File and Printer Sharing (NetBIOS) Fact and Fiction

Part of the Navas Cable Modem/DSL Tuning Guide^TM

Copyright 1999-2017 The Navas Group^SM, All Rights Reserved.
Permission is granted to copy for private non-commercial use only.

Posted as <http://cable-dsl.navasgroup.com/netbios.htm>. 

Contents

• The Problem
• The Real Risk
• Fact (updated!)
• Fiction (Urban Myths)
• What Ports are Open
• NetBIOS Abuse by Scour (updated!)
• Increasing NetBIOS Security with Scope ID (updated!)
• Shields UP!^TM

Important Notes:

• The following material pertains primarily to consumer/SOHO Internet access. Enterprises should seriously consider strong firewall protection. (For more information, see the main Navas Cable Modem/DSL Tuning Guide^TM.)
• This information was compiled by the author and is provided as a public service. The author is not responsible for any errors or omissions, or for any consequential problems that might result. USE AT YOUR OWN RISK.
• Privacy Policy: This site makes no use of personal information; does not require registration; and does not use browser "cookies."
• The author does not have the time to give individual technical support, so please do not email requests for assistance.
• Email comments and suggestions to John Navas.

The Problem

While NetBIOS (Microsoft Networking) over TCP/IP can present a serious security risk if you are careless, hysteria related to NetBIOS over TCP/IP is unwarranted. Some Internet sites are making matters worse spreading bad advice (fiction/urban myths).

Note: For an excellent media perspective on the hysteria surrounding this issue, see the Network Magazine editorial " Accuracy in the 'Networking' Media" (January 2000).

[Jump to Contents]

The Real Risk

If you have a local area network (LAN) and you want to share file(s) and/or printer(s), or if you otherwise enable Microsoft Networking, then you may inadvertently expose "shares" (file and printer resources that have been enabled for sharing) to the Internet. This most commonly happens when "shares" are created with weak passwords (e.g., "password") or no passwords at all. When you are connected to the Internet, anyone on the Internet may then not only access but also change or destroy material on your computers. (Your risks might include other passwords, social security numbers, credit card number, bank account numbers, etc.)

[Jump to Contents]

Fact

UPDATE (10/10/2000): Microsoft Windows 95/98/Me Share Level Password Vulnerability (bugtraq 1780) makes NetBIOS (Microsoft Networking) Share Level passwords easy to defeat when Scope ID is not used (see "Increasing NetBIOS Security with Scope ID"). If NetBIOS is not disabled (see "Security on Cable Modem or DSL"), then installing the Microsoft patch is strongly recommended (even if Scope ID is used)!

NetBIOS is a real security risk if and only if all of the following conditions exist:

1. File and Printer Sharing for Microsoft Networks is installed as a network component (Network in Control Panel).
2. File and Printer Sharing for Microsoft Networks is bound to TCP/IP on an adapter used for the Internet.
3. Options for files and printers are checked (enabled) under File and Print Sharing.
4. "Share(s)" have actually been configured for file(s) and printer(s).
5. Strong passwords have not been used on file and printer "share(s)."
6. Scope ID has not been set like a strong password.

In other words, if (for example) you have not actually configured any "shares," then there is no real security risk from File and Printer Sharing for Microsoft Networks being bound to TCP/IP.

A "strong" NetBIOS password (that provides good security) is:

• at least 8 characters long;
• a mixture of alphabetic letters and numeric digits (e.g., 8jh67fg8);
• not a recognizable word or phrase;
• not something associated with you (e.g., your telephone number);
• different from your other and previous passwords; and
• still something you can remember.

If you follow the advice in the main Navas Cable Modem/DSL Tuning Guide^TM to disable File and Printer Sharing, it may still be possible for others on the Internet to "see" your computer, but all they will see are your computer and workgroup names (and your computer description), which are no real security risk (unless you are really dumb, and use things like credit card numbers). For this author, you would see "John" and "WORKGROUP" respectively, which is obviously no big deal. Nevertheless, you can conceal your computer and workgroup names by setting a strong Scope ID, or by completely disabling NetBIOS over TCP/IP.

If you need or want to run NetBIOS File and Printer Sharing over TCP/IP, a strong Scope ID is a good way to protect against outside intrusion -- see "Increasing NetBIOS Security with Scope ID".

For an excellent assessment of NetBIOS security issues, see "CIFS: Common Insecurities Fail Scrutiny", also available at <http://www.ussrback.com/docs/cifs.txt>. (For background and perspective, see White Paper 1: The Rise of the Underground Engineer at EE Times.)

If you are seriously concerned about security, then you should consider firewall protection. (For more information on firewalls, see the main Navas Cable Modem/DSL Tuning Guide^TM.)

[Jump to Contents]

Fiction (Urban Myths)

Fiction: You are automatically unsafe if File and Printer Sharing is enabled.

Fact: You are only unsafe if several other conditions are satisfied (see "Fact"); e.g., you have actually created unprotected "share(s)."

Fiction: NetBIOS passwords can and will be cracked.

Fact: You are safe if you use strong passwords (see "Fact" and Note 2 below).

Fiction: The way to protect yourself is to remove Client for Microsoft Networks.

Fact: The risk actually comes from the server component (File and Printer Sharing for Microsoft Networks), not the client component (Client for Microsoft Networks). Worse, removing the Client for Microsoft Networks may prevent you from saving passwords -- see Q137361 "Save Password Check Box Is Unavailable".

Fiction: Removing Client for Microsoft Networks improves system performance.

Fact: On a reasonably current and properly configured computer, loading Client for Microsoft Networks does not have a significant impact on performance (and is something that is easily checked if you want to be sure).

Fiction: Security is compromised by disclosure of your computer and workgroup names.

Fact: Unless your names are really dumb (e.g., your credit card numbers), there is no real problem.

Fiction: "Stealth" ports greatly improve security.

Fact: Just because a port is visible (open and "listening") does not mean that there is any real security problem. What matters is what can and cannot be done through the port.

Fiction: You are completely safe if you remove File and Printer Sharing.

Fact: There are other risks, particularly if your system has become infected with a virus or compromised by a Trojan Horse (e.g., Back Orifice). Other services may still present risks. For more information on computer security issues, see the CERT Coordination Center.

Fiction: Changing your Workgroup can keep you safe.

Fact: Your computer can still be seen easily with the necessary tools.

Fiction: Hidden shares can keep you safe.

Fact: So-called "hidden" shares (where the last character in the share name is "$"; e.g., "MYPRINTER$") are not really hidden -- they can be seen easily with the necessary tools.

[Jump to Contents]

What Ports are Open

See also "Check Your Security" in the main Navas Cable Modem/DSL Tuning Guide^TM.

A TCP or UDP "port" is a specific numeric address (in the range 0-65535) that is used for particular network connections between two computers. Certain "well-known ports" are used for popular network services like HTTP (the protocol of the World Wide Web), FTP (file transfer protocol), mail, news, etc. NetBIOS over TCP/IP uses ports 137-139.

Under Windows 95/98/NT/2000, a number of utilities are available to monitor the status of both TCP/IP and NetBIOS, including:

[Jump to Contents]

NetBIOS Abuse by Scour

Updates:

• "Scour files for bankruptcy"
• "Scour To Voluntarily Shut Down File-Sharing Exchange"
• "Son of Scour close to file-swapping beta launch" (new!)

Exposed NetBIOS shares are at risk not only from from malicious crackers, but also from supposedly legitimate entities. A particularly bad example is Scour. Without notice or authorization, Scour deliberately scans Internet addresses looking for certain types of exposed NetBIOS Shares, adding those it finds to its publicly accessible catalog. (Although Scour implies that it does so only after you "join," it also scans addresses that have not "joined.")

Scour has been known to scan from these blocks of network addresses:

• 209.249.159.0 - 209.249.159.255
• 216.52.208.0 - 216.52.208.255

You may to block access from Scour with a firewall rule (recommended). Direct complaints about Scour to:

• The abuse department of your own ISP.
  (Scour should be completely blocked to protect all subscribers.)
• Abovenet Communications (netblock 209.249.159.0 - 209.249.159.255)
• InterNAP Network Services (netblock 216.52.208.0 - 216.52.208.255)

(A polite complaint tends to get better results than a demanding one.)

[Jump to Contents]

Increasing NetBIOS Security with Scope ID

If you need or want to run NetBIOS File and Printer Sharing over TCP/IP, a strong Scope ID is a good way to protect against outside intrusion. This is because computers running NetBIOS over TCP/IP with Scope ID are invisible to other computers that do not have the same Scope ID. (Scope ID is not set by default, so normally such computers are visible to everyone.) Think of Scope ID as a kind of overall NetBIOS protection that hides the lock if you don't have the right key. Scope ID even prevents the Microsoft Windows 95/98/Me Share Level Password Vulnerability (bugtraq 1780).

Information on setting Scope ID:

• For Windows 98 as well as Windows 95, see Q138271 "Windows 95 NetBIOS Scope ID Configuration".
• For Windows NT, use Control Panel » Network » Protocols » TCP/IP Protocol » Properties » WINS Address » Scope ID.
• The guidelines for a strong password (see "Fact" above) apply equally to Scope ID!
• To avoid compatibility problems, all letters in the Scope ID should be uppercase. (See Q163112 "NetBIOS Scope ID All Uppercase in Windows NT 4.0")
• See also Q138449 "Using and Troubleshooting the TCP/IP Scope ID".

For an excellent assessment of NetBIOS security issues, and the use of Scope ID as a defense, see "CIFS: Common Insecurities Fail Scrutiny" (also available at <http://www.ussrback.com/docs/cifs.txt>) .

[Jump to Contents]

Shields UP!^TM

It is not the normal practice of this site to criticize other sites; however, Shields UP!^TM is spreading a great deal of dangerous misinformation on the risks of Microsoft Networking:

• Shields UP!^TM claims that "the best FREE thing you can do for your Internet security is to immediately remove the Client for Microsoft Networks." [bold emphasis added] As explained above, the risk is from the server component of Microsoft Networking (File and Printer Sharing for Microsoft Networks), not the client component. (See Fiction/Urban Myths)
• Shields UP!^TM can report that you are "wide OPEN" even when NetBIOS is in fact secure (i.e., no "shares"), which just spreads "Internet security hysteria." (See Note below)
• Worse, Shields UP!^TM can report that you are "exposing NO SHARES to the Internet" even when you do have "shares" exposed (e.g., when "shares" are merely "hidden" with a trailing "$"). "A FALSE sense of security is worse than being unsure."
• Shields UP!^TM suggests that password crackers (based on brute force trial and error) make password protection insecure. In fact, the most common problem is no real password protection at all. If you do use passwords and avoid easily guessed words (e.g., "password"), then it's very doubtful that anyone will invest the time and effort needed to crack your password. (See Note below)
• Shields UP!^TM claims that "personal" firewalls are the "ONLY WAY to be safe!" Although personal firewalls can provide good protection for personal Internet access, they are not as safe as separate standalone (hardware) firewalls. (For more information, see "Hardware Firewalls" in the main Navas Cable Modem/DSL Tuning Guide^TM.)
• The false claim that so-called "Evil Port Monitors" (certain unnamed security products) are "so much junk" that compromise your computer's security by "actively advertising its existence across the Internet" is simply "Internet security hysteria" promulgated by Shields UP!^TM. Port monitors don't really do that. (See Fiction/Urban Myths)
• The claim that your computer and workgroup names are in and of themselves "significant personal information" that is "highly valuable" is likewise just "Internet security hysteria" promulgated by Shields UP!^TM. (See Fiction/Urban Myths)
• Shields UP!^TM claims that Client for Microsoft Networks will "slow down" your computer. The real impact on your computer is insignificant. (See Fiction/Urban Myths)
• The strong password example at Shields UP!^TM ("4F3hw9Egh84d2") uses mixed case. While that is helpful on some other systems, NetBIOS passwords are not case sensitive, so mixing case does not increase NetBIOS password security.
• Shields UP!^TM is unable to distinguish a weak (insecure) Scope ID from a strong (secure) one -- it will indicate that you are secure either way.

For alternatives to Shields UP!^TM, see "Check Your Security" in the main Navas Cable Modem/DSL Tuning Guide^TM.

Notes:

1. You will pass Shields UP!^TM "Test My Shields" if you set a (strong) Scope ID, or if you completely disable NetBIOS over TCP/IP.
2. Even assuming 100 trials per second, and that an attacker would know what kind of attack to use, cracking a simple two-word password (e.g., "rocktowel") with a minimal (64K) dictionary-based approach would take on the order of a year or more of continuous non-stop attack (probably much more). Long before then the attacker will almost certainly give up and move on, because there are easier and more productive fish to fry.
3. Steve Gibson (self-proclaimed security guru behind Shields UP!^TM) is also spreading a great deal of hysteria over raw socket functionality in Microsoft Windows XP. For rebuttal to this hysteria, see:
   1. "Security geek developing WinXP raw socket exploit" (The Register)
   2. "Microsoft rebuts XP Net instability claims" (The Register)
   3. "Hostile Code, not the Windows XP Socket Implementation, is the Real Security Threat" (Microsoft)
   4. "Steve Gibson really is off his rocker" (The Register)
   5. "Code Red Tribulation is nigh, Steve Gibson warns" (The Register)
   6. "To put it simply: 'no'" (Vmyths.com)
   7. See also:
      1. "Unmasking Steve Gibson" (radsoft.net)
      2. The Steve Gibson Saga (Vmyths.com)
4. Shields UP!^TM is not the only case of hysteria from Steve Gibson. He got his start by promulgating the myth that "hard disks die" due to degradation of magnetic patterns. He profited from the myth by selling SpinRite, a program claimed to fix the alleged problem. (more details)

("Shields UP!" is a claimed trademark of Gibson Research Corporation.)

[Jump to Contents]

[The Navas Group home page]

Trademarks belong to their respective owners.