Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Is it possible to disable NETBIOS and still allow NTLM and Kerberos authentication?

1,135 views
Skip to first unread message

Brad Baker

unread,
Feb 24, 2008, 11:46:23 PM2/24/08
to
We've been informed by a security auditor that we need to disable NETBIOS on
our network. That seems simple enough to do, but we are concerned that doing
so may affect NTLM authentication which we use for several web based
applications (as well as kerberos). Does NTLM or Kerberos utilize NETBIOS?

Thanks
Brad


Ken Schaefer

unread,
Feb 25, 2008, 4:13:15 AM2/25/08
to
Hmm - how are you proposing to disable NetBIOS?

I'm not aware of any dependancy of NTLM AuthN over HTTP on NetBIOS, and
Kerberos shouldn't have any dependancy on NetBIOS (not from client to KDC,
nor client to IIS).

Cheers
Ken

"Brad Baker" <br...@nospam.nospam> wrote in message
news:%23wWbfl2...@TK2MSFTNGP03.phx.gbl...

WenJun Zhang[msft]

unread,
Feb 25, 2008, 4:57:57 AM2/25/08
to
Hi Brad,

I think what you mentioned is the NetBIOS over TCP/IP options in TCP/IP
advanced setting of a network adapter.

Disabling NetBIOS over TCP/IP on IIS server will not affect integrated
authentication i.e: NTLM and Kerberos. The only impact should be that you
can no longer use NetBIOS names to access web sites on the server locally,
e.g: http://localhost/ or http://servername/ .

Please update here if you have any further question.

Have a great week.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Roger Abell [MVP]

unread,
Feb 25, 2008, 5:50:47 AM2/25/08
to
Disabling NetBT (Netbios/tcp) will not impact authentication,
nor fileshares, nor domain membership (gpo application, etc.)
and short hostnames (e.g. \\server, http://server) will fly if your
naming and DNS are aligned.
I have yet to have such auditors explain to me just what they are
thinking the recommendation/mandate solves/avoids. Pretty much
all Netbios activity can/will continue without NetBT if DNS and
AD (i.e. ldap) can support name resolution / host location services.

Roger

"Brad Baker" <br...@nospam.nospam> wrote in message
news:%23wWbfl2...@TK2MSFTNGP03.phx.gbl...

Brad Baker

unread,
Feb 25, 2008, 1:28:20 PM2/25/08
to
Roger -

Everything you said seems to jive with what I am seeing in our lab
environment . However I do have one question.

You mentioned:


"Pretty much all Netbios activity can/will continue without NetBT if DNS and
AD (i.e. ldap) can support name resolution / host location services."

I don't know a lot about NETBIOS myself so I'm relying a lot on the auditor
to provide us with guidance - however your comments make me question how
knowledgable our auditor really is.

Is it really even possible to disable NETBIOS entirely in a Windows network?
What additional steps would be required besides disabling NETBT?

Thanks,
Brad


"Roger Abell [MVP]" <mvpN...@asu.edu> wrote in message
news:u0HaJx5d...@TK2MSFTNGP03.phx.gbl...

Roger Abell [MVP]

unread,
Feb 26, 2008, 4:34:41 AM2/26/08
to
"Brad Baker" <br...@nospam.nospam> wrote in message
news:uGjS0w9d...@TK2MSFTNGP06.phx.gbl...

> Roger -
>
> Everything you said seems to jive with what I am seeing in our lab
> environment . However I do have one question.
>
> You mentioned:
> "Pretty much all Netbios activity can/will continue without NetBT if DNS
> and AD (i.e. ldap) can support name resolution / host location services."
>
> I don't know a lot about NETBIOS myself so I'm relying a lot on the
> auditor to provide us with guidance - however your comments make me
> question how knowledgable our auditor really is.
>

I have impression such is widely spread in "audit industry" beliefs,
or should that be willingness to err into precaution due to incomplete
perspective on a number of points.

> Is it really even possible to disable NETBIOS entirely in a Windows
> network?

No. Not currently; but that does also depend on what the Windows
system is supposed to be able to do. NetBios has basically 3 part
functionality. One may easily remove NetBT (NetBios over Tcp/Ip)
but think of this as removing a transport. Windows will accomplish
what NetBios parts it needs over Tcp 445 and it will accomplish the
name resolution /location service part only by DNS and/or Ldap.

> What additional steps would be required besides disabling NETBT?

Pre-req: A post-current (post-2k8) generation Exchange and Windows.

WenJun Zhang[msft]

unread,
Feb 26, 2008, 4:37:32 AM2/26/08
to
Hi Brad,

The topic should be out of the scope of IIS. The following article should
answer your question partially:

323357 How To Configure TCP/IP Networking While NetBIOS Is Turned Off on a
Server Running Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;323357

Have a great day.

0 new messages