Security Basics mailing list archives

RE: Blocking NetBios


From: "whirlow" <admin () whirlow plus com>
Date: Fri, 11 Jun 2004 21:38:37 +0100


To follow on a bit from the other posts regarding your issue: assuming
that your client's network is solely running Win 2k/XP, you could use the
following, as there are four default ways to block NetBIOS on a Windows
2000 system.


1) IPSecurity Filtering (Unrelated to IPSec)
Located: Control Panel - Administrative Tools - Local Security Policy - IPSecurity Policies
Use: Define a rule for destination ports tcp 139 and 445 from any source port / source address to 'My IP Address'. Create and assign a blocker rule to this filter.
Pro: Ports 139 and 445 will not respond to a port scan. Filters are granular per protocol, and per source and destination ports and addresses.
Con: Tricky to set up the first time. Blocker rule must be manually defined.
Reboot Required?: NO

2) Advanced TCP/IP Filtering
Located: Control Panel - Network - Internet Protocol (TCP/IP) Properties - Advanced - Options - TCP/IP Filtering Properties
Use: Permit Only specific protocols. Do not permit tcp (protocol 6) ports 139 or 445.
Pro: Ports 139 and 445 will not respond to a port scan.
Con: Permit Only mechanism means you have to specify each allowed protocol, including RPC ports. (Also: ICMP will be permitted even if you specify 'permit only' and leave the permitted fields blank.)
Reboot Required?: YES


3) Disable NetBIOS over TCP/IP (suggested in other posts)
Located: Control Panel - Network - Internet Protocol (TCP/IP) Properties - Advanced - WINS
Use: Click the radio button "Disable NetBIOS over TCP/IP".
Pro: tcp 139 will not respond to port scans.
Con: tcp 445 will still accept connections and process NetBIOS.
Reboot Required?: NO
**WARNING: This method gives a false sense of security and should not be used, as tcp 445 is still open and will accept connections**


4) Unbind File and Printer Sharing for Microsoft Networks
Located: Control Panel - Network - Advanced (from menu bar) - Advanced Settings
Use: Select the network card to unbind NetBIOS from - uncheck File and Printer Sharing for Microsoft Networks.
Pro: Will disable all incoming requests to tcp 139 and 445.
Con: tcp 139 will appear on a port scan, but will not respond to requests.
Reboot Required?: NO


I find options 1 and 4 preferable depending on requirements.
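An added audit script (not part of the original post) that checks a host for the states described above: whether NetBIOS over TCP/IP is disabled per interface (option 3), whether File and Printer Sharing is still bound (option 4), and whether tcp 139 and 445 are actually listening. It assumes a modern Windows host (Windows 8 / Server 2012 or later) with PowerShell 3+, since the Get-NetTCPConnection and Get-NetAdapterBinding cmdlets do not exist on Windows 2000.

```powershell
# Added example, not from the original post. Assumes PowerShell 3+ on Windows 8/2012+.
# NetbiosOptions under each Tcpip_{GUID} key: 0 = default (via DHCP), 1 = enabled, 2 = disabled.
# This is the registry value behind the "Disable NetBIOS over TCP/IP" radio button (option 3).
$netbtPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-NetbtInterfaceState {
    Get-ChildItem -Path $netbtPath | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Interface      = $_.PSChildName    # Tcpip_{GUID}
            NetbiosOptions = $opt
            NetbtDisabled  = ($opt -eq 2)
        }
    }
}

function Get-SmbListeners {
    # Which of tcp/139 (NetBIOS session service) and tcp/445 (direct SMB) are listening right now
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 } |
        Select-Object LocalAddress, LocalPort -Unique
}

function Get-FileSharingBindings {
    # Option 4: "File and Printer Sharing for Microsoft Networks" is component ms_server
    Get-NetAdapterBinding -ComponentID ms_server | Select-Object Name, Enabled
}

$ifaces    = Get-NetbtInterfaceState
$listeners = Get-SmbListeners
$bindings  = Get-FileSharingBindings

$ifaces    | Format-Table -AutoSize
$bindings  | Format-Table -AutoSize
$listeners | Format-Table -AutoSize

# The pitfall the post warns about in option 3: NetBT disabled everywhere, yet tcp/445 still listens.
$allNetbtOff = ($ifaces.Count -gt 0) -and -not ($ifaces | Where-Object { -not $_.NetbtDisabled })
$port445Open = [bool]($listeners | Where-Object { $_.LocalPort -eq 445 })
if ($allNetbtOff -and $port445Open) {
    Write-Warning 'NetBIOS over TCP/IP is disabled, but tcp/445 is still listening: SMB remains reachable.'
}
elseif ($bindings | Where-Object { $_.Enabled }) {
    Write-Output 'File and Printer Sharing is still bound on at least one adapter; tcp/139 and/or tcp/445 will accept connections.'
}
```

Run from an elevated prompt; the Format-Table output shows the per-interface and per-adapter state, and the final warning fires only in the option-3 condition the post describes.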