Oh, I forgot to mention, Jean-Pierre, that there is a functional NetBIOS
emulator in Windows 2000, designed primarily for backward compatibility, but
there nonetheless. It's also responsible for mailslot communications, IIRC.
If you search Microsoft's site for "NetBIOS emulator", you should get plenty
of hits explaining the functionality.

Laura
----- Original Message -----
From: "Jean-Pierre Harvey" <jean-pierre.harveyedivision.com.au>
To: "'Adcock, Matt'" <Matthew.AdcockGSCCCA.ORG>; "'Laura A. Robinson'"
<larobinsbellatlantic.net>; "'Stadler, Brian T'" <bstadlerukans.edu>;
<flynngnjmu.edu>
Cc: "Focus on Microsoft Mailing List" <FOCUS-MSSECURITYFOCUS.COM>;
<bugtraqSECURITYFOCUS.COM>
Sent: Wednesday, August 15, 2001 8:59 PM
Subject: RE: MS patch-scanner for Win-NT, 2K, IIS, SQL

> All,
>
> Microsoft do not recommend implementing Win2K without NetBIOS. AD does
> require NetBIOS features to function correctly:
>
> When you are running AD, you can successfully disable NetBIOS from the
WINS
> tab of the TCP/IP properties without breaking anything as long as you have
a
> fairly vanilla implementation. Just don't try disablng the TCP/IP Netbios
> Helper Service, then things will start to break. Of course, this means
that
> if an anonymous user has an IP address he/she can still enumerate shares,
> users etc by default. Yes, even if it is disabled in the TCP/IP properties
> of network adapter.
>
> Setting the security policy for anonymous users to "no access without
> explicit anonymous permissions" will give an access denied error when
> attempting to connect using a null session.
>
> Does anyone else find this whole situation a bit strange? Surely if you
> disable NetBIOS over TCP/IP one would expect not to have NetBIOS running
> over TCP/IP.... this does not appear to be the case, since the "helper
> service" still (pretends to?) use NetBIOS over TCP/IP, or at least retains
> the classic default insecure NetBIOS features allowing anonymous
> enumeration.
>
> JP
>
> -----Original Message-----
> From: Adcock, Matt [mailto:Matthew.AdcockGSCCCA.ORG]
> Sent: Thursday, August 16, 2001 8:13 AM
>
> Sorry, but logons don't require NetBIOS in Win2K. As I stated before, the
> directory and OS don't need it at all in a pure 2K environment. Win2K
> DNS/LDAP can completely replace WINS in a pure environment. WINS was a
> failed implementation of internal DNS, and MS has gone back to a more pure
> directory services implementaion with Win2K DNS/LDAP. From
> http://support.microsoft.com/support/kb/articles/Q299/9/77.ASP:
>
> <quote>
> Windows 2000 uses NetBIOS over TCP/IP to communicate with prior versions
of
> Windows NT and other clients, such as Microsoft Windows 95. Careful
testing
> should be done before disabling NetBIOS over TCP/IP in any production
> environment. Programs and services that depend on NetBIOS no longer
function
> after you disable NetBT services, so it is important that you verify that
> your clients and programs no longer need NetBIOS support before you
disable
> it.
> </quote>
>
> I did not mean to imply that it's necessarily a good idea to remove it
> completely. See
>
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/WINDOWS
> 2000/en/server/help/sag_WINS_und_NetbiosConceptsNode.htm for a discussion
of
> where disabling NetBIOS is appropriate and how it affects Win2K machines.
>
> You're right about the apps, but as far as the OS is concerned, NetBIOS is
> just for backwards compatibility and completely unnecessary.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]