RE: File and Printer Sharing still turned on after unchecked...confused :\

["David Gillett" <gillettdavid () fhda edu>]

  Since NetBEUI is an alternative to IP, TCP port numbers cannot
possibly be associated with it....

  These port numbers are used to carry NetBIOS traffic over TCP
and UDP.  NetBEUI is an alternative broadcast-based (and THEREFORE 
local-only) transport for NetBIOS traffic.
  "File and Printer Sharing" are implemented using NetBIOS.  They
are not the only things that use NetBIOS, which is why turning them 
off is not sufficient to turn off NBT (NetBIOS over TCP/IP).

  If you don't need ANY of the services of NetBIOS, you can turn
off NBT completely -- the exact mechanism varies from one Windows
version to the next.

  If you need some of the NetBIOS services, you almost certainly 
don't want them to transit your perimeter.
  If you have a small Ethernet-only LAN (only one subnet), you 
might try to restrict them to local use by installing NetBEUI 
*and making sure all machines are bound to only do NetBIOS that 
way*.  I don't recommend that, because it's hard to be certain 
that every box is doing only what you want, and the fact that 
some stuff is working over NetBEUI can make troubleshooting
TCP/IP issues harder.
  For larger IP-only LANS, your only viable alternative is to 
block these TCP/UDP ports at the perimeter with a firewall or
router access list.  Outbound as well as inbound!

David Gillett


> -----Original Message-----
> From: Rick Kingslan [mailto:rkingsla () cox net]
> Sent: August 4, 2003 19:30
> To: security-basics () securityfocus com
> Subject: Re: File and Printer Sharing still turned on after
> unchecked...confused :\
>
>
> The best way to answer this particular problem is that first, 
> you're not
> alone.  Second, it's very easy to confuse one protocol with 
> another.  Port
> 135, 137, 138, 139 are all associated with NetBIOS and NetBEUI - over
> TCP/IP.  These are documented and standardized (well, as much 
> as Microsoft
> will let them be standardized...;-] ) in IETF RFC 1001 and 1002.
>
> Typically, in a Windows OS, specifically NT and Windows 2000, 
> we'd set the
> option Disable NetBIOS over TCP/IP.  However, be very aware 
> that NetBIOS
> (the API - not a protocol), NetBEUI (this one's a protocol) 
> and TCP/IP are
> very different.  When you remove that check box from 'File and Printer
> Sharing' you've disabled, to some degree, NetBEUI.  However, 
> if you have a
> TCP/IP stack installed - clearly you do - NetBIOS over TCP/IP is still
> viable alive, and quite dangerous.
>
> Do you need to block it with a firewall?  Ummm.  Yeah.  
> Everyone else does -
> if you come up with a better option, we're all going to be 
> VERY interested!
> ;o)
>
> Rick Kingslan
> Just Some Security Dweeb
>  
>
> > Hi all, 
>
>
> > My windows 98 machine still has ports 137, 138, 139 open even after i
> turned 
> > "File and Printer Sharing" options off. I succesfully used 
> this to get into
>
> > my system, so as you can imagine it's a big security risk. 
> How do you shut 
> > these ports down? I have read many FAQs and papers 
> concerning this but 
> > they've all said to just uncheck the two options in the 
> "File and Printer 
> > Sharing" window under Control Panel > Networking. I have 
> asked around on
> IRC 
> > and the most advice I got was to block the ports with my 
> > router/firewall(smoothwall)...But how come I can't just turn 
> them off 
> > myself? 
>
>
>
>
>
> ----------------------- 
> "You can stop this individual, but you can't stop us 
> all...After all, we're 
> all alike..." - The Mentor 
> ----------------------- 
>
>
>
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------