Security Basics mailing list archives

Re: Basic firewall filtering question


From: "Gethin Jones" <gethinj () gethin net>
Date: Mon, 26 Jul 2004 19:53:44 +0100

Dear All,

The best way to secure these 'holes' in NETBIOS security is to put security
policies in place that do not allow 'NULL' account access to NETBIOS shares
such as C$, ADMIN$ and IPC$. If you start blocking access to these shares
completely you will run into all sorts of problems.

Have a look :-)

Windows 2000

  1. Open up the Domain Policy.
  2. Select Security Settings.
  3. Select Local Policies.
  4. Select Security Options.
  5. Choose "Additional restrictions of anonymous connections" in the
policy pane and from the pull down menu labelled "Local policy setting",
select "No access without explicit anonymous permissions". Click OK and
reboot the machine.

Windows XP & Windows 2003

  1. Open the Domain Policy.
  2. Select Security Settings.
  3. Select Local Policies.
  4. Select Security Options. Make sure that BOTH the following options are
enabled:

     Network Access: Do not allow anonymous enumeration of SAM accounts.

     Network Access: Do not allow anonymous enumeration of SAM accounts and
     shares.



The Windows XP & 2003 settings do not completely fix the problem as some
aspects of the policies have not been added by Microsoft yet. But as
Microsoft releases patches for their servers they will incorporate the
correct settings.



Best Regards



Gethin
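
[Added example, not part of Gethin's post: a PowerShell audit of the registry values that the policy settings named above write under the LSA key. The mapping between policy names and RestrictAnonymous / RestrictAnonymousSAM values is taken from Microsoft's documentation and is stated as an assumption in the comments; the OS-version check is an assumption too, since PowerShell did not ship for the systems discussed in 2004.]

```powershell
# Added example: verify that the anonymous (NULL session) restrictions
# from the thread are actually in effect on this host. Assumed mapping:
#   Win2000  "Additional restrictions for anonymous connections" =
#            "No access without explicit anonymous permissions"
#            -> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 2
#   XP/2003  "Do not allow anonymous enumeration of SAM accounts"
#            -> RestrictAnonymousSAM = 1
#            "Do not allow anonymous enumeration of SAM accounts and shares"
#            -> RestrictAnonymous = 1
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$osVersion = [System.Environment]::OSVersion.Version

# Windows 2000 reports kernel version 5.0; XP is 5.1, Server 2003 is 5.2.
# Anything newer is checked against the XP/2003 pair of values.
if ($osVersion.Major -eq 5 -and $osVersion.Minor -eq 0) {
    $expected = @{ RestrictAnonymous = 2 }
} else {
    $expected = @{ RestrictAnonymousSAM = 1; RestrictAnonymous = 1 }
}

$results = foreach ($name in $expected.Keys) {
    # A missing value means the policy was never applied; treat it as not hardened.
    $item   = Get-ItemProperty -Path $lsa -Name $name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.$name } else { $null }
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Hardened = ($actual -eq $expected[$name])
    }
}

$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Hardened })
if ($failed.Count -gt 0) {
    Write-Warning "Anonymous access restrictions are not fully applied: $($failed.Setting -join ', ')"
    exit 1
}
```

Run it in an elevated PowerShell session on the machine in question; a non-zero exit code means at least one of the settings above is missing or weaker than the post recommends.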



----- Original Message ----- 
From: "Ferino Mardo" <RMardo () ALJOMAIHBEV com>
To: <security-basics () securityfocus com>
Sent: Saturday, July 24, 2004 1:46 PM
Subject: Basic firewall filtering question


If a personal firewall is installed in a PC connected to a Win2K LAN,
netbios is allowed by allowing ports 137 to 139 in both directions. How
does one define a rule such that:

1. active directory authentication/browsing works

While at the same time making the PC invisible to the rest of the LAN
users?

TIA.

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------