Re: NT security et al (Dangers of NetBIOS/NBT?)

[nal () spirit com au (Nick and Debbie Leask)]

I've read fairly similar sentiments about having NetBIOS or NBT floating around on our internet/firewall subnets, but 
I've not heard anyone discussing exactly what the dangers of this are.  There are obvious 'pain's in the butt' when 
this is happening (such as lots of unnecessary deny messages logged against firewall bastion or router logs), but 
that's about all...  Can some one expand in detail what the known or perceived dangers of NetBIOS or NBT are?

What I have done so far (due to this fear of NetBIOS/NBT) is disable all NetBIOS/NBT portions of NT, unbind them from 
the NIC and delete the related .EXE's and .DLL's.  This solves the problem period.  The only downside is that you can't 
have servers in this state participating in a domain, but that just offers further possible dangers anyway...

Any insight into this would be much appreciated.

Cheers


Nick Leask

----------
From:  *Hobbit*[SMTP:hobbit () avian org]
Sent:  Thursday, September 26, 1996 3:07 AM
To:  Multiple recipients of list BUGTRAQ
Subject:  NT security et al

I've been screwing around some with netbios in general, and being more or
less horrified [but not surprised, this is microsnot after all].  I've
learned that one hack you can do in the absence of any other overall
defenses is to use a non-null SCOPE ID.  They don't recommend it but that's
probably just because of the potential administrative headaches in manually
changing the scope on every machine in a facility.

The scope ID would be sort of a "global password" to your netbios service,
sort of the same way as YP domains, so it needs to be nonobvious and kept
within your walls.  Better than nothing, though...  Unfortunately the right
place to set it seems to be buried under obscure and ill-named menu items
that vary from platform, so you'll have to hunt around.

_H*