how to shut off netbios-ns/port:137 (udp)

Alex Fitterling

Jun 3, 2003, 9:42:34 AM
Dear Microsoft Users,

When scanning certain Win2k clients in my network with the open-source
security tool Nessus, I get the following security warning:


---
Warning netbios-ns (137/udp) . The following 2 NetBIOS names have been
gathered : NAME = Computer 1) name that is registered for the
messenger service on a computer that is a WINS client. BENUTZER1 =
Computer name that is registered for the messenger service on a
computer that is a WINS client. . The remote host has the following
MAC address on its adapter : XXXXXXXXXXXXXXXXXXX 1)

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150

1) For security reasons the values have been made unrecognizable.
----

I definitely want to deactivate the whole port, not allowing the
clients to share anything on the net. Is there a way to achieve this, or
could that (only Microsoft knows) for any reason be dangerous?

So far I have taken a look at certain newsgroups. There were actually a
whole bunch of inquiries I myself wasn't able to deal with. So this is
my own posting.

Sincerely,

Alex


Lanwench [MVP - Exchange]

Jun 3, 2003, 10:11:46 AM
Alex - if this is only internal to your network, and you have a properly
configured firewall protecting your network from the Internet, you shouldn't
really worry about this.

Alex Fitterling

Jun 3, 2003, 11:02:45 AM
Hi Lanwench,

No, we do not have any firewall at all. I really want this port off. Is
there any trick to do this? Or could I just achieve this by
deactivating the Windows file sharing protocol in network setup? If so,
is this enough, or how else should I proceed?

Please help.

Alex

Lanwench [MVP - Exchange]

Jun 3, 2003, 1:08:51 PM
Get a firewall ASAP. No network, nor even a single workstation, should be
without one. Get a good stateful inspection device that sits between you and
the Internet. You can't possibly protect your network by disabling services,
and your internal network actually *needs* many of those services. Look at
www.sonicwall.com for some decent boxes that don't cost too much. A simple
NAT device is not going to do it for you.

Karl Levinson [x y] mvp

Jun 3, 2003, 3:18:15 PM
My post may have disappeared, but I agree. Disabling services does nothing
to block outbound connections from worms or remote access trojans or
keystroke loggers, inbound attempts to guess OS from the TCP headers, etc.
While it is theoretically possible to do everything necessary to completely
harden a Windows computer to be fairly secure without a firewall, you really
have to know your stuff beforehand to hope to accomplish this, and even then
you still greatly improve your security by using a firewall. Here are a
number of free and inexpensive firewalls:

http://securityadmin.info/faq.htm#firewall
http://securityadmin.info/faq.htm#harden

Johnnie Baker

Jun 7, 2003, 12:39:14 AM
I have personally advised people to use the free download
ZoneAlarm from
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp
Actually the built-in security policy is capable of
blocking NetBIOS attacks, but as the previous post
indicates it does require a good deal of experience. Use
secpol.msc from a Run command on Win2k/XP. Here is an
example which meets your needs for blocking the common
NetBIOS ports. I apologize for posting the entire
procedure instead of the link. I have forgotten where I
obtained it. I agree with the recommendation for putting
in place a firewall such as MS ISA. And NAT is always a
cheap alternative. I personally open up my connection to
the world and am only using Windows XP with an inexpensive
Norton Firewall. You certainly wouldn't want to apply
this procedure to a large number of workstations, even
though you can save the IPsec policy you create and push
it to your domain environment via a login script. But who
would have a large number of workstations open to the
internet ..... a public school :)

Step-by-Step Guide: How to block NetBIOS connections to
Windows 2k/XP Pro
The Windows server service, while indispensable on a file,
print or application server, can create quite a headache
when administering Windows workstations. Since the service
advertises on well-known NetBIOS ports, it is a common
attack vector for hackers attempting to gain access to the
computers on your network.
There are a number of ways to block this avenue of attack,
including implementing a central firewall or disabling the
server service outright. On a Windows 2000 or XP
Professional workstation, you can also create an IPsec
filtering policy to stop NetBIOS traffic dead in its
tracks. Follow the steps below to create an IPsec policy
for an individual workstation or a central policy for an
entire Active Directory domain or organizational unit.

Step 1: If you're working as part of a domain where you
aren't the only administrator on staff, consult the
necessary person or persons before changing any settings
on a production machine. If someone has already set up
group policies at the site, domain or organizational unit
level, conflicting settings could spell trouble for your
workstation -- causing anything from a minor annoyance to
a complete inability to communicate on your network.

Step 2: Open the local computer policy by clicking on
Start -> Run, then typing "gpedit.msc."

Step 3: Click on Computer Configuration -> Windows
Settings -> Security Settings. Right-click on IP Security
Policies on Local Computer and select "Create IP Security
Policy."

Step 4: Click "Next" to bypass the initial welcome screen.
Enter a name for the IPsec policy and click "Next" again.

Step 5: Remove the check mark next to "Activate the
default response rule" and click "Next."

Step 6: Click "Add" to create a new security rule. A
security rule consists of two key components: an IP filter
list that tells Windows what sort of traffic to look for
and a filter action that tells Windows what to do once it
has found something.

Step 7: Create two IP filters. Both will filter traffic
with a source IP address of "Any IP Address" and a
destination of "My IP Address." IP filters monitor traffic
according to a source and/or destination IP address, as
well as source/destination port numbers. (An IP filter can
only handle one type of traffic at a time, which is why
security rules rely on filter lists.) One will filter
traffic with a destination TCP port 139, the other will
affect TCP destination port 445. This will cause the IP
security rule to flag NetBIOS traffic directed against
your workstation from any point of origin.

Step 8: Create a filter action to block the IP traffic
affected by the IP filters created in Step 7.

Step 9: Right-click on the completed IPsec policy and
click "Assign" to apply it to your local workstation.
You're done! No rebooting required. Your workstation will
now reject any and all NetBIOS connection attempts. If you
need to tweak the policy, you can create additional
security rules to allow NetBIOS connections from
administrative workstations. You can also de-assign the
policy if it's not working the way you had intended.

Regards,
Johnnie

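The guide's Steps 3-9 as a command-line script, added here as an example and not part of the original thread. It uses the netsh ipsec static context (present on Windows XP SP2 / Server 2003 and later; Windows 2000 lacks it and needs the Resource Kit's ipsecpol.exe instead), and besides the guide's TCP 139/445 it also filters UDP 137, the port the original question was about. The policy, filter list, filter action and rule names are assumptions chosen for the example.

```batch
@echo off
rem Added example (not from the thread): scripted form of the guide's
rem Steps 3-9 for Windows XP SP2 / Server 2003 and later. Run as an
rem administrator on the workstation being hardened. All names below
rem ("Block NetBIOS", "NetBIOS Inbound", "Block Traffic") are assumed.

rem Steps 3-5: a new policy with the default response rule left off.
netsh ipsec static add policy name="Block NetBIOS" description="Drop inbound NetBIOS/SMB" activatedefaultrule=no

rem Step 7: one filter list holding one filter per port. srcaddr=any and
rem dstaddr=me match traffic from any host to this machine; srcport=0
rem means any source port.
netsh ipsec static add filterlist name="NetBIOS Inbound"
netsh ipsec static add filter filterlist="NetBIOS Inbound" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=139 description="NetBIOS session service"
netsh ipsec static add filter filterlist="NetBIOS Inbound" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=445 description="SMB over TCP"
rem Not in the guide: the name service port the Nessus warning reported.
netsh ipsec static add filter filterlist="NetBIOS Inbound" srcaddr=any dstaddr=me protocol=udp srcport=0 dstport=137 description="NetBIOS name service"

rem Step 8: a filter action that blocks whatever the filters match.
netsh ipsec static add filteraction name="Block Traffic" action=block

rem Step 6: the security rule ties the filter list to the filter action.
netsh ipsec static add rule name="Block NetBIOS Rule" policy="Block NetBIOS" filterlist="NetBIOS Inbound" filteraction="Block Traffic"

rem Step 9: assign the policy; it takes effect without a reboot.
netsh ipsec static set policy name="Block NetBIOS" assign=yes

rem Check: confirm the policy is assigned and its rule is in place.
netsh ipsec static show policy name="Block NetBIOS" level=verbose
```

To confirm the effect, run nbtstat -A against the workstation's address from another machine: the node-status query the Nessus check relies on should now time out. Remember the guide's caveat that inbound administrative file-sharing access to the workstation is blocked too unless you add a permit rule for the admin hosts.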