Is it time to get rid of NetBIOS?

Discussion in 'other security issues & news' started by MrBrian, Jan 24, 2012.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From https://isc.sans.edu/diary.html?storyid=12454:
     
  2. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    NETBIOS is still needed for File and Printer Sharing. Also, it allows finding things by NETBIOS name, and some router manufacturers use that to allow people to reach their device. That said, I don't use File and Printer sharing, I use 'sneaker net', so no NETBIOS in my network.

    I haven't figured out if Win7's HomeGroup uses NETBIOS or not. Hopefully it is a clean break from that old protocol.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Immediately disabled after installing Windows along with a few other unused services. I have 0 use for these services and I've read enough exploits that use them.
     
  4. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Actually disabling the NetBIOS service doesn't entirely disable it, you need to disable it on a per-connection basis also. That involves going into your advanced connection properties for IPv4 and selecting "Disable NetBIOS over TCP/IP" in the "WINS" tab.

    I wouldn't know of the possible negatives this would cause as I don't share anything over my network. Though I have been considering setting up a data server (Windows Server 8 looks awesome) for the house with network storage so I may find out at some point, hopefully it doesn't break anything.
     
  5. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    There is no security breach Enabling NetBIOS over TCP/IP

    What an shame that some of these legendary techies do not understand or take advantage of an shared network.

    Some of these legendary techies preach how people of lower experience and intellegence of their own should harden
    their operating systems by disabling 'necessary' services and install horse release software while allowing their
    fingers to run wild over the keyboard spewing out information that is legendary only in their own minds.

    For example, Microsoft provides an secure way for both experienced and inexperienced computer users the privalage
    of instant File and Printer Sharing right out of the box via the NetBIOS over TCP/IP that works in conjunction with
    the Computer Browser Service.

    Disabling NetBIOS over TCP/IP will break File and Printer Sharing and the Computer Browser Service.

    The Computer Browser Service is responsable for populating the My Network Places with the shared resources.

    Enable the built-in security features of the Microsoft Windows Operating System including Automatic Updates and
    enjoy the privalege of freedom while preserving the virginity of the operating system.

    Installing foreign files into the operating system is the first breach in security.

    For some, enjoying freedom for the first time by sharing files and printers across an shared network would enlighten
    with astonishment to one of the things the operating system is actually capable of doing.

    Todays households exist more than one computer, phone, television, all of which can share information across an
    shared network.....it is the wave of the future that is passing by the legendaries locked up in an sandbox.


    HKEY1952
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It's been shown time and time again to have vulnerabilities.
    https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP#Security_vulnerabilities

    A simple wikipedia search will show you that much.

    I have absolutely 0 need for this as I don't print from this computer or try to communicate with any other devices.

    Even if it weren't known to be exploited I'd shut it off because it's just not necessary for me and the fact is that any running code is prime attack surface that I just don't need.

    You mentioned the Computer Browser service (another one I immediately shut off) interestingly enough I was actually taught to shut it off in preparation for the CompTIA Security+ test lol

    It's actually almost comical how many times that service has been exploited.

    HKEY, no clue what half of your message was even trying to get at but, yes, the NetBIOS service has been exploited (and yes I am legendary.)
     
    Last edited: Jan 25, 2012
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't see this option but I have ports 137,8,9 all blocked on my firewall.
     
  8. guest

    guest Guest

    I always disable NetBIOS as well. Sharing can be done though the wireless N router when needed, I always prefer buying devices that support this sort of connection.
     
  9. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,790
    I think HKEY1952 and elapsed are refering to this. All built-in. Screenies from WinXP

    NETBIOS-netwProperties.png

    NETBIOS-WinFirewall.png

    Every adapter can be so setup, wired, wireless, whatever.
    In Windows firewall, Custom list is handy on wireless in case someone jumps on your network.

    Firewall rules for restrictions also help, of course.
     
    Last edited: Jan 25, 2012
  10. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Thanks, I was too lazy to take screenshots :D Though I don't bother with the ports, mainly because Windows Firewall on public mode blocks it.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Thanks - I missed the "Advanced" button in my settings. All set now.
     
  12. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    In most situations, the network is not the resource at risk; rather, it is the endpoints of the network that are threatened. There will be bugs, either in the network programs or in the administration of the system. It is this way with computer security: the attacker only has to win once. It does not matter how thick are your walls, or how lofty your battlements; if an attacker finds one weakness your system will be penetrated. Unfortunately, that is not the end of your woes.
     
  13. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    As depicted in Post #9 with the screen shots by act8192, thank you act8192, that whole ball of wax is the security
    shell for NetBIOS over TCP/IP.


    That whole ball of wax is further protected by the operating systems security model for file and printer sharing
    referred to as: 'Simple File Sharing'.

    Simple File Sharing activates the 'Guest Account' in the background with the default guest account settings insuring
    the security of the network. The guest account default settings exists 'Read and Write' NTFS Permissions only and
    the guest account can not access no other parts of the operating system such as the Windows Directory.

    The guest account activated in the background by simple file sharing should not, and must not, be confused with the
    'Guest Account' log on at the keyboard with the Microsoft Windows Log On Screen. For security reasons the
    locally-logged-on 'Guest Account' should be Disabled.

    In an nutshell, Simple File Sharing, when enabled, and is enabled by default, mitigates, or in simpler terms, lowers
    NetBIOS over TCP/IP to an submissive state under the authority of the 'Guest Account' and 'Windows Firewall'
    in four ways:

    01) Simple File Sharing treats anyone attempting to use shared resources over the network as an 'Guest'.

    02) Simple File Sharing enables the 'Guest Account' in the background for Network Use Only, with read and optionally
    write access. One can separately activate the 'Guest Account' as an locally-logged-on User, however,
    the locally-logged-on 'Guest Account' is Disabled by Default.

    03) Simple File Sharing removes 'Everyone' from the NTFS Permissions Lists for access to the hard disk drives Root
    Folder and the Windows Directory. That action renders only authorized locally-logged-on users access to most of the
    hard disk drive, and most importantely, the Microsoft Windows Directory. When folders are shared, Microsoft Windows
    automatically applies the correct NTFS Permissions to the shared folder so that 'Everyone', for example 'Guest', can
    read and optionally write to the shared folders only.

    04) Simple File Sharing insists that the Windows Firewall be enabled and mitigates, or lowers, NetBIOS over TCP/IP
    with an Inbound Firewall Rule restricting NetBIOS over TCP/IP communications to the 'Subnet' of the network only.
    In other words, NetBIOS over TCP/IP mitigated, or lowered, to the 'Subnet Only' with the Windows Firewall Inbound
    Deny Rule for File and Printer Sharing having the Scope to Allow Inbound Communications for 'Subnet Only', restricts
    communications with shared resources to the Local Area Network Only, voiding/blocking any Wide Area Network attempts
    to the local shares.

    Without an inbound firewall deny rule in place, everyone on the Internet will have the same rights to the shared
    resources as the locally-logged-on user, and those rights are: read and optionally write. However, while anybody
    with access to the network can access the shared resources, the damage an intruder, or an careless locally-logged-on
    user can do, is limited to stealing or modifying only the files that are known to be public. The Root Folder of any
    and all hard disk drives, the Windows Directory, and any other files and folders outside of the shared folders are
    not public, and not shared, and therefore not accessable.

    Even if an Administrative User with Full Administrative Rights attempts to access an shared folder FROM another
    computer on which that Administrator also has/uses the same Username and Password, that Administrative User will not
    be granted full rights to the shared resources as that Administrative User would have locally. In other words, that
    Administrative User will be treated like anyone else.....an 'GUEST'.....only with read and optionally write access
    in regards to file and printer sharing with remote computer shares.

    Finally, the handy whole-drive administrative shares such as "C$" do not work with the Simple File Sharing Model.


    HKEY1952
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.