Securing Windows 2000 Server

Appendix C: Disabling NetBIOS on Servers in Untrusted Networks

Published: November 17, 2004 | Updated: May 31, 2006

Note: Welcome to the TechNet Archive. We've created this Archive area so that we can continue to make available older content that is still of interest to some of our users. This allows us to streamline the content offerings on the site and keep it focused on the newest, most relevant content.

This appendix discusses a recommendation specifically for servers located in untrusted networks, for example, publicly accessible Web servers or mail gateways. None of the servers in the Contoso scenario were located in the perimeter network, so the steps recommended within this appendix were not performed on any of them. If you have servers located in an untrusted network, you should consider implementing the changes that follow, but test them thoroughly and be certain that you understand the challenges that disabling NetBIOS will have on managing the computers.

Vulnerability

Servers in the perimeter network should have all unnecessary protocols disabled including NetBIOS and server message block (SMB). Web servers and DNS servers do not require NetBIOS or SMB. These protocols should both be disabled to counter the threat of user enumeration. User enumeration is a type of information gathering exploit in which an attacker attempts to obtain system specific information to plan additional attacks.

The SMB protocol will return rich information about a computer even to unauthenticated users using "null" sessions. The information that can be retrieved includes domain and trust details, shares, user information (including groups and user rights), registry keys, and more.

Note Null sessions can be blocked by setting the RestrictAnonymous registry key as described in the "MSBP Security Options" section in Chapter 6, "Hardening the Base Windows 2000 Server."

Top of page

Countermeasure

Disabling NetBIOS is not sufficient to prevent SMB communication, because in the absence of standard NetBIOS ports SMB will use TCP port 445, which is referred to as SMB Direct Host. As a result, explicit steps must be taken to separately disable both NetBIOS and SMB.

NetBIOS uses the following ports:

•	UDP/137 (NetBIOS name service)
•	UDP/138 (NetBIOS datagram service)
•	TCP/139 (NetBIOS session service)

SMB uses the following ports:

•	TCP/139
•	TCP/445

On servers accessible from the Internet, you should disable SMB by removing File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks using the TCP/IP properties dialog box in your Local Area Connection properties.

To disable SMB

1.	On the Start menu, point to Settings, and then click Network and Dial-up Connections.
2.	Right-click Internet facing connection, and then click Properties.
3.	Select Client for Microsoft Networks, and then click Uninstall.
4.	Follow the uninstall steps.
5.	Select File and Printer Sharing for Microsoft Networks, and then click Uninstall.
6.	Follow the uninstall steps.

To disable NetBIOS over TCP/IP

1.	Right-click My Computer on the desktop, and then click Manage.
2.	Expand System Tools, and then select Device Manager.
3.	Right-click Device Manager, point to View, and then click Show hidden devices.
4.	Expand Non-Plug and Play Drivers.
5.	Right-click NetBios over Tcpip, and then click Disable.

This procedure disables the SMB direct host listener on TCP/445 and UDP 445.

Note This procedure disables the nbt.sys driver. The WINS tab of the Advanced TCP/IP Settings dialog box contains a Disable NetBIOS over TCP/IP option. Selecting this option only disables the NetBIOS Session Service (which listens on TCP port 139). It does not disable SMB completely. To do so, perform the steps in this procedure.

Top of page

Potential Impact

No computers will be able to connect to the server through SMB. The servers will be unable to access folders shared on the network. Many management tools will be unable to connect to the servers.

Top of page

15 of 16

•	Overview
•	Chapter 1: Introduction to Securing Windows 2000 Server
•	Chapter 2: Defining the Security Landscape
•	Chapter 3: Understanding the Security Risk Management Discipline
•	Chapter 4: Applying the Security Risk Management Discipline
•	Chapter 5: Securing the Domain Infrastructure
•	Chapter 6: Hardening the Base Windows 2000 Server
•	Chapter 7: Hardening Specific Server Roles
•	Chapter 8: Patch Management
•	Chapter 9: Auditing and Intrusion Detection
•	Chapter 10: Responding to Incidents
•	Chapter 11: Conclusion
•	Appendix A: Purpose of Microsoft Windows 2000 Services
•	Appendix B: Registry Access Control Changes
•	Appendix C: Disabling NetBIOS on Servers in Untrusted Networks
•	Appendix D: Configuring Digital Certificates on Domain Controllers

Securing Windows 2000 Server

Appendix C: Disabling NetBIOS on Servers in Untrusted Networks

On This Page

Vulnerability

Countermeasure

Potential Impact

In This Article