to adjust the burst handling count using the WINS Manager tool.

      • WINS 4339: The WINS server completed the burst handling of incoming requests because the queue length became a quarter of what it was when burst handling began.

      You can also use Event Viewer when you suspect that server performance might be degraded due to an attack. For more information, see Modify burst handling properties.

    • Use Network Monitor if you suspect an attack on your WINS server. You can use Network Monitor to detect networking problems by capturing and viewing the frames (or packets) that a computer receives or sends on a local area network (LAN). When you view incoming packets, you can discover essential information about an attacker, including the IP address of their computer. For more information, see Network Monitor.
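The following PowerShell script is an added example, not part of the original page or a Microsoft tool: it pulls the WINS 4338/4339 burst-handling events described above from the System log and pairs each start with its stop so you can see how often and how long the server was under a request flood. It assumes the WINS service writes these events under the provider name WINS and that the script runs with rights to read the System log on the target server.

```powershell
# Added example: report WINS burst-handling episodes (event 4338 = start, 4339 = stop)
# from the System event log. Provider name 'WINS' is an assumption; adjust if your
# server logs under a different source name.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'WINS'
    Id           = 4338, 4339
    StartTime    = (Get-Date).AddHours(-$Hours)
}

$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
              -ErrorAction SilentlyContinue | Sort-Object TimeCreated)

if ($events.Count -eq 0) {
    Write-Output "No burst-handling events on $ComputerName in the last $Hours hours."
    return
}

# Pair each 4338 (burst began) with the next 4339 (burst ended) to get the duration.
$episodes = @()
$start = $null
foreach ($e in $events) {
    if ($e.Id -eq 4338) {
        $start = $e.TimeCreated
    }
    elseif ($e.Id -eq 4339 -and $start -ne $null) {
        $episodes += [pscustomobject]@{
            Started  = $start
            Stopped  = $e.TimeCreated
            Duration = $e.TimeCreated - $start
        }
        $start = $null
    }
}

$episodes | Format-Table -AutoSize

# A burst that started but never logged 4339 is still in progress (or the server died).
if ($start -ne $null) {
    Write-Warning "Burst handling started at $start and has not completed."
}
# Frequent bursts are the page's cue to capture traffic with Network Monitor.
$starts = @($events | Where-Object { $_.Id -eq 4338 }).Count
if ($starts -gt 5) {
    Write-Warning "$starts burst-handling episodes in $Hours hours; capture traffic to find the source."
}
```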

  • WINS database and log files are not protected if you move them from the default location.

    The default location of the WINS database and log files is the systemroot\System32\Wins folder. By default, the access control list on the Wins folder provides the best security for the WINS database and log files. The access control list is a list of users and groups that can access the folder. In addition, each object (user or group) is assigned specific permissions that dictate what actions the object can perform. For more information, see Access Control.

    If you change the location of the WINS database files, the new folder location is not protected by the proper access control list by default, thereby creating a security risk. The same is true when you configure a WINS database backup path. The folder you create when you designate the backup path is not protected by the proper access control list by default, and a security risk is created.

    Recommendations:

    • If you move the WINS files to another folder or create a new folder for backup files, create an access control list for the new folders that contains only the Local System account and the Administrators group. In addition, ensure that the new folder does not inherit unwanted permissions from any folder above it in Windows Explorer.

    • Do not store WINS files in a personal folder (My Documents or My Pictures) or in a subfolder of a personal folder.

    • Store WINS database and backup files on a computer that is physically secured and protected from unauthorized access.

    • Turn on file auditing for individual WINS files, to track the users and groups that access the files. For more information, see Apply or modify auditing policy settings for a local file or folder.

    • Do not move the WINS files to a remote storage device or map the WINS files to an external drive or storage device for which no access control list can be created. Also, do not move or copy WINS files to an anonymous File Transfer Protocol (FTP) site or any other unprotected location.

    For more information, see Set the WINS database path, Set the WINS database backup path, Modify WINS logging properties, and The WINS database.
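The following PowerShell script is an added example, not part of the original page: it applies the recommendations above to a relocated WINS database or backup folder by removing inherited permissions, granting access only to the Local System account and the Administrators group, and turning on file auditing. The folder path is a placeholder you replace, and the script assumes it runs as an administrator so it can write both the access list and the audit entries.

```powershell
# Added example: harden a non-default WINS database or backup folder.
# $Path is a placeholder, not a path from the page; replace it with your folder.
param([string]$Path = 'D:\WinsData')

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# -Audit is needed so the SACL (auditing entries) is read and can be written back.
$acl = Get-Acl -Path $Path -Audit

# Stop inheriting from parent folders and do not keep the inherited entries,
# so the folder cannot pick up unwanted permissions from a folder above it.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit entries that were already on the folder.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# Only Local System and Administrators, as the page recommends.
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', $inherit, $prop, 'Allow')
    $acl.AddAccessRule($rule)
}

# Audit successful and failed access by anyone, so use of the files is tracked.
# Audit events only appear once the "Audit object access" policy is enabled.
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'FullControl', $inherit, $prop, 'Success, Failure')
$acl.AddAuditRule($audit)

Set-Acl -Path $Path -AclObject $acl

# Verify: the resulting access list should name only the two intended identities.
$actual = (Get-Acl -Path $Path).Access |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
Write-Output "Identities with access to ${Path}: $($actual -join ', ')"
```

Run the check at the end again after moving the database or setting the backup path, since the WINS service creates files in the folder and those should inherit only these entries.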

  • Name records for mission-critical servers can be overwritten, causing network traffic to be redirected.

    If a computer connected to the network has the same NetBIOS name as a mission-critical server, such as a domain controller, Web server, or email server, its registration can overwrite the WINS name records of the mission-critical server with a different and incorrect IP address. This can occur when:

    • The original owner of the record is unresponsive, such as when the server is rebooting, the server is disconnected from the network, or when a denial of service attack is being performed against the server.

    • The original record was registered dynamically.

    When this occurs, the mission-critical server name maps to a different IP address, and all of the traffic that was intended for that server is redirected to the new computer, which might be operated by a malicious user.

    Recommendation:

    • Use static WINS entries for mission-critical servers to prevent other computers from taking over the use of the name of a critical server. Static WINS entries also prevent other computers from appending additional IP addresses to the name record of a mission-critical server or domain. For more information, see WINS Best Practices, Using static mappings, and Add a static mapping entry.

Additional recommendations

Before you install and configure WINS for your network, consider:

  • Restricting who can enable, configure, and disable WINS.

    You must be a member of the Administrators group to change configuration information on WINS servers using the WINS console or the netsh wins commands. Restrict the membership of the Administrators group to the minimum number of users necessary to administer the server.

    If there are users who need read-only access to the WINS console, add them to the WINS Users group instead of to the Administrators group. WINS Users can search for WINS records and view replication partners and other configuration information, but they cannot change settings on the WINS server. For more information, see WINS tools, Finding and viewing WINS records, and View WINS Records.