File and Printer Sharing (NetBIOS) Fact and Fiction

Part of the Navas Cable Modem/DSL Tuning GuideTM

Copyright 1999-2012 The Navas GroupSM, All Rights Reserved.
Permission is granted to copy for private non-commercial use only.

Posted as <http://cable-dsl.navasgroup.com/netbios.htm>. 

Contents

Important Notes:


The Problem

While NetBIOS (Microsoft Networking) over TCP/IP can present a serious security risk if you are careless, hysteria related to NetBIOS over TCP/IP is unwarranted. Some Internet sites are making matters worse spreading bad advice (fiction/urban myths).

Note: For an excellent media perspective on the hysteria surrounding this issue, see the Network Magazine editorial " Accuracy in the 'Networking' Media" (January 2000).

[Jump to Contents]


The Real Risk

If you have a local area network (LAN) and you want to share file(s) and/or printer(s), or if you otherwise enable Microsoft Networking, then you may inadvertently expose "shares" (file and printer resources that have been enabled for sharing) to the Internet. This most commonly happens when "shares" are created with weak passwords (e.g., "password") or no passwords at all. When you are connected to the Internet, anyone on the Internet may then not only access but also change or destroy material on your computers. (Your risks might include other passwords, social security numbers, credit card number, bank account numbers, etc.)

[Jump to Contents]


Fact

UPDATE (10/10/2000): Microsoft Windows 95/98/Me Share Level Password Vulnerability (bugtraq 1780) makes NetBIOS (Microsoft Networking) Share Level passwords easy to defeat when Scope ID is not used (see "Increasing NetBIOS Security with Scope ID"). If NetBIOS is not disabled (see "Security on Cable Modem or DSL"), then installing the Microsoft patch is strongly recommended (even if Scope ID is used)!

NetBIOS is a real security risk if and only if all of the following conditions exist:

  1. File and Printer Sharing for Microsoft Networks is installed as a network component (Network in Control Panel).
  2. File and Printer Sharing for Microsoft Networks is bound to TCP/IP on an adapter used for the Internet.
  3. Options for files and printers are checked (enabled) under File and Print Sharing.
  4. "Share(s)" have actually been configured for file(s) and printer(s).
  5. Strong passwords have not been used on file and printer "share(s)."
  6. Scope ID has not been set like a strong password.

In other words, if (for example) you have not actually configured any "shares," then there is no real security risk from File and Printer Sharing for Microsoft Networks being bound to TCP/IP.

A "strong" NetBIOS password (that provides good security) is:

If you follow the advice in the main Navas Cable Modem/DSL Tuning GuideTM to disable File and Printer Sharing, it may still be possible for others on the Internet to "see" your computer, but all they will see are your computer and workgroup names (and your computer description), which are no real security risk (unless you are really dumb, and use things like credit card numbers). For this author, you would see "John" and "WORKGROUP" respectively, which is obviously no big deal. Nevertheless, you can conceal your computer and workgroup names by setting a strong Scope ID, or by completely disabling NetBIOS over TCP/IP.

If you need or want to run NetBIOS File and Printer Sharing over TCP/IP, a strong Scope ID is a good way to protect against outside intrusion -- see "Increasing NetBIOS Security with Scope ID".

For an excellent assessment of NetBIOS security issues, see "CIFS: Common Insecurities Fail Scrutiny", also available at <http://www.ussrback.com/docs/cifs.txt>. (For background and perspective, see White Paper 1: The Rise of the Underground Engineer at EE Times.)

If you are seriously concerned about security, then you should consider firewall protection. (For more information on firewalls, see the main Navas Cable Modem/DSL Tuning GuideTM.)

[Jump to Contents]


Fiction (Urban Myths)

Fiction: You are automatically unsafe if File and Printer Sharing is enabled.
Fact: You are only unsafe if several other conditions are satisfied (see "Fact"); e.g., you have actually created unprotected "share(s)."
Fiction: NetBIOS passwords can and will be cracked.
Fact: You are safe if you use strong passwords (see "Fact" and Note 2 below).
Fiction: The way to protect yourself is to remove Client for Microsoft Networks.
Fact: The risk actually comes from the server component (File and Printer Sharing for Microsoft Networks), not the client component (Client for Microsoft Networks). Worse, removing the Client for Microsoft Networks may prevent you from saving passwords -- see Q137361 "Save Password Check Box Is Unavailable".
Fiction: Removing Client for Microsoft Networks improves system performance.
Fact: On a reasonably current and properly configured computer, loading Client for Microsoft Networks does not have a significant impact on performance (and is something that is easily checked if you want to be sure).
Fiction: Security is compromised by disclosure of your computer and workgroup names.
Fact: Unless your names are really dumb (e.g., your credit card numbers), there is no real problem.
Fiction: "Stealth" ports greatly improve security.
Fact: Just because a port is visible (open and "listening") does not mean that there is any real security problem. What matters is what can and cannot be done through the port.
Fiction: You are completely safe if you remove File and Printer Sharing.
Fact: There are other risks, particularly if your system has become infected with a virus or compromised by a Trojan Horse (e.g., Back Orifice). Other services may still present risks. For more information on computer security issues, see the CERT Coordination Center.
Fiction: Changing your Workgroup can keep you safe.
Fact: Your computer can still be seen easily with the necessary tools.
Fiction: Hidden shares can keep you safe.
Fact: So-called "hidden" shares (where the last character in the share name is "$"; e.g., "MYPRINTER$") are not really hidden -- they can be seen easily with the necessary tools.

[Jump to Contents]


What Ports are Open

See also "Check Your Security" in the main Navas Cable Modem/DSL Tuning GuideTM.

A TCP or UDP "port" is a specific numeric address (in the range 0-65535) that is used for particular network connections between two computers. Certain "well-known ports" are used for popular network services like HTTP (the protocol of the World Wide Web), FTP (file transfer protocol), mail, news, etc. NetBIOS over TCP/IP uses ports 137-139.

Under Windows 95/98/NT/2000, a number of utilities are available to monitor the status of both TCP/IP and NetBIOS, including:

NBTSTAT (NetBIOS over TCP/IP Statistics)
Useful options include:
-n Lists your NetBIOS names.
-s Lists your current NetBIOS sessions.
-? Displays help on options.
NETSTAT (Network Statistics)
Useful options include:
-a Displays all listening ports and active connections.
-n Displays addresses and port numbers in numerical form.
-? Displays help on options.
NET (Network command)
Useful NET commands include:
VIEW Lists available computers with NetBIOS support.
VIEW \\computername Lists visible shares for specific computer computername.
HELP Displays help on commands.

[Jump to Contents]


NetBIOS Abuse by Scour

Updates:

Exposed NetBIOS shares are at risk not only from from malicious crackers, but also from supposedly legitimate entities. A particularly bad example is Scour. Without notice or authorization, Scour deliberately scans Internet addresses looking for certain types of exposed NetBIOS Shares, adding those it finds to its publicly accessible catalog. (Although Scour implies that it does so only after you "join," it also scans addresses that have not "joined.")

Scour has been known to scan from these blocks of network addresses:

You may to block access from Scour with a firewall rule (recommended). Direct complaints about Scour to:

(A polite complaint tends to get better results than a demanding one.)

[Jump to Contents]


Increasing NetBIOS Security with Scope ID

If you need or want to run NetBIOS File and Printer Sharing over TCP/IP, a strong Scope ID is a good way to protect against outside intrusion. This is because computers running NetBIOS over TCP/IP with Scope ID are invisible to other computers that do not have the same Scope ID. (Scope ID is not set by default, so normally such computers are visible to everyone.) Think of Scope ID as a kind of overall NetBIOS protection that hides the lock if you don't have the right key. Scope ID even prevents the Microsoft Windows 95/98/Me Share Level Password Vulnerability (bugtraq 1780).

Information on setting Scope ID:

For an excellent assessment of NetBIOS security issues, and the use of Scope ID as a defense, see "CIFS: Common Insecurities Fail Scrutiny" (also available at <http://www.ussrback.com/docs/cifs.txt>) .

[Jump to Contents]


Shields UP!TM

It is not the normal practice of this site to criticize other sites; however, Shields UP!TM is spreading a great deal of dangerous misinformation on the risks of Microsoft Networking:

For alternatives to Shields UP!TM, see "Check Your Security" in the main Navas Cable Modem/DSL Tuning GuideTM.

Notes:

  1. You will pass Shields UP!TM "Test My Shields" if you set a (strong) Scope ID, or if you completely disable NetBIOS over TCP/IP.
  2. Even assuming 100 trials per second, and that an attacker would know what kind of attack to use, cracking a simple two-word password (e.g., "rocktowel") with a minimal (64K) dictionary-based approach would take on the order of a year or more of continuous non-stop attack (probably much more). Long before then the attacker will almost certainly give up and move on, because there are easier and more productive fish to fry.
  3. Steve Gibson (self-proclaimed security guru behind Shields UP!TM) is also spreading a great deal of hysteria over raw socket functionality in Microsoft Windows XP. For rebuttal to this hysteria, see:
    1. "Security geek developing WinXP raw socket exploit" (The Register)
    2. "Microsoft rebuts XP Net instability claims" (The Register)
    3. "Hostile Code, not the Windows XP Socket Implementation, is the Real Security Threat" (Microsoft)
    4. "Steve Gibson really is off his rocker" (The Register)
    5. "Code Red Tribulation is nigh, Steve Gibson warns" (The Register)
    6. "To put it simply: 'no'" (Vmyths.com)
    7. See also:
      1. "Unmasking Steve Gibson" (radsoft.net)
      2. The Steve Gibson Saga (Vmyths.com)
  4. Shields UP!TM is not the only case of hysteria from Steve Gibson. He got his start by promulgating the myth that "hard disks die" due to degradation of magnetic patterns. He profited from the myth by selling SpinRite, a program claimed to fix the alleged problem. (more details)

("Shields UP!" is a claimed trademark of Gibson Research Corporation.)

[Jump to Contents]


Button [The Navas Group home page]

Trademarks belong to their respective owners.