CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Rules permitting Netbios/Microsoft-DS

  1. #1
    Join Date
    2005-12-13
    Posts
    10
    Rep Power
    0

    Default Rules permitting Netbios/Microsoft-DS

    I'm not sure if this is the right forum for this question, but here goes...

    Lately, we seem to be getting more requests to open the Netbios and Directory Services ports (TCP 137-139 & 445). That's always been a risky thing to do, in my opinion, even if the traffic is sourced from our own DMZ or from a trusted partner.

    Is there a general "best practice" thought that it's less risky to do so these days or am I just running into more & more uneducated individuals?

  2. #2
    Join Date
    2009-04-14
    Location
    Ohio
    Posts
    405
    Rep Power
    11

    Default Re: Rules permitting Netbios/Microsoft-DS

    For drive sharing, anything for Windows 2000 and newer only needs tcp/445. The other NetBIOS ones can be blocked.

  3. #3
    Join Date
    2005-12-13
    Posts
    10
    Rep Power
    0

    Default Re: Rules permitting Netbios/Microsoft-DS

    Quote Originally Posted by bmolnar
    For drive sharing, anything for Windows 2000 and newer only needs tcp/445. The other NetBIOS ones can be blocked.
    Thanks, but I guess my question is *should* that be permitted without any additional security risk?

    We can lock it down so that it's only being requested from a specific IP and our anti-spoofing policy would only allow that source IP from the specified interface, but I'm still leery of doing this.

  4. #4
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    16

    Default Re: Rules permitting Netbios/Microsoft-DS

    You're right to be concerned, as those services have had a shocking track record. Even as recently as a couple of years ago, you could BSOD a Windows 2008 Server with a single packet sent to tcp/445.

    But it's all about managing risk, and helping people to get their business processes working. You need to understand what they're trying to do. Do they need full Windows filesharing, or is there some other protocol they could use to upload/download files? But then what is the risk associated with those other protocols?

    Some things you can do, if you have to allow file sharing:
    * CIFS only, no NBT.
    * Obviously restrict the sources
    * Look at some IPS protections
    * Ensure your servers are patched (but you're doing that anyway, right?)
    * Check the permissions on the file shares being used. Make sure they aren't writable by Everyone, but have access restricted to only those groups that need them. Publicly writable shares are an easy way of spreading Conficker-type malware.
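    The advice in the two replies above (tcp/445 only for Windows 2000 and newer, no NBT, restrict the sources, pin the destination to the file server) can be turned into a repeatable rulebase check. The following is an added example, not code from the original posts or from any Check Point tool; the rule format, rule names and host names are constructed for illustration, and a real rulebase would first have to be exported and mapped into the Rule structure.

```python
"""Audit a firewall rulebase for NetBIOS/SMB exposure (constructed example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Legacy NetBIOS-over-TCP/IP services that Windows 2000+ file sharing does not need.
NBT_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139)}
# Direct-hosted SMB (microsoft-ds), the only port needed for modern drive sharing.
CIFS_PORT = ("tcp", 445)


@dataclass
class Rule:
    name: str
    sources: List[str]               # host/network object names; "Any" means unrestricted
    destinations: List[str]
    services: List[Tuple[str, int]]  # (protocol, port) pairs
    action: str                      # "accept" or "drop"


@dataclass
class Finding:
    rule: str
    severity: str
    message: str


def audit_rule(rule: Rule) -> List[Finding]:
    """Return the findings for one rule; only accept rules can expose anything."""
    findings: List[Finding] = []
    if rule.action.lower() != "accept":
        return findings
    services = set(rule.services)
    nbt = services & NBT_PORTS
    if nbt:
        ports = ", ".join(f"{proto}/{port}" for proto, port in sorted(nbt))
        findings.append(Finding(rule.name, "high",
            f"legacy NetBIOS service(s) {ports} permitted; Windows 2000+ "
            "file sharing needs only tcp/445"))
    if CIFS_PORT in services or nbt:
        if "Any" in rule.sources:
            findings.append(Finding(rule.name, "high",
                "SMB/NetBIOS reachable from Any source; restrict to specific hosts"))
        if "Any" in rule.destinations:
            findings.append(Finding(rule.name, "medium",
                "SMB/NetBIOS allowed to Any destination; restrict to the file server(s)"))
    return findings


def audit(rules: List[Rule]) -> List[Finding]:
    """Audit a whole rulebase in order; rule order is preserved in the output."""
    return [f for rule in rules for f in audit_rule(rule)]


# Constructed sample rulebase (names and objects are hypothetical).
SAMPLE_RULES = [
    Rule("partner-fileshare", ["partner-host-10.1.2.3"], ["fileserver-01"],
         [CIFS_PORT], "accept"),                                   # clean
    Rule("legacy-nbt", ["dmz-net"], ["fileserver-01"],
         [("udp", 137), ("udp", 138), ("tcp", 139), CIFS_PORT], "accept"),  # NBT not needed
    Rule("open-smb", ["Any"], ["Any"], [CIFS_PORT], "accept"),    # far too broad
    Rule("drop-nbt", ["Any"], ["Any"],
         [("udp", 137), ("udp", 138), ("tcp", 139)], "drop"),      # a drop rule is fine
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(f"[{finding.severity}] {finding.rule}: {finding.message}")
```

Run stand-alone it prints three findings: the NBT services on "legacy-nbt", and the Any source and Any destination on "open-smb". The patching and share-permission items in the list above are host-side controls and are deliberately out of scope for a rulebase check.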

  5. #5
    Join Date
    2005-12-13
    Posts
    10
    Rep Power
    0

    Default Re: Rules permitting Netbios/Microsoft-DS

    Quote Originally Posted by northlandboy
    You're right to be concerned, as those services have had a shocking track record. Even as recently as a couple of years ago, you could BSOD a Windows 2008 Server with a single packet sent to tcp/445.

    But it's all about managing risk, and helping people to get their business processes working. You need to understand what they're trying to do. Do they need full Windows filesharing, or is there some other protocol they could use to upload/download files? But then what is the risk associated with those other protocols?

    Some things you can do, if you have to allow file sharing:
    * CIFS only, no NBT.
    * Obviously restrict the sources
    * Look at some IPS protections
    * Ensure your servers are patched (but you're doing that anyway, right?)
    * Check the permissions on the file shares being used. Make sure they aren't writable by Everyone, but have access restricted to only those groups that need them. Publicly writable shares are an easy way of spreading Conficker-type malware.
    The servers are not my responsibility, but I do know that they are on a regular patching schedule and the Windows admins are pretty strict about permissions. We have an IDS infrastructure in place, not an IPS - though I think that's actually being considered.

    Thanks for the info. I do realize that there are measures to assist in the security if we open this traffic, but I wanted to see if there was a general feeling that firewall/security administrators were more comfortable with letting this through. Unfortunately, I see the upper mgmt in my organization being less restrictive by allowing users more flexibility. It's my job to see that the integrity of the network is maintained.

  6. #6
    Join Date
    2010-09-02
    Posts
    117
    Rep Power
    10

    Default Re: Rules permitting Netbios/Microsoft-DS

    There are some risks associated with these vulnerable ports, and they can be misused, as your firewalls don't help within VLANs unless you have a personal firewall installed on the host machines or servers. Security comes first; if you follow any security hardening document, you will also find that these should be blocked. Alternate measures can be applied.

    I suggest you block NBT; it's vulnerable.

  7. #7
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    15

    Default Re: Rules permitting Netbios/Microsoft-DS

    Quote Originally Posted by aweise
    ... even if the traffic is sourced from our own DMZ or from a trusted partner.
    Ain't no such thing as a trusted partner since you really have no idea what they are doing at any given time. See http://www.securityfocus.com/news/6767

    "The Slammer worm entered the Davis-Besse plant through a circuitous route. It began by penetrating the unsecured network of an unnamed Davis-Besse contractor, then squirmed through a T1 line bridging that network and Davis-Besse's corporate network. The T1 line, investigators later found, was one of multiple ingresses into Davis-Besse's business network that completely bypassed the plant's firewall, which was programmed to block the port Slammer used to spread."

    I suspect even if they had a firewall in there it would have been a mess.

    So these folks are connecting to your file servers? If so, one of the biggest risks with NetBIOS is that the password mechanism is weak. So people on your end could decrypt their passwords easily. How are you setting up their accounts on your servers? <rhetorical question>.

    If you're connecting to their file servers, likewise.

    Ray
