From: Dan R. Larsen (DRLarsen ouc.bc.ca)
Date: Thu Jul 05 2001 - 12:02:38 CDT
I am actually experiencing the same problem. I don't think the messages
are coming from other machines (in my instance anyway). The IP
addresses, although within my local network range, do not always map
back to a real machine. It seems as if the IP address is random and I am
not sure why.
For the record, both my machines are the only nodes in a Win2k Adv
Server cluster, each with two NICs. NetBIOS is disabled on the private
interface, and enabled on the public interface. I imagine disabling it
on the public interface would resolve the issue, but it is not really an
answer to the problem. None of the cases identified in Microsoft's
Q131740 apply to me.
If anyone has any further ideas, it sure would be appreciated.
Cheers,
Dan Larsen
-----Original Message-----
From: Rich Wilson [mailto:wk633 yahoo.com]
Sent: July 3, 2001 3:55 PM
To: Ben Jolly; focus-ms securityfocus.com
Subject: RE: NetBT release messages
DOH!
Thanks (and to Laura, and a few others who replied privately).
It still doesn't answer my questions ('problems') but it does 'solve' the
problem, which is good enough for me right now. The messages are being
generated by other machines (not the one generating the Event), so I'm still a
bit worried as to how they are getting through my IPSec filters. I guess MS
thinks our Computing Experience will be better if some things are left a
mystery :-)
--- Ben Jolly <Ben.Jolly neonsys.com> wrote:
> Disable NetBIOS on the External Interface. If you are just Blocking NetBIOS
> then NetBIOS is still active on that interface. Go to the Properties of the
> connection Internet Protocol Properties Advanced WINS select Disable NetBIOS
> over TCP/IP.
>
>
>
> -----Original Message-----
> From: Rich Wilson [mailto:wk633 yahoo.com]
> Sent: Friday, June 29, 2001 5:21 PM
> To: focus-ms securityfocus.com
> Subject: NetBT release messages
>
>
> I have a problem that's driving me batty.
>
> I have a dual-hosted server, internal network is 172.16.1.0, external is
> 192.168.1.0 (all behind a corporate FW). The server has ipsec rules applied
> for port filtering. There's a default deny everything rule, a rule that
> allows anything from 172.16.1.0, an HTTP rule (allow TCP from any to my
> address on 80) an SMTP client rule (allow TCP from me to any on 25) and a DNS
> client rule (allow TCP/UDP from me to any on 53).
>
> The server is getting NetBT release messages from other machines on the
> 192.168.1.0 network, and generating Event ID 4320. The IP in the data of the
> event always points to a 192.168.1.0 machine. The machines generating the
> release messages don't have access to the 172.16.1.0 network.
>
> Problem 1 is why other machines are generating these? I've been through all
> the 'normal' reasons for this (searching http://www.eventid.net and
> http://support.microsoft.com/support/kb/articles/Q120/7/52.asp) but I can't
> see any duplicate names anywhere. I've heard having a workgroup name and
> system name the same will cause this, I don't have that.
>
> Problem 2 is how these messages are getting past IPSec. They appear even if I
> have a specific rule to block UDP on ports 137, 138 and 139. I went so far as
> to write a client/server to send simple UDP packets to make sure IPSec was
> working, and it is in fact blocking.
>
> Anybody run across something like this before? I am using Win2K server,
> SP2.
>
>
> =====
> : __o
> : -\<,
> : 0/ 0
>
=====
: __o
: -\<,
: 0/ 0
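
The thread's distinction between blocking the NetBIOS ports and disabling NetBIOS over TCP/IP on an interface can be checked per adapter. The following is an added example, not code from any poster in this thread; it assumes a current Windows release with the CIM and NetTCPIP cmdlets (not the Windows 2000 hosts discussed), and the function names `Get-NetbtState` and `Disable-Netbt` are hypothetical.

```powershell
# Added example. Get-NetbtState / Disable-Netbt are hypothetical helper names;
# Win32_NetworkAdapterConfiguration, TcpipNetbiosOptions and SetTcpipNetbios are real WMI members.
$NetbtState = @{ 0 = 'Default (from DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

function Get-NetbtState {
    # One row per IP-enabled adapter with its NetBIOS-over-TCP/IP setting decoded.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Index       = $_.Index
                Description = $_.Description
                IPAddress   = ($_.IPAddress -join ', ')
                Netbt       = $NetbtState[[int]$_.TcpipNetbiosOptions]
                StillActive = ($_.TcpipNetbiosOptions -ne 2)   # a port filter alone does not change this
            }
        }
}

function Disable-Netbt {
    # Disables NetBT on every adapter holding an address that starts with $Prefix.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Prefix)   # e.g. '192.168.1.' for the external side in the thread

    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.IPAddress -like "$Prefix*" } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Description, 'Disable NetBIOS over TCP/IP')) {
                $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                                      -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
                [pscustomobject]@{
                    Description = $_.Description
                    ReturnValue = $r.ReturnValue     # 0 = success, 1 = success, reboot required
                }
            }
        }
}

# Audit first, then preview the change, then apply it from an elevated session.
Get-NetbtState | Format-Table -AutoSize
Disable-Netbt -Prefix '192.168.1.' -WhatIf

# Addresses the NetBT name/datagram services are still bound to (UDP 137/138)
# and the session service (TCP 139); empty output for an address means NetBT is off there.
Get-NetUDPEndpoint -LocalPort 137,138 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort
Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort
```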