
Client for Microsoft Networks sends out NetBIOS name-resolution broadcast requests to locate computers and share names on your LAN (i.e., the names that appear in the My Network Places browse list). These unsolicited broadcasts announce your system and its internal resources and draw unnecessary attention to your Internet connection. Because NetBIOS name resolution is proprietary to Microsoft, few Internet-connected systems require this function. You can stop a system from broadcasting NetBIOS name-resolution requests on the Internet by unbinding the Client for Microsoft Networks on the network adapter connected to the Internet.

File and Printer Sharing for Microsoft Networks is the counterpart to Client for Microsoft Networks. This component publishes NetBIOS names for local shares and, more important, manages incoming connections to local shares. Regardless of whether your machine has shares, you certainly don't want to publish their NetBIOS names on the Internet. Likewise, you probably don't want unknown Internet systems connecting to your private shares. You can stop a system from publishing NetBIOS names and you can disable incoming connections to NetBIOS resources by unbinding File and Printer Sharing on the network adapter connected to the Internet.

Unbinding both components effectively closes several NetBIOS ports (ports 137, 138, and 139; 139 is the most well known) that are a standard target for intruders. To disable these components and eliminate NetBT traffic, open Network and Dial-up Connections (click Start, Programs, Accessories, Communications, Network and Dial-up Connections). Choose Advanced Settings from the Advanced menu to bring up the dialog box you see in Figure 3. Click the network adapter for your Internet connection (e.g., the WAN adapter in Figure 3), and clear the check boxes of both components. The changes apply immediately, without a reboot.

In a pure Win2K environment, DNS replaces proprietary NetBIOS name resolution, and Win2K systems don't need these components to successfully browse a network and connect to shares. When you disable these components, you stop announcing your Internet presence with NetBIOS broadcasts, disable incoming NetBIOS connections, and, as a side benefit, also eliminate a great deal of unnecessary network traffic. If your SOHO consists of Win2K systems and you're running Win2K DNS, you can safely disable these components on all your systems to eliminate NetBIOS vulnerabilities.

Reducing Win2K Service Exposure
Win2K installs many services that support local and network communication. You can view all the services Win2K loads and starts automatically by running the Administrative Tools Services applet. Because running services listen for and respond to incoming requests, typically on a specific port, they're a common target of attacks.

For example, when you install any Win2K platform, the OS by default installs and starts the Telnet service. Telnet listens for incoming requests and responds with a command prompt to each incoming connection. When Telnet responds to an incoming request, it confirms that your system supports remote command-line activity. Intruders who detect this service on your system know that it is listening and will accept any connection that supplies a valid username and password. If you forget to rename the Administrator and Guest accounts and permit blank passwords (the system default), you give a potential intruder an easy way to log on and access your system. When you disable Telnet, you disable the listening port and guarantee that the service won't respond to incoming connection requests.

The Indexing, IIS, FTP Publishing, and Remote Registry services present similar opportunities for unsolicited remote connections. If your system doesn't host a Web site, you can safely disable the IIS and the FTP Publishing services, and if you're not publishing thousands of documents, you can disable the Indexing service, too. Randy Franklin Smith's "Dangerous Services" series of articles (which "Related Articles" references) explains the type of exposure each service presents. You might end up disabling many services to tighten up the security on your system.

Disabling a Win2K service requires two steps. First, you stop the service if it's running; then you set the startup type to Manual or to Disabled. Start the Administrative Tools Services applet to display all the services Win2K installs. Each service and its status appear in the right pane, as Figure 4 shows. To stop a running service, right-click it, then click Stop. This stops the service, but only until the next reboot. During system restart, Win2K automatically starts each service that has a startup type of Automatic. To permanently disable a service, you need to change its startup type. To change a service's startup type, double-click the service to bring up its Properties dialog box, which Figure 5 shows. You can change the startup type from Automatic to Manual or Disabled by choosing an option from the Startup type drop-down list. When you set the startup type to Manual, you can start the service by right-clicking it. When you set the startup type to Disabled, Win2K disables the Start, Stop, and Restart options, which means that the service can't run until you change its status back to Manual or Automatic. Repeat this procedure for each service you want to disable.
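As an added check (example code, not from the original article), the Python routine below parses Win2K `netstat -an` output and reports which of the ports named in this section and in the NetBIOS section above are still open, so you can confirm that unbinding the components on the Internet adapter and disabling the services actually took effect. The port-to-component mapping, the sample netstat rows, and the adapter addresses (192.168.1.10 for the LAN, 203.0.113.5 for the Internet side) are assumptions constructed for the example.

```python
import re

# Ports the article tells you to close, and the component each one belongs to
# (TCP 139 is the one most often probed; 137 and 138 are the UDP NetBIOS ports).
WATCHED_PORTS = {
    ("UDP", 137): "NetBIOS name service (Client for Microsoft Networks)",
    ("UDP", 138): "NetBIOS datagram service (Client for Microsoft Networks)",
    ("TCP", 139): "NetBIOS session service (File and Printer Sharing)",
    ("TCP", 23): "Telnet service",
    ("TCP", 21): "FTP Publishing service",
    ("TCP", 80): "IIS World Wide Web Publishing service",
}

# One "netstat -an" row: proto, local addr:port, foreign addr, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def find_exposed_listeners(netstat_output, internet_ip=None):
    """Return (proto, local_ip, port, component) for each watched port still
    open: TCP only in LISTENING state, UDP always (it has no state).  With
    internet_ip set, report only sockets bound to that address or to 0.0.0.0,
    since the article unbinds the NetBIOS components on the Internet adapter only."""
    exposed = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local_ip, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if proto == "TCP" and state != "LISTENING":
            continue
        if internet_ip and local_ip not in (internet_ip, "0.0.0.0"):
            continue
        component = WATCHED_PORTS.get((proto, port))
        if component:
            exposed.append((proto, local_ip, port, component))
    return exposed

# Constructed sample of Win2K "netstat -an" output (not captured from a real
# host): NetBIOS is still bound on the LAN adapter (192.168.1.10) but no longer
# on the Internet adapter (203.0.113.5), and Telnet still listens everywhere.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1044      192.168.1.20:139       ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""
if __name__ == "__main__":  # usage: list what is still reachable on the Internet side
    print(find_exposed_listeners(SAMPLE_NETSTAT, internet_ip="203.0.113.5"))
```

On a live system, paste the real `netstat -an` output in place of the sample; a socket bound to 0.0.0.0 is reachable on every adapter, so it shows up regardless of which adapter you unbound.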
