[Dshield] Netbios over tcpip never good ? (was spamcop listed)

WMAVT@aol.com WMAVT at aol.com
Thu Dec 18 19:06:14 GMT 2003

OK, my two cents:
I do not like it either, but what the heck are we to do about it? Take the
10s of 1000s of AOL, CompuServe users that have no idea how AOL can
track them, do auto background downloads that change registry settings and
M$ may say it should not be used, BUT they keep it just to do
what AOL is doing. I wonder how many other big companies are using it also?
Have fun, Bill
PS: Not on AOL by choice LOL.

========Original Message======== 
Subj:   RE: [Dshield] Netbios over tcpip never good ? (was spamcop listed)  
Date:   12/16/2003 1:59:32 PM Mountain Standard Time    
From:    cbrenton at chrisbrenton.org (Chris Brenton)
Sender:    list-bounces at dshield.org
Reply-to: list at dshield.org (General DShield Discussion List)
To:    list at dshield.org (General DShield Discussion List)

On Tue, 2003-12-16 at 13:52, Richard Roy wrote:
> I don't mean to start a FLAME war, but this IS a group of security
> minded individuals correct?

If security is your primary concern, hit the "off" switch on your
computer and leave it in that position. Anything less than this security
posture implies that you are willing to accept some level of risk in
order to do business. Now it's just a matter of how much risk you are
willing to accept. Different organizations and individuals have
different levels of risk they are willing to accept.

> I must disagree strongly.  NETBIOS has NO place on the Internet PERIOD.

I think I could make a strong argument that Windows has no place on the
Internet, but we will not go there. ;-)

> OUCH! I can not believe that anyone would ever be serious about that.
> MS themselves in their own training courses tells you that netbios does
> not belong over the Internet.  

Speaking of "training", I'm noticing a trend, have confirmed this with
other SANS instructors, but would love some feedback from the community
at large.

I'm starting to see more production Windows 2003 servers in the wild. As
most of you probably know, it ships with no open listening ports. You
effectively have a server that can not act as a server till you turn
stuff on. Sounds good so far, but wait there is more. ;-)

I'm noticing during my audits that many administrators don't
understand what needs to be turned on and what does not. They end up
turning *everything* on in order to get it working. The end result is a
server that is actually _less_ secure than a Windows 2000 server out of
the box. 

Is anyone seeing this as well? Obviously this is a matter of
administrator education, and a more informed admin will not do this. As
a ratio however, I'm seeing more insecure 2003 servers than 2000 during
my audits. Just curious if anyone else that is doing auditing is seeing
similar results.

> I apologize if this is a bit mean spirited, but I cannot believe anyone
> who subscribes to this list and reads the postings would have this type
> of an uninformed attitude.

I personally would *never* use NetBIOS/IP on the Internet. I've been at
this long enough however to know that I'm not smart enough to identify
every business need and application that people may come up with for a
specific service. With this in mind, I'm *very* hesitant to ram my
beliefs down someone's throat without fully understanding where they are
coming from, and what their needs are.

So with that in mind, the correct fix is to have the OS vendor rectify
the problem, not expect ISPs to enforce some kind of militant "Big
Brother" action for everyone's good. This way people have choices.
Choices are good. :-)

From the "Live Free or Die" state,
