Disable NetBIOS and SMB to protect public Web servers
As the connection between your internal network and the rest of the world, public Web servers always deserve an extra measure of protection. Find out one way to lock down these servers.
Serving data to users outside of an internal network, public Web servers are typically the first point of contact for an external attack. In addition, internal networking ports are the most revealing and most often attacked ports on a server. That’s why you need to make sure you’ve disabled the services that are specifically for intranets.
The two biggest culprits that you need to worry about are the Server Message Block (SMB) protocol and NetBIOS over TCP/IP. Both services can reveal a wealth of security information and are reoccurring vectors for hacks and attacks. They’re unnecessary for the operation of a public Web server, and you should take steps to shut down both services on these servers.
Disable NetBIOS
NetBIOS was once a useful protocol developed for nonroutable LANs. In this case, it acts as a session-layer protocol transported over TCP/IP to provide name resolution to a computer and shared folders. NetBIOS uses these ports:
- UDP 137: NetBIOS name service
- UDP 138: NetBIOS datagram service
- TCP 139: NetBIOS session service
Since external users — or hackers — don’t need access to shared internal folders, you should turn off this protocol. To disable NetBIOS over TCP/IP, follow these steps:
- Got to Start | Control Panel, and double-click the System applet.
- On the Hardware tab, click the Device Manager button.
- Select Show Hidden Devices from the View menu.
- Expand Non-Plug And Play Drivers.
- Right-click NetBios Over Tcpip, and select Disable.
- Close all dialog boxes and applets.
This disables the Nbt.sys driver, which stops NetBIOS from listening to or initiating sessions over TCP 139. While SMB normally uses this port for communication, it will now switch to TCP 445 — also known as the Common Internet File System (CIFS) port. That’s why you need to disable SMB next.
Uninstall SMB
SMB uses TCP 139 or TCP 445 — depending on which port is available. There’s one way to disable SMB on a non-domain controller. However, I recommend completely uninstalling this service to prevent some well-meaning individual (or program) from re-enabling the service.
To uninstall SMB, follow these steps:
- Go to Start | Control Panel, and double-click the Network Connections applet.
- Right-click Local Area Connection (i.e., the Internet-facing connection), and select Properties.
- Select Client For Microsoft Networks, and click the Uninstall button.
- After the uninstall finishes, select File And Printer Sharing For Microsoft Networks, and click the Uninstall button.
- Close all dialog boxes and applets.
Understand the ramifications
You’ve now disabled both SMB and NetBIOS. If an attacker manages to compromise your Web server, he or she won’t be able to use NetBIOS or SMB to further explore and exploit your network.
Of course, security measures are often a balancing act of functionality and security. In this case, disabling these services takes away your ability to remotely manage Web servers through Active Directory’s Computer Management console. However, you can still connect to and manage these servers through the Remote Desktop Client.
Final thoughts
While it’s a common practice to block these ports at security boundaries, nothing beats disabling them on the machines themselves. Remember, as the connection between your internal network and the rest of the world, Web servers always deserve an extra measure of protection.