Topic: TCP/IP NetBIOS Helper (Read 1533 times)

Black Viper · « **on:** March 13, 2008, 01:38:09 pm »

Discussion of the TCP/IP NetBIOS Helper Service located in Windows Vista SP1.

TCP/IP NetBIOS Helper
Service Information: http://www.blackviper.com/WinVista/Services/TCP_IP_NetBIOS_Helper.htm

TekMason · « **Reply #1 on:** October 25, 2008, 06:28:03 pm »

I think I have discovered an error with the information on the TCP/IP NetBIOS Helper service. It is an easy mistake to make however as the description of the service itself is misleading, Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.

If you are not using WINS (NetBIOS) for name resolution you can not access a server share by UNC name with this service disabled!
i.e. \\server1\share will not work.
Packet traces indicate that windows will resolve the name with DNS, then completely skips SMB to connect and moves on to http:\\servername\share (WebDav I presume). I have confirmed this on WinXP SP2 and SP3.

TekMason

couttsj · « **Reply #2 on:** October 25, 2008, 08:40:11 pm »

I am not sure I understand what you are trying to say. The description says "Enables support for NetBIOS name resolution", and it is for this reason that I have always found it necessary to run this service on both XP and Vista. Without it, I cannot find the other machines on the network.

J.A. Coutts

TekMason · « **Reply #3 on:** October 25, 2008, 09:07:21 pm »

Windows 2000 and later AD Domain based networks do not net to use WINS or NetBIOS for name resolution. They can rely soley on DNS for all server/network name resolution. This is a best practice for security and efficiency. NetBIOS and WINS are really nasty protocols/services that reveal a lot of information about your network and they also offer crackers a multitude of attack vectors.

Point is...
The name of this service and the description that MS provides might lead one to believe that it is useful only for NetBIOS and they can disable the TCP/IP NetBIOS Helper service in a AD Domain using only DNS.

TekMason

TekMason · « **Reply #4 on:** October 25, 2008, 09:15:09 pm »

Sorry I can't figure out how to edit my posts. I should have said...

Disabling NetBIOS (thus WINS) is a best practice for security and efficiency.

couttsj · « **Reply #5 on:** October 26, 2008, 07:49:03 am »

Quote from: TekMason on October 25, 2008, 09:07:21 pm

Windows 2000 and later AD Domain based networks do not net to use WINS or NetBIOS for name resolution. They can rely soley on DNS for all server/network name resolution. This is a best practice for security and efficiency. NetBIOS and WINS are really nasty protocols/services that reveal a lot of information about your network and they also offer crackers a multitude of attack vectors.

Point is...
The name of this service and the description that MS provides might lead one to believe that it is useful only for NetBIOS and they can disable the TCP/IP NetBIOS Helper service in a AD Domain using only DNS.

TekMason

I guess we will have to agree to disagree. Active Directory is the service that I have always found to be a real pain in the butt. I agree that NetBios does pose a security risk, but my solution has always been to block ports 137/138/139 at the network perimeter. Port 445 should also be blocked at the perimeter. Both 139 & 445 have been used as attack vectors in the past, and are being used again in this latest Microsoft fiasco.

J.A. Coutts

TekMason · « **Reply #6 on:** October 26, 2008, 07:11:31 pm »

I don't think we are in disagreement JA.

Every one of the ports you mentioned should definitely be blocked at the firewall.
In addition the server service should be disabled on all computers that are not truly servers.

TekMason

Quote from: couttsj on October 26, 2008, 07:49:03 am

I guess we will have to agree to disagree. Active Directory is the service that I have always found to be a real pain in the butt. I agree that NetBios does pose a security risk, but my solution has always been to block ports 137/138/139 at the network perimeter. Port 445 should also be blocked at the perimeter. Both 139 & 445 have been used as attack vectors in the past, and are being used again in this latest Microsoft fiasco.

J.A. Coutts

couttsj · « **Reply #7 on:** October 26, 2008, 07:30:24 pm »

Quote from: TekMason on October 26, 2008, 07:11:31 pm

I don't think we are in disagreement JA.

Every one of the ports you mentioned should definitely be blocked at the firewall.
In addition the server service should be disabled on all computers that are not truly servers.

TekMason

2/3 of my customers share files on a small network without a server. They would be lost without the Server service. I don't know if any of them use a domain controller of whatever variety.

J.A. Coutts

TekMason · « **Reply #8 on:** October 27, 2008, 09:49:22 pm »

Hi JA,
In those situations on small networks each PC is a server and you must run the Server and Computer Browser services with NetBIOS and WINS running in the background.
TekMason

Black Viper's BBS

Author Topic: TCP/IP NetBIOS Helper (Read 1533 times)

Black Viper

TCP/IP NetBIOS Helper

TekMason

Re: TCP/IP NetBIOS Helper

couttsj

Re: TCP/IP NetBIOS Helper

TekMason

Re: TCP/IP NetBIOS Helper

TekMason

Re: TCP/IP NetBIOS Helper

couttsj

Re: TCP/IP NetBIOS Helper

TekMason

Re: TCP/IP NetBIOS Helper

couttsj

Re: TCP/IP NetBIOS Helper

TekMason

Re: TCP/IP NetBIOS Helper