OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Rich Wilson (wk633yahoo.com)
Date: Tue Jul 03 2001 - 17:55:05 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    DOH!

    Thanks (and to Laura, and a few others who replied privately).

    It still doesn't answer my questions ('problems') but it does 'solve' the
    problem, which is good enough for me right now. The messages are being
    generated by other machines (not the one generating the Event), so I'm still a
    bit worried as to how they are getting through my IPSec filters. I guess MS
    thinks our Computing Experience will be better if some things are left a
    mystery :-)

    --- Ben Jolly <Ben.Jollyneonsys.com> wrote:
    > Disable NetBIOS on the External Interface. If you are just Blocking NetBIOS
    > than NetBIOS is still active on that interface. Go to the Properties of the
    > connection Internet Protocol Properties Advanced Wins select Disable NetBIOS
    > over TCP/IP.
    >
    >
    >
    > -----Original Message-----
    > From: Rich Wilson [mailto:wk633yahoo.com]
    > Sent: Friday, June 29, 2001 5:21 PM
    > To: focus-mssecurityfocus.com
    > Subject: NetBT release messages
    >
    >
    > I have a problem that's driving me batty.
    >
    > I have a dual-hostsed server, internal network is 172.16.1.0, external is
    > 192.168.1.0 (all behind a corporate FW). The server has ipsec rules applied
    > for port filtering. There's a default deny everything rule, a rule that
    > allows
    > anything from 172.16.1.0, an HTTP rule (allow TCP from any to my address on
    > 80)
    > an SMTP client rule (allow TCP from me to any on 25) and a DNS client rule
    > (allow TCP/UDP from me to any on 53).
    >
    > The server is getting NetBT release messages from other machines on the
    > 192.168.1.0 network, and generating Event ID 4320. The IP in the data of
    > the
    > event always points to a 192.168.1.0 machine. The machines generating the
    > release messages don't have access to the 172.16.1.0 network.
    >
    > Problem 1 is why other machines are generating these? I've been through all
    > the 'normal' reasons for this (searching http://www.eventid.net and
    > http://support.microsoft.com/support/kb/articles/Q120/7/52.asp) but I can't
    > see
    > any duplicate names anywhere. I've heard having a workgroup name and system
    > name the same will cause this, I don't have that.
    >
    > Problem 2 is how these messages are getting past IPSec. They appear even if
    > I
    > have a specific rule to block UDP on ports 137, 138 and 139. I went so far
    > as
    > to write a client/server to send simple UDP packets to make sure IPSec was
    > working, and it is in fact blocking.
    >
    > Anybody run accross something like this before? I am using Win2K server,
    > SP2.
    >
    >
    > =====
    > : __o
    > : -\<,
    > : 0/ 0
    >
    > __________________________________________________
    > Do You Yahoo!?
    > Get personalized email addresses from Yahoo! Mail
    > http://personal.mail.yahoo.com/

    =====
    : __o
    : -\<,
    : 0/ 0

    __________________________________________________
    Do You Yahoo!?
    Get personalized email addresses from Yahoo! Mail
    http://personal.mail.yahoo.com/