Broadcast stomping in win2k domain - TechRepublic
Question
February 7, 2007 at 03:37 PM
sbotsford

Broadcast stomping in win2k domain

by sbotsford . Updated 19 years, 5 months ago

Servers: Freebsd running Samba 2.2.8a
Clients: Win2k SP4 + security fixes up through January.

Recently I was hit hard by a network worm that exploited a security hole in windows (what a surprise…)

To prevent a recurrence when (not if…) the next winsooze security hole is discovered, one step I want to take is to minimize client-to-client communication.

For this I have installed a free firewall (Sunbelt Kerio PF) and written packet filter rules to block ALL traffic between clients.

I’ve also set up my dhcp server to tell all the clients to use netbios-name-lookup type 2 (WINS only)
given them the name of the WINS server.

This part all works.
Now the tricky part:
In addition I want to stomp out the gratuitous broadcasting that winsnooze does. So I wrote another packet rule that blocks all traffic from the client to my broadcast address, 192.168.1.255.

If I do this, then domain logins where the user’s profile is not cached on the local machine fail with a message “You can’t login because the domain SJSA is not available”

If the profile is cached, then domain login works just fine.

In both cases the network shares mapped to local drives works.

Question: Why do domain logins fail, but network shares succeed when the client is forbidden to broadcast?

Question: What steps can be taken to eliminate gratuitous broadcasts by windows?

This discussion is locked

All Comments