The Windows server service, while indispensable on a file, print or application server, can create quite a headache when administering Windows workstations. Since the service advertises on well-known NetBIOS ports, it is a common attack vector for hackers attempting to gain access to the computers on your network.
There are a number of ways to block this avenue of attack, including implementing a central firewall or disabling the server service outright. On a Windows 2000 or XP Professional workstation, you can also create an IPsec filtering policy to stop NetBIOS traffic dead in its tracks. Follow the steps below to create an IPsec policy for an individual workstation or a central policy for an entire Active Directory domain or organizational unit.
Step 1: If you're working as part of a domain where you aren't the only administrator on staff, consult the necessary person or persons before changing any settings on a production machine. If someone has already set up group policies at the site, domain or organizational unit level, conflicting settings could spell trouble for your workstation -- causing anything from a minor annoyance to a complete inability to communicate on your network.
Step 2: Open the local computer policy by clicking on Start -> Run, then typing "gpedit.msc."
Step 3: Click on Computer Configuration -> Windows Settings -> Security Settings. Right-click on IP Security Policies on Local Computer and select "Create IP Security Policy."
Step 4: Click "Next" to bypass the initial welcome screen. Enter a name for the IPsec policy and click "Next" again.
Step 5: Remove the check mark next to "Activate the default response rule" and click "Next."
Step 6: Click "Add" to create a new security rule. A security rule consists of two key components: an IP filter list that tells Windows what sort of traffic to look for and a filter action that tells Windows what to do once it has found something.
Step 7: Create two IP filters. Both will filter traffic with a source IP address of "Any IP Address" and a destination of "My IP Address." IP filters monitor traffic according to a source and/or destination IP address, as well as source/destination port numbers. (An IP filter can only handle one type of traffic at a time, which is why security rules rely on filter lists.) One will filter traffic with a destination TCP port 139, the other will affect TCP destination port 445. This will cause the IP security rule to flag NetBIOS traffic directed against your workstation from any point of origin.
Step 8: Create a filter action to block the IP traffic affected by the IP filters created in Step 7.
Step 9: Right-click on the completed IPsec policy and click "Assign" to apply it to your local workstation.
You're done! No rebooting required. Your workstation will now reject any and all NetBIOS connection attempts. If you need to tweak the policy, you can create additional security rules to allow NetBIOS connections from administrative workstations. You can also de-assign the policy if it's not working the way you had intended.
About the author: Laura Hunter is SearchWindowsManageability.com's resident expert on management tools and solutions, storage management and network security. She has spent many years working in the trenches of network design, administration and user support, and she has earned a myriad of vendor certifications, including Microsoft Certified Systems Engineer, Certified Novell Engineer and Cisco Certified Network Associate. She is a senior systems analyst for a major American university.
FOR MORE INFORMATION