Penetration Testing mailing list archives

[PEN-TEST] Blocking NetBIOS \ CIFS on Win2K


From: Eric <ews () TELLURIAN NET>
Date: Sat, 14 Oct 2000 17:52:39 -0700

There are four default ways to block NetBIOS \ CIFS on a Windows 2000 system.

1) Advanced TCP/IP filtering
Located: Control Panel - Network - Internet Protocol (TCP/IP) Properties -
Advanced - Options - TCP/IP Filtering Properties
Use: Permit Only specific protocols.  Do Not permit tcp (protocol 6) ports
139 or 445
Pro: ports 139 and 445 will not respond to a port scan
Con: Permit Only mechanism means you have to specify each allowed protocol,
including RPC ports.  (Also: ICMP will be permitted even if you specify
'permit only' and leave the permitted fields blank.)
Reboot Required?: YES

2) IPSecurity Filtering (Has nothing to do with IPSec)
Located: Control Panel - Administrative Tools - Local Security Policy -
IPSecurity Policies
Use: Define a rule for destination ports tcp 139 and 445 from any source
port / source address to 'My IP Address'.  Create and assign a blocker rule
to this filter.
Pro: ports 139 and 445 will not respond to a port scan.  Filters are
granular per protocol, and source and destination ports and addresses.
Con: Tricky to set up the first time.  Blocker rule must be manually defined.
Reboot Required?: NO

3) Disable NetBIOS over TCP/IP
Located: Control Panel - Network - Internet Protocol (TCP/IP) Properties -
Advanced - WINS
Use: Click radio button to "Disable NetBIOS over TCP/IP"
Pro: tcp 139 will not respond to port scans
Con: tcp 445 will still accept connections and process NetBIOS
Reboot Required?: NO
**WARNING: This method instills a false sense of security and should not be
used as tcp 445 is still open and will accept connections**

4) Unbind File and Printer Sharing for Microsoft Networks
Located: Control Panel - Network - Advanced (from menu bar) - Advanced
Settings
Use: Select Network Card to unbind NetBIOS - Uncheck File Sharing for
Microsoft Networks
Pro: Will disable all incoming requests to tcp 139 and 445
Con: tcp 139 will appear on a port scan, but will not respond to requests
Reboot Required?: NO

I like options 2 and 4 - depending upon need.

--eric
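Each of the four methods above is judged by how tcp 139 and 445 look from the network afterwards: "will not respond to a port scan" (methods 1 and 2), "139 still open" (method 3), or "139 appears on a scan but does not answer requests" (method 4). The following script is an added example, not part of Eric's post: run from a second machine against the Windows 2000 host you have just reconfigured, it completes a plain TCP connect to 139 and 445 and classifies each port as open (handshake completed), closed (reset received) or filtered (no answer within the timeout). The host name and the two-second timeout are assumptions chosen for the example; the local listener helper exists only so the classifier can be exercised offline.

```python
import socket
from enum import Enum


class PortState(Enum):
    OPEN = "open"          # TCP handshake completed: something is listening
    CLOSED = "closed"      # RST received: host reachable, nothing listening
    FILTERED = "filtered"  # no answer: dropped by a packet filter


def probe_tcp_port(host, port, timeout=2.0):
    """Classify a single TCP port from the client side.

    A full connect() is used rather than a SYN scan so the result reflects
    exactly what a CIFS client would experience.  Note that with method 4
    (unbinding File and Printer Sharing) tcp 139 still completes the
    handshake, so it reports OPEN here even though the stack will not
    process a session request; the post describes that behaviour.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return PortState.OPEN
    except socket.timeout:
        return PortState.FILTERED
    except ConnectionRefusedError:
        return PortState.CLOSED
    except OSError:
        # e.g. host unreachable: from the client's view there is no answer
        return PortState.FILTERED
    finally:
        sock.close()


def check_netbios_cifs(host, ports=(139, 445), timeout=2.0):
    """Probe the NetBIOS session port and the direct-hosted SMB port."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def start_local_listener():
    """Open a listening socket on an ephemeral loopback port.

    Exists only to demonstrate the OPEN classification offline; returns the
    socket and the port number it was bound to.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Assumed target name; replace with the host you reconfigured.
    target = "win2k-host.example"
    for port, state in check_netbios_cifs(target).items():
        print(f"{target}:{port} -> {state.value}")
```

After applying method 1 or 2 both ports should come back filtered; after method 3 only 139 should change; after method 4 expect 139 open and 445 closed or filtered, matching the Con line of that method. Connection refused on 139 or 445 from a Windows 2000 box usually means the service was never started, which is a different condition from a filter and worth recording separately.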
