From: Laura A. Robinson (larobins@bellatlantic.net)
Date: Thu Aug 16 2001 - 19:25:52 CDT
More info related to my last two postings on this subject:
http://support.microsoft.com/support/kb/articles/Q299/9/77.ASP
(see in particular the last section of the document - this is where the
NetBIOS helper service comes in.)
More on the TDI in Win2K:
http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/Intwork/inde_nbf_seod.htm
See the last bullet in this article, as well:
http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/CNET/cnad_arc_khqp.htm
As I've often said, Windows 2000 would be a lot cleaner if it weren't for
that dratted backward compatibility. ;-)
Laura
----- Original Message -----
From: "Jean-Pierre Harvey" <jean-pierre.harvey@edivision.com.au>
To: "'Adcock, Matt'" <Matthew.Adcock@GSCCCA.ORG>; "'Laura A. Robinson'" <larobins@bellatlantic.net>; "'Stadler, Brian T'" <bstadler@ukans.edu>; <flynngn@jmu.edu>
Cc: "Focus on Microsoft Mailing List" <FOCUS-MS@SECURITYFOCUS.COM>; <bugtraq@SECURITYFOCUS.COM>
Sent: Wednesday, August 15, 2001 8:59 PM
Subject: RE: MS patch-scanner for Win-NT, 2K, IIS, SQL
> All,
>
> Microsoft do not recommend implementing Win2K without NetBIOS. AD does
> require NetBIOS features to function correctly:
>
> When you are running AD, you can successfully disable NetBIOS from the WINS
> tab of the TCP/IP properties without breaking anything as long as you have a
> fairly vanilla implementation. Just don't try disabling the TCP/IP Netbios
> Helper Service, then things will start to break. Of course, this means that
> if an anonymous user has an IP address he/she can still enumerate shares,
> users etc by default. Yes, even if it is disabled in the TCP/IP properties
> of network adapter.
>
> Setting the security policy for anonymous users to "no access without
> explicit anonymous permissions" will give an access denied error when
> attempting to connect using a null session.
>
> Does anyone else find this whole situation a bit strange? Surely if you
> disable NetBIOS over TCP/IP one would expect not to have NetBIOS running
> over TCP/IP.... this does not appear to be the case, since the "helper
> service" still (pretends to?) use NetBIOS over TCP/IP, or at least retains
> the classic default insecure NetBIOS features allowing anonymous
> enumeration.
>
> JP
>
> -----Original Message-----
> From: Adcock, Matt [mailto:Matthew.Adcock@GSCCCA.ORG]
> Sent: Thursday, August 16, 2001 8:13 AM
>
> Sorry, but logons don't require NetBIOS in Win2K. As I stated before, the
> directory and OS don't need it at all in a pure 2K environment. Win2K
> DNS/LDAP can completely replace WINS in a pure environment. WINS was a
> failed implementation of internal DNS, and MS has gone back to a more pure
> directory services implementation with Win2K DNS/LDAP. From
> http://support.microsoft.com/support/kb/articles/Q299/9/77.ASP:
>
> <quote>
> Windows 2000 uses NetBIOS over TCP/IP to communicate with prior versions of
> Windows NT and other clients, such as Microsoft Windows 95. Careful testing
> should be done before disabling NetBIOS over TCP/IP in any production
> environment. Programs and services that depend on NetBIOS no longer function
> after you disable NetBT services, so it is important that you verify that
> your clients and programs no longer need NetBIOS support before you disable
> it.
> </quote>
>
> I did not mean to imply that it's necessarily a good idea to remove it
> completely. See
>
> http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/WINDOWS2000/en/server/help/sag_WINS_und_NetbiosConceptsNode.htm
> for a discussion of where disabling NetBIOS is appropriate and how it
> affects Win2K machines.
>
> You're right about the apps, but as far as the OS is concerned, NetBIOS is
> just for backwards compatibility and completely unnecessary.
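The three settings the quoted messages argue about (the per-adapter "Disable NetBIOS over TCP/IP" option on the WINS tab, the TCP/IP NetBIOS Helper service, and the anonymous-connection policy) can be audited from an administrator shell before deciding what to change. This is an added example, not code from the thread or from Microsoft; it assumes a current Windows host with PowerShell, where these registry values keep the names they had in Windows 2000, and it only reports, changing nothing.

```powershell
# Added example (not from the thread): report the NetBIOS-related settings
# discussed above. Assumes a current Windows version with PowerShell 5+;
# the registry value names below date back to Windows 2000.

# 1. Per-adapter NetBIOS over TCP/IP setting (the WINS tab option).
#    NetbiosOptions: 0 = use DHCP/default, 1 = enabled, 2 = disabled.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem $ifRoot | ForEach-Object {
    $opt = (Get-ItemProperty $_.PSPath).NetbiosOptions
    [pscustomobject]@{ Interface = $_.PSChildName; NetbiosOptions = $opt }
} | Format-Table -AutoSize

# 2. TCP/IP NetBIOS Helper service (service name "lmhosts"). JP's message
#    says stopping it breaks things, so this only shows its state.
Get-Service -Name lmhosts | Select-Object Name, Status, StartType

# 3. Null-session restrictions. RestrictAnonymous = 2 is the Windows 2000
#    policy "No access without explicit anonymous permissions" that JP
#    describes as returning access denied to null sessions.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
[pscustomobject]@{
    RestrictAnonymous    = $lsa.RestrictAnonymous
    RestrictAnonymousSAM = $lsa.RestrictAnonymousSAM  # added in later versions; may be absent
}
```

An adapter showing NetbiosOptions = 2 while lmhosts is still running is exactly the configuration JP describes: NetBIOS disabled on the interface, helper service left alone.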