Broadcast stomping in win2k domain

By sbotsford
Servers: Freebsd running Samba 2.2.8a
Clients: Win2k SP4 + security fixes up through January.

Recently I was hit hard by a network worm that exploited a security hole in Windows (what a surprise...).

To prevent a recurrence when (not if...) the next winsooze security hole is discovered, one step I want to take is to minimize client-to-client communication.

For this I have installed a free firewall (Sunbelt Kerio PF) and written packet filter rules to block ALL traffic between clients.

I've also set up my DHCP server to tell all the clients to use netbios-name-lookup type 2 (WINS only) and given them the name of the WINS server.

This part all works.
Now the tricky part:
In addition I want to stomp out the gratuitous broadcasting that winsnooze does. So I wrote another packet rule that blocks all traffic from the client to my broadcast address.

If I do this, then domain logins where the user's profile is not cached on the local machine fail with a message "You can't login because the domain SJSA is not available"

If the profile is cached, then domain login works just fine.

In both cases the network shares mapped to local drives work.

Question: Why do domain logins fail, but network shares succeed when the client is forbidden to broadcast?

Question: What steps can be taken to eliminate gratuitous broadcasts by Windows?


Broadcast stomping revisited.

by sbotsford In reply to Broadcast stomping in win ...

Creating LMHosts in /winnt/system32/drivers/etc, populating it with the names of my servers, thus:

conan #pre #dom:sjsa
postie #pre

fixed this problem.

Changing the "Computer Browser" service to disabled kept newly booted computers from forcing an election immediately on boot.

Adding a rule to the firewall to allow all traffic between client and servers, and putting it first in the list allowed the clients to hear broadcast browser announcements from the servers.
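
The rule ordering described in this follow-up, modelled as a first-match packet filter. This is an added example, not part of the original post and not Kerio's rule syntax; the addresses, the first-match evaluation, the direction-agnostic broadcast rule and the default-allow fall-through are all assumptions.

```python
import ipaddress

# Constructed addressing: the thread gives no IPs, so all of these are assumptions.
NET = ipaddress.ip_network("192.168.10.0/24")
SERVERS = {ipaddress.ip_address("192.168.10.2"),   # stands in for conan
           ipaddress.ip_address("192.168.10.3")}   # stands in for postie
BCAST = NET.broadcast_address
CLIENT_A = ipaddress.ip_address("192.168.10.50")
CLIENT_B = ipaddress.ip_address("192.168.10.51")

def server_traffic(src, dst):
    # Either endpoint is a server, in either direction.
    return src in SERVERS or dst in SERVERS

def to_broadcast(src, dst):
    # Assumed direction-agnostic: anything addressed to the subnet broadcast.
    return dst == BCAST

def client_to_client(src, dst):
    # Both endpoints are LAN hosts and neither is a server.
    return src in NET and dst in NET and not server_traffic(src, dst)

# Order described in the follow-up post: the server rule comes first.
SERVER_RULE_FIRST = [("allow", server_traffic), ("block", to_broadcast),
                     ("block", client_to_client)]
# The same rules with the server rule last, for comparison.
SERVER_RULE_LAST = [("block", to_broadcast), ("block", client_to_client),
                    ("allow", server_traffic)]

def verdict(rules, src, dst, default="allow"):
    # First matching rule wins; unmatched traffic gets the default.
    for action, match in rules:
        if match(src, dst):
            return action
    return default

SAMPLES = {
    "client -> client":    (CLIENT_A, CLIENT_B),
    "client -> server":    (CLIENT_A, min(SERVERS)),
    "client -> broadcast": (CLIENT_A, BCAST),
    "server -> broadcast": (min(SERVERS), BCAST),  # browser announcement
}

def evaluate(rules):
    return {name: verdict(rules, s, d) for name, (s, d) in SAMPLES.items()}

if __name__ == "__main__":
    print(evaluate(SERVER_RULE_FIRST), evaluate(SERVER_RULE_LAST), sep="\n")
```

With the server rule last, unicast to the servers still passes, but a server's broadcast announcement hits the broadcast block before the allow rule is reached.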


Check these out

by gary In reply to Broadcast stomping revisi ...

Snort and Windows update.
