Avoiding NetBIOS attacks without limiting remote access
I just read your article
on blocking NetBIOS connections to Windows XP Pro. It seems like a good way to avoid NetBIOS attacks, but I have a couple of doubts:
If I'm going to block all NetBIOS and CIFS traffic, wouldn't it be better to remove the server service? It would be easier, and it would reduce the running processes in the workstation (no server, no filter).
If I put any of these measures in practice, I would block my ability to manage the workstation remotely, right?
Thanks in advance for your attention.
You are correct, which is why I suggested double checking with members of your administrative staff before implementing such a policy. Disabling the Server Service would also block all NetBIOS traffic, but using an IPsec policy would potentially allow you to create "exception lists" that would permit the IP addresses of your administrative workstation to manage your workstations remotely, while still denying other access.
This was first published in July 2003