Networking

Disable NetBIOS and SMB to protect public Web servers

As the connection between your internal network and the rest of the world, public Web servers always deserve an extra measure of protection. In this edition of Security Solutions, Mike Mullins tells you one way to lock down these servers.

Serving data to users outside of an internal network, public Web servers are typically the first point of contact for an external attack. In addition, internal networking ports are the most revealing and most often attacked ports on a server. That's why you need to make sure you've disabled the services that are specifically for intranets.

The two biggest culprits that you need to worry about are the Server Message Block (SMB) protocol and NetBIOS over TCP/IP. Both services can reveal a wealth of security information and are reoccurring vectors for hacks and attacks. They're unnecessary for the operation of a public Web server, and you should take steps to shut down both services on these servers.

Disable NetBIOS

NetBIOS was once a useful protocol developed for nonroutable LANs. In this case, it acts as a session-layer protocol transported over TCP/IP to provide name resolution to a computer and shared folders. NetBIOS uses these ports:

  • UDP 137: NetBIOS name service
  • UDP 138: NetBIOS datagram service
  • TCP 139: NetBIOS session service

Since external users—or hackers—don't need access to shared internal folders, you should turn off this protocol. To disable NetBIOS over TCP/IP, follow these steps:

  1. Got to Start | Control Panel, and double-click the System applet.
  2. On the Hardware tab, click the Device Manager button.
  3. Select Show Hidden Devices from the View menu.
  4. Expand Non-Plug And Play Drivers.
  5. Right-click NetBios Over Tcpip, and select Disable.
  6. Close all dialog boxes and applets.

This disables the Nbt.sys driver, which stops NetBIOS from listening to or initiating sessions over TCP 139. While SMB normally uses this port for communication, it will now switch to TCP 445—also known as the Common Internet File System (CIFS) port. That's why you need to disable SMB next.

Uninstall SMB

SMB uses TCP 139 or TCP 445—depending on which port is available. There's one way to disable SMB on a non-domain controller. However, I recommend completely uninstalling this service to prevent some well-meaning individual (or program) from re-enabling the service.

To uninstall SMB, follow these steps:

  1. Go to Start | Control Panel, and double-click the Network Connections applet.
  2. Right-click Local Area Connection (i.e., the Internet-facing connection), and select Properties.
  3. Select Client For Microsoft Networks, and click the Uninstall button.
  4. After the uninstall finishes, select File And Printer Sharing For Microsoft Networks, and click the Uninstall button.
  5. Close all dialog boxes and applets.

Understand the ramifications

You've now disabled both SMB and NetBIOS. If an attacker manages to compromise your Web server, he or she won't be able to use NetBIOS or SMB to further explore and exploit your network.

Of course, security measures are often a balancing act of functionality and security. In this case, disabling these services takes away your ability to remotely manage Web servers through Active Directory's Computer Management console. However, you can still connect to and manage these servers through the Remote Desktop Client.

Final thoughts

While it's a common practice to block these ports at security boundaries, nothing beats disabling them on the machines themselves. Remember, as the connection between your internal network and the rest of the world, Web servers always deserve an extra measure of protection.

Miss a column?

Check out the Security Solutions Archive, and catch up on the most recent editions of Mike Mullins' column.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

0 comments