[Dshield] Netbios over tcpip never good ? (was spamcop listed )
jlauro at umflint.edu
Wed Dec 17 13:14:31 GMT 2003
> -----Original Message-----
> > What exactly is so insecure about netbios ? The thing
> > mentioned before
> > about 'user enumeration' is something that can easily be
> > disabled with
> > a registry key.
> This is not about Windows being secure or not. It is about
> how to use Windows securely.
> Microsoft outlines in its "ISP Security Practices List"
> "Deny all traffic to ports 135-139,445 TCP/UDP (NetBios/SMB)."
(lower part of the page, in the Firewall and Router Security section)
Note, they say have that as a "base set", not as a draconian mandated
unalterable set, and the higher priority rule on the same list is:
"Default deny, explicitly allow services, and explicitly deny others,
for additional security." So if you need to allow services, then do
so, and by their guidelines this trumps the deny port 135-139, 445. If
you are going to quote Microsoft, at least try not to do it out of
One example of something using one of the listed ports that I haven't
noticed (sorry, haven't been following the conversation closely, may
have missed it), is port 135. Outlook/Microsoft Exchange requires port
135 (client -> server) open for native operation. However, it can be
made to work with port 80 in Exchange 2003 and Outlook 2003, but I
suspect that in the long run that will really open up other holes
that will be harder to block because the RPC service is now moved to
port 80... Many ISPs unwisely block port 135 in both directions when
it should only be blocked one way.
Doing wild port blocking by ISPs just causes application writers to
migrate their protocols to a typically unblocked port, such as 80. We
then have less fine grained control for security, because everything
is multiplexed on one port! You can now only do host based instead of
service based blocking...
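As an added illustration of the point above (not part of the original post): a small Python model of a direction-aware ISP filter that follows "default deny, explicitly allow services, explicitly deny others" and drops NetBIOS/SMB only inbound, beside the both-directions block that breaks Outlook's client -> server port 135. The addresses, the Exchange server and the sample flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Microsoft's "base set" of ports to deny (NetBIOS/SMB) as quoted in the thread.
NETBIOS_SMB_PORTS = frozenset({135, 136, 137, 138, 139, 445})

# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
CUSTOMER_NET = ip_network("198.51.100.0/24")   # the ISP's customer access network
EXCHANGE_SERVER = ip_address("203.0.113.10")    # hypothetical Exchange server outside it


@dataclass(frozen=True)
class Flow:
    """First packet of a TCP connection, as a stateful filter would see it."""
    src: str
    dst: str
    dport: int

    def inbound(self) -> bool:   # from the Internet into the customer network
        return ip_address(self.dst) in CUSTOMER_NET and ip_address(self.src) not in CUSTOMER_NET

    def outbound(self) -> bool:  # from a customer host toward the Internet
        return ip_address(self.src) in CUSTOMER_NET and ip_address(self.dst) not in CUSTOMER_NET


def one_way_policy(f: Flow) -> str:
    """Default deny, explicitly allow services, explicitly deny others. Only
    unsolicited inbound NetBIOS/SMB is dropped; replies to allowed outbound
    connections are assumed to pass via connection tracking."""
    if f.inbound() and f.dport in NETBIOS_SMB_PORTS:
        return "deny"
    if f.outbound() and f.dport == 135 and ip_address(f.dst) == EXCHANGE_SERVER:
        return "allow"  # explicitly allowed service: Outlook -> Exchange RPC endpoint mapper
    if f.outbound() and f.dport not in NETBIOS_SMB_PORTS:
        return "allow"  # ordinary outbound traffic (web, mail, ...)
    return "deny"       # default deny, including every other unsolicited inbound flow


def both_ways_policy(f: Flow) -> str:
    """The 'wild' variant: drop the listed ports regardless of direction."""
    if f.dport in NETBIOS_SMB_PORTS:
        return "deny"
    return "allow" if f.outbound() else "deny"


# Constructed sample flows.
OUTLOOK = Flow("198.51.100.25", "203.0.113.10", 135)  # Outlook client -> Exchange
INBOUND_SMB = Flow("192.0.2.77", "198.51.100.25", 445)  # unsolicited inbound SMB
WEB = Flow("198.51.100.25", "192.0.2.80", 80)           # ordinary web browsing
```

Running both policies over the three flows shows that only the one-way filter keeps Outlook working while still dropping the unsolicited inbound SMB connection.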