NetBIOS Vs DNS:
Earlier Netbios was used instead of DNS for name resolution. But after 2000, Windows started using DNS (Domain Name System) and SMB (Server Messsage Block) Direct Hosting at TCP/IP port 445 for requests instead of port 139
.
The Risk:
.
The Risk:
This is basically used for name resolution and File sharing. NetBIOS on the WAN or over the Internet, however, is an enormous security risk. All sorts of information, such as your domain, workgroup and system names, as well as account information is obtainable via NetBIOS.
The SMB (Server Message Block) protocol is used among other things for file sharing in Windows OS. In Windows Servers it ran on top of NetBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445. By standard both port 139 and 445 is open to get the highest degree of compatibility. A client will try to request on both ports and continue the communication on the port which responds first.
How to Disable?
Disable SMB use of Netbios port 139 (Forces use of port 445):
- On the Start menu, point to Settings, and then click Network and Dial-up Connections
- Right-click Internet facing connection, and then click Properties.
- Select Internet Protocol TCP/IP and select Properties
- Click Advanced and select the WINS tab
- Tick Disable NetBIOS over TCP/IP and click Ok
[HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \NetBT \Parameters]Disable SMB use of port 139 and 445 (Disables nbt.sys driver):
SMBDeviceEnabled = 0
- Right-click My Computer on the desktop, and then click Manage.
- Expand System Tools, and then select Device Manager.
- Right-click Device Manager, point to View, and then click Show hidden devices.
- Expand Non-Plug and Play Drivers.
- Right-click NetBios over Tcpip, and then click Disable.
- On the Start menu, point to Settings, and then click Network and Dial-up Connections
- Right-click Internet facing connection, and then click Properties.
- Select Client for Microsoft Networks, and then click Uninstall.
- Follow the uninstall steps.
- Select File and Printer Sharing for Microsoft Networks, and then click Uninstall.
- Follow the uninstall steps.
If you are using a router as your Internet gateway then you will want to ensure that it does not allow inbound or outbound traffic via TCP ports 135-139.
If you’re using a Firewall then you should also block the same ports - TCP ports 135-139.
No comments:
Post a Comment