NPF 2003. rule for "default outbound NETBIOS"

Discussion in 'other firewalls' started by HandsOff, Jul 3, 2004.

Thread Status:
Not open for further replies.
  1. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    I have never changed the rules that NPF established, directly at least, but I decided to take a look at the rules just to see if they made sense. I question the rule that says:

    Default outbound NETBIOS - Permit.

    I don't really know what NETBIOS is; however, vaguely I recall there are some security concerns with it. I took a look at my services.msc to see how it was handling "TCP/IP NetBIOS Helper" and it is set to Manual Start, and currently, as I write this, the process is not Started. Now, at one time I went through all of the services in services.msc and thought I disabled everything that it was appropriate to do so to. However, I checked on the famous Black Viper site and he seems to suggest it could be disabled, and services does not list any dependencies for it.

    2 QUESTIONS:
    - Should I change the firewall rule from Permit to Block?
    - Should the TCP/IP NetBIOS service be disabled?

    And 3, I guess... did I include enough information to answer the question?

    By the way, I use Comcast cable to connect to the internet, if that helps.


    Looking forward to some info!

    -HandsOff
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi HandsOff

    Is your system standalone with no need for file and printer sharing?

    If the answer is yes:

    You can change the rule to block and enable logging.

    The TCP/IP NetBIOS Helper service can be disabled along with NetBIOS in your network properties, Internet Protocol (TCP/IP), for your adapter.

    Regards,

    CrazyM
     
  3. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Thanks for the information. I will change the firewall rule (I am not sharing resources. Soon I will be sharing the connection - will that matter?)

    For the other, if it is just as effective I would prefer to disable the TCP/IP NetBIOS service helper with services.msc. My reasoning is that I do look at it once in a while and am more likely to notice if it somehow gets restarted. It doesn't happen every day, but somehow services do manage to get mysteriously changed... well, mysterious to me, anyways.


    -HandsOff
    (Lucky in computers, unlucky in...)
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Once you are sharing your connection, if you decide to share other resources such as printers, you will need to make some adjustments in your rules.

    Disabling the helper service does not disable NetBIOS if it is enabled on your system. A simple netstat -a will determine this. If it is, you will see your system listening on TCP 139 and UDP 137/138. To disable it you will need to go into your network properties, Internet Protocol (TCP/IP), Advanced, for your adapter and uncheck it.

    Regards,

    CrazyM
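The netstat -a check CrazyM describes above, worked through as an added example (this script is not from the thread or from any poster). It parses constructed Windows netstat -a output, resolves the service names that netstat prints in place of port numbers (netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds, taken from the standard services file mapping), and reports which NetBIOS/SMB sockets are actually bound: TCP sockets only count when in LISTENING state, while a UDP socket is bound as soon as it is shown. The hostname "mybox" and the sample lines are constructed.

```python
"""Flag NetBIOS/SMB sockets in the text output of `netstat -a`.

Added example: run this on a file containing `netstat -a` output
(python netbios_check.py < netstat.txt) or import it and call
netbios_exposure(text). Nothing here is the forum's or NPF's own code.
"""
import sys

# Service names Windows netstat substitutes for these port numbers
# (standard services-file names; the numbers are the ones the thread
# discusses: UDP 137/138, TCP 139 and TCP 445).
SERVICE_PORTS = {
    "netbios-ns": 137,    # NetBIOS name service
    "netbios-dgm": 138,   # NetBIOS datagram service
    "netbios-ssn": 139,   # NetBIOS session service
    "microsoft-ds": 445,  # SMB directly over TCP
}

# (protocol, port) pairs that indicate NetBIOS/SMB is still reachable.
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


def parse_netstat(text):
    """Return (proto, host, port, state) tuples from `netstat -a` text.

    Header lines and sockets whose port is an unknown service name are
    skipped; the state column is empty for UDP, which has none.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue  # "Active Connections", column header or blank line
        proto = parts[0].lower()
        host, _, port_field = parts[1].rpartition(":")
        if port_field in SERVICE_PORTS:
            port = SERVICE_PORTS[port_field]
        elif port_field.isdigit():
            port = int(port_field)
        else:
            continue  # some other named service; not resolvable offline
        state = parts[3] if len(parts) > 3 else ""
        entries.append((proto, host, port, state))
    return entries


def netbios_exposure(text):
    """Return the sorted (proto, port) NetBIOS/SMB sockets that are bound."""
    found = set()
    for proto, _host, port, state in parse_netstat(text):
        if (proto, port) not in NETBIOS_PORTS:
            continue
        if proto == "tcp" and state != "LISTENING":
            continue  # e.g. TIME_WAIT leftovers are not an open listener
        found.add((proto, port))
    return sorted(found)


# Constructed sample in the layout Windows XP-era netstat -a prints.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    mybox:microsoft-ds     mybox:0                LISTENING
  TCP    mybox:1025             mybox:0                LISTENING
  TCP    mybox:netbios-ssn      mybox:0                LISTENING
  TCP    mybox:1054             www.example.com:http   ESTABLISHED
  UDP    mybox:netbios-ns       *:*
  UDP    mybox:netbios-dgm      *:*
"""


def report(text):
    """Human-readable summary; returns the list so callers can act on it."""
    exposed = netbios_exposure(text)
    if not exposed:
        print("No NetBIOS/SMB sockets bound.")
    for proto, port in exposed:
        print(f"NetBIOS/SMB still bound: {proto.upper()} {port}")
    return exposed


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    report(data)
```

If the list is empty after unchecking NetBIOS over TCP/IP on the adapter, the change took effect; if TCP 139 or UDP 137/138 still show up, the helper service was stopped but the protocol itself is still bound, which is exactly the distinction made in the post above.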
     
  5. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Not necessarily. I have a three (or is it four? I need to go downstairs and check! :) ) local LAN here and we share files and printers (we even have a network storage device!). We've got a Win 98 SE box, Win 2000 Pro, and a Win XP Home Edition machine at the present. (I think the mysterious fourth PC may be Win ME, but I'm not sure about that one.) We also share an internet connection. Initially, we used Microsoft's ICS (through this very machine as a matter of fact) for shared access to the Internet. Now we use a fairly inexpensive NAT router.

    NetBIOS is disabled on all of these machines, but I must admit that NetBEUI is enabled. NetBEUI is not routable, so in one sense that's a bit better. (It's not installed by default on Win XP, but you can generally find the necessary drivers somewhere on your Win XP CDs. I've just forgotten exactly where.)

    I'm not sure that even that is necessary any more. I'm now (after six months) sufficiently confident of the protection provided by the NAT router, so I probably could live quite well and with no ill effects, even if I disabled NetBEUI. (And NetBEUI is not going to be available at all in Microsoft's next OS.) Still, we have access to the three printers (all different) on the various PCs and also to the Network Storage Device that we use for backup.

    So, no, bottom line is that you're not going to have any problems as a consequence of disabling NetBIOS.
     
  6. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hi CrazyM, I'm glad I asked that question because I would have made a big mistake thinking that disabling the service would disable NetBIOS. I did a netstat -a, as you suggested, and it was clear that NetBIOS was active, although not as clear as one might like. For one thing, neither the TCP nor the UDP actually listed the specific port numbers, and only TCP was listed as "listening", though I believe that is simply the semantics where they only label TCP as "listening". I just downloaded the trial of Diamond CS - Port Explorer. It is obviously a very powerful tool, though I do think it is ironic that netstat only gives you the name netbios to identify the port, and Port Explorer only gives you the port numbers. Oh, well, probably most people who use it know these ports by heart. On the other hand, people who don't are a much bigger market, so they may change that somewhere down the road, who knows? Again, thanks for the info. As is too often the case, I had a few pieces of the puzzle but not enough to see the big picture.

    -HandsOff
     
  7. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    ...Reply to JVMorris:

    Actually, all we will be sharing is the connection. We will be using a Netgear router with NAT and some firewall capabilities built in. I know that many people think of sharing printers and so on as a nice feature, but frankly I run a tighter ship internet security-wise than the other users, so I don't want to be networked with them in the truest sense. It would be nice to be able to send (share?) large files, but I'll probably stick to the old-fashioned way - burning CDs and DVDs and walking over to the other computer.

    In fact, to be perfectly honest, I'm not even able to keep out hackers on the internet at large. I would have to feel that I have that down before I am going to take on the added risks of others on a local network. Worse still, by the time I do figure it out, it will be time to trash XP and go to the next O/S!

    -HandsOff
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    In NIS/NPF if you go to View Statistic there is a section called Network Connections which will give you similar information.

    Regards,

    CrazyM
     
  9. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    I completely missed seeing the port numbers in the statistics in NPF. That screen is so packed and the column so narrow that, for instance, under the Local column heading "Localhost 1025" was displayed as "Local...". So I saw that they identified the executable, but did not see that they specified the port. Now, I finally get it! That is very good to know!

    BTW, I followed up on another "Listening" port that I noticed on Port Explorer's colorful screen: port 445. From what I could piece together, it could be considered to be related to NetBIOS and regarded as something to disallow. I stumbled on a website that gave a registry edit that would shut it down. I am quite pleased that it worked!

    I doubt that there was any malware activity responsible for 137, 138, 139, and 445 listening, however, it just makes sense not to have a bunch of ports open.

    Another thing I noticed was Adobe Acrobat "listening" when I am viewing an e-book! Again, maybe there is no harm, but why why why does Acrobat have to listen for anything when the entire e-book is on my hard drive? I just don't get it! Well, one thing at a time.

    Thanks for the good information.

    -HandsOff
     