Announcement

Collapse
No announcement yet.

NetBIOS - How to Disable logins

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • NetBIOS - How to Disable logins

    Hiya,

    I'm looking for a way to disable logins/sessions over NetBIOS without actually disabling the entire service?

    I've seen this done but can't remember the method

    Thanks in advance,

  • #2
    Re: NetBIOS - How to Disable logins

    Hi,

    Here is an article from the petri site: http://www.petri.com/disable_netbios_in_w2k_xp_2003.htm
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR

    Comment


    • #3
      Re: NetBIOS - How to Disable logins

      Hey,

      I did have a read of that. I'm not actually looking to disable NetBIOS entirely. Just want to prevent the use of psexec etc.

      Thought that would be possible without killing the service totally?

      Comment


      • #4
        Re: NetBIOS - How to Disable logins

        What makes you think that even disabling Netbios you can't run Psexec?
        You would be better trying to prevent Psexec.exe from running either via you AV IDS/IPS rules or look at the Software restriction policy settings?
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR

        Comment


        • #5
          Re: NetBIOS - How to Disable logins

          psexec needs NetBIOS to work, it runs over 445.

          I think I've found a solution, just testing and will post back.

          Comment


          • #6
            Re: NetBIOS - How to Disable logins

            Interesting...
            445 is actually used by SMB over TCP/IP
            Caesar's cipher - 3

            ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

            SFX JNRS FC U6 MNGR

            Comment


            • #7
              Re: NetBIOS - How to Disable logins

              Got it after some Google-Fu, basically admin$ etc needs to be canned (although maybe other ways exist??)

              To do this you need to tweak the reg:
              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\LanManServer\Parameters
              Add a DWORD called AutoShareWks, value 0. Reboot required.

              Would be interested in other methods though

              Comment


              • #8
                Re: NetBIOS - How to Disable logins

                FYI: I just use the term NetBIOS to refer to ports 135,139,445 etc.

                Obviously need to be more precise

                Comment


                • #9
                  Re: NetBIOS - How to Disable logins

                  Originally posted by kay-vee-m View Post
                  Got it after some Google-Fu, basically admin$ etc needs to be canned (although maybe other ways exist??)

                  To do this you need to tweak the reg:
                  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\LanManServer\Parameters
                  Add a DWORD called AutoShareWks, value 0. Reboot required.

                  Would be interested in other methods though …
                  So basicaly what you are doing KVM is disabling the Administrative shares just for the sake of psexec?
                  Psexec does indeed use the Admin$ share to copy an executable accross (psexecsvc.exe iirc).
                  Althought I agree that the administrative shares are a security pain in the back side, they are also quite useful so my approach to this would be slightly different.
                  I would instead use a hash rule for psexec and psexecsvc in a software restriction policy.
                  Caesar's cipher - 3

                  ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                  SFX JNRS FC U6 MNGR

                  Comment


                  • #10
                    Re: NetBIOS - How to Disable logins

                    I'm not a massive fan of black lists. Other tools like metasploit/nessus etc also have the functionality to login. Not to mention worms such as c'ficker spreading. So if there is a more lightwight method of stopping remote login over smb without restricting admin$ I would be quite interested.

                    Comment


                    • #11
                      Re: NetBIOS - How to Disable logins

                      Originally posted by kay-vee-m View Post
                      I'm not a massive fan of black lists. Other tools like metasploit/nessus etc also have the functionality to login. Not to mention worms such as c'ficker spreading. So if there is a more lightwight method of stopping remote login over smb without restricting admin$ I would be quite interested.
                      I think you are approaching this the wrong way. Blacklisting might not be your favorite protection method but it's IMO the only viable option currently in the context of defence in depth. Theoreticaly total isolation and whitelisting is the most efficent way of protecting your system but they are not practical nor functional.
                      Here is what can happen if the administrative shares are disabled: http://support.microsoft.com/kb/842715
                      Caesar's cipher - 3

                      ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                      SFX JNRS FC U6 MNGR

                      Comment


                      • #12
                        Re: NetBIOS - How to Disable logins

                        My question is why is so much effort seemingly being expended here? Has someone tried to use psexec and now you're trying implement protection to prevent it from happening again? Are you trying to protect your systems from all potential risks?

                        I look at it from a perspective of possibility and probability.

                        Is it possible that someone will attack a system via psexec?: Yes, it's possible.

                        Is it probable that someone will attack a system via psexec?: No, it's not probable.

                        I take all reasonable and recommended security precautions but I'm not running a government network where the nuclear codes are stored so I don't need to implement that level of security.

                        I don't need to buy hurricane insurance if I live in Nebraska.

                        Comment


                        • #13
                          Re: NetBIOS - How to Disable logins

                          Cheers for that link, good to know some of the side effects. When I find out how this organisation does restrict access I will post the details. Its a very large network so will be interesting to see how they've gone about it.

                          Comment


                          • #14
                            Re: NetBIOS - How to Disable logins

                            what about the Policy:

                            "Access this computer from the network"

                            Under 'User Rights Assignment'?

                            Looks promising...

                            Comment

                            Working...
                            X