File and Printer Sharing (NetBIOS) Fact and
Fiction
Copyright 1999-2017 The Navas
GroupSM, All Rights
Reserved.
Permission is granted to copy for private non-commercial use
only.
Posted as <http://cable-dsl.navasgroup.com/netbios.htm>.
Contents
Important Notes:
- The following material pertains primarily to consumer/SOHO Internet access.
Enterprises should seriously consider strong firewall protection. (For
more information, see the main Navas
Cable Modem/DSL Tuning GuideTM.)
- This information was
compiled by the author and is provided as a public service.
The author is not responsible for any errors or
omissions, or for any consequential problems that might result.
USE AT YOUR OWN RISK.
-
Privacy Policy: This site makes no use of personal information;
does not require registration; and does not use browser "cookies."
- The
author does not have the time to give individual technical support,
so please do not email requests for assistance.
-
Email comments and suggestions to John Navas.
The Problem
While NetBIOS
(Microsoft Networking) over TCP/IP can present a
serious security risk if you are careless, hysteria
related to NetBIOS over TCP/IP is unwarranted. Some Internet
sites are making matters worse spreading bad advice (fiction/urban myths).
Note: For an excellent media perspective on the hysteria
surrounding this issue, see the Network Magazine editorial
"
Accuracy in the 'Networking' Media" (January 2000).
[Jump to Contents]
The Real Risk
If you have a local area
network (LAN) and you want
to share file(s) and/or printer(s), or if you otherwise enable
Microsoft Networking, then you may inadvertently expose "shares"
(file and printer resources that have been enabled for sharing) to
the Internet. This most commonly happens when
"shares" are created with weak passwords
(e.g., "password") or no passwords at all. When you
are connected to the Internet, anyone on the Internet may then not
only access but also change or destroy material on
your computers. (Your risks might include other passwords,
social security numbers, credit card number, bank account
numbers, etc.)
[Jump to Contents]
Fact
UPDATE (10/10/2000): Microsoft
Windows 95/98/Me Share Level Password Vulnerability (bugtraq
1780) makes NetBIOS
(Microsoft Networking) Share Level passwords easy to defeat when Scope
ID is not used (see "Increasing NetBIOS Security
with Scope ID"). If NetBIOS is not disabled (see "Security
on Cable Modem or DSL"), then installing the Microsoft
patch is strongly recommended (even if Scope ID is used)!
NetBIOS is a real security risk if and only if all
of the following conditions exist:
- File and Printer Sharing for Microsoft Networks is
installed as a network component (Network in Control
Panel).
- File and Printer Sharing for Microsoft Networks is bound to
TCP/IP on an adapter used for the Internet.
- Options for files and printers are checked (enabled) under
File and Print Sharing.
- "Share(s)" have actually been configured for file(s) and
printer(s).
- Strong passwords have not been used on file and printer
"share(s)."
- Scope ID has not been set like a strong password.
In other words, if (for example) you have not actually
configured any "shares," then there is no real
security risk from File and Printer Sharing for Microsoft
Networks being bound to TCP/IP.
A "strong" NetBIOS password (that provides good security)
is:
- at least 8 characters long;
- a mixture of alphabetic letters and numeric digits
(e.g., 8jh67fg8);
- not a recognizable word or phrase;
- not something associated with you (e.g., your telephone
number);
- different from your other and previous passwords; and
- still something you can remember.
If you follow the advice in the main Navas Cable
Modem/DSL Tuning GuideTM to disable File and Printer Sharing, it may
still be possible for others on the Internet to "see" your
computer, but all they will see are your computer and workgroup
names (and your computer description), which are no real
security risk (unless you are really dumb, and use things like
credit card numbers). For this author, you would see "John" and
"WORKGROUP" respectively, which is obviously no big deal.
Nevertheless, you can conceal your computer and workgroup
names by setting a strong Scope
ID, or by completely disabling
NetBIOS over TCP/IP.
If you need or want to run NetBIOS File and Printer Sharing
over TCP/IP, a strong Scope ID is a good way to protect against
outside intrusion -- see "Increasing NetBIOS
Security with Scope ID".
For an excellent assessment of NetBIOS security issues,
see "CIFS: Common
Insecurities Fail Scrutiny", also available at <http://www.ussrback.com/docs/cifs.txt>.
(For background and perspective, see White Paper 1:
The Rise of the Underground Engineer at EE Times.)
If you are seriously concerned about security, then you should
consider firewall
protection. (For more information on firewalls, see the main Navas Cable
Modem/DSL Tuning GuideTM.)
[Jump to Contents]
Fiction (Urban Myths)
- Fiction: You are automatically unsafe if File and
Printer Sharing is enabled.
- Fact: You are only unsafe if several other
conditions are satisfied (see "Fact");
e.g., you have actually created unprotected
"share(s)."
- Fiction: NetBIOS passwords can and will be
cracked.
- Fact: You are safe if you use strong passwords
(see "Fact" and Note 2
below).
- Fiction: The way to protect yourself is to remove
Client for Microsoft Networks.
- Fact: The risk actually comes from the
server component (File and Printer Sharing for Microsoft
Networks), not the client component
(Client for Microsoft Networks). Worse, removing the Client
for Microsoft Networks may prevent you from saving passwords
-- see Q137361 "Save
Password Check Box Is Unavailable".
- Fiction: Removing Client for Microsoft Networks
improves system performance.
- Fact: On a reasonably current and properly
configured computer, loading Client for Microsoft Networks does
not have a significant impact on performance (and is something
that is easily checked if you want to be sure).
- Fiction: Security is compromised by disclosure of
your computer and workgroup names.
- Fact: Unless your names are really dumb
(e.g., your credit card numbers), there is no real
problem.
- Fiction: "Stealth" ports greatly improve
security.
- Fact: Just because a port is visible (open and
"listening") does not mean that there is any real security
problem. What matters is what can and cannot be done
through the port.
- Fiction: You are completely safe if you remove File
and Printer Sharing.
- Fact: There are other risks, particularly
if your system has become infected with a virus or compromised
by a
Trojan Horse (e.g., Back
Orifice). Other services may still present risks. For more
information on computer security issues, see the CERT Coordination Center.
- Fiction: Changing your Workgroup can keep you
safe.
- Fact: Your computer can still be seen easily with
the necessary tools.
- Fiction: Hidden shares can keep you safe.
- Fact: So-called "hidden" shares (where the last
character in the share name is "$"; e.g., "MYPRINTER$") are not
really hidden -- they can be seen easily with the necessary
tools.
[Jump to Contents]
What Ports are Open
See also "Check Your
Security" in the main Navas Cable Modem/DSL
Tuning GuideTM.
A TCP or UDP "port" is a specific numeric
address (in the range 0-65535) that is used for particular network
connections between two computers. Certain "well-known ports" are
used for popular network services like HTTP (the protocol of the
World Wide Web), FTP (file transfer protocol), mail, news,
etc. NetBIOS over TCP/IP uses ports 137-139.
Under Windows 95/98/NT/2000, a number of utilities are available
to monitor the status of both TCP/IP and NetBIOS, including:
NBTSTAT (NetBIOS over
TCP/IP Statistics)
Useful options include: |
-n |
Lists your NetBIOS names. |
-s |
Lists your current NetBIOS sessions. |
-? |
Displays help on options. |
NETSTAT (Network
Statistics)
Useful options include: |
-a |
Displays all listening ports and active
connections. |
-n |
Displays addresses and port numbers in numerical form. |
-? |
Displays help on options. |
NET (Network command)
Useful NET commands include: |
VIEW |
Lists available computers with NetBIOS support. |
VIEW \\computername |
Lists visible shares for specific computer
computername. |
HELP |
Displays help on commands. |
[Jump to Contents]
NetBIOS Abuse by Scour
Updates:
Exposed NetBIOS shares are at risk not only from from malicious
crackers, but also from supposedly legitimate entities. A
particularly bad example is
Scour. Without notice or authorization, Scour
deliberately scans Internet addresses looking for certain
types of exposed NetBIOS Shares, adding those it finds to
its publicly accessible catalog. (Although Scour implies that it
does so only after you "join," it also scans addresses that have
not "joined.")
Scour has been known to scan from these blocks of network
addresses:
- 209.249.159.0 - 209.249.159.255
- 216.52.208.0 - 216.52.208.255
You may to block access from Scour with a firewall rule
(recommended). Direct complaints about Scour to:
(A polite complaint tends to get better results than a demanding
one.)
[Jump to Contents]
Increasing NetBIOS Security with Scope
ID
If you need or want to run NetBIOS File and Printer Sharing
over TCP/IP, a strong Scope ID is a good way to protect against
outside intrusion. This is because computers running NetBIOS
over TCP/IP with Scope ID are invisible to
other computers that do not have the same Scope ID. (Scope
ID is not set by default, so normally such computers are
visible to everyone.) Think of Scope ID as a kind of overall
NetBIOS protection that hides the lock if you don't have
the right key. Scope ID even prevents the Microsoft Windows
95/98/Me Share Level
Password Vulnerability (bugtraq 1780).
Information on setting Scope ID:
For an excellent assessment of NetBIOS security issues, and
the use of Scope ID as a defense, see "CIFS: Common Insecurities
Fail Scrutiny" (also available at <http://www.ussrback.com/docs/cifs.txt>)
.
[Jump to Contents]
Shields UP!TM
It is not the normal practice of this site to criticize other
sites; however, Shields UP!TM is spreading a
great deal of dangerous misinformation on the risks of
Microsoft Networking:
- Shields UP!TM claims that "the best
FREE thing you can do for your Internet security is to immediately
remove the Client for Microsoft Networks." [bold emphasis
added] As explained above, the risk is from the server
component of Microsoft Networking (File and Printer Sharing for
Microsoft Networks), not the client component. (See Fiction/Urban Myths)
- Shields UP!TM can report that you
are "wide OPEN" even when NetBIOS is in fact secure
(i.e., no "shares"), which just spreads "Internet
security hysteria." (See Note below)
- Worse, Shields UP!TM can report that you
are "exposing NO SHARES to the Internet" even when you
do have "shares" exposed (e.g., when "shares" are
merely "hidden" with a trailing "$"). "A FALSE sense of security is
worse than being unsure."
- Shields UP!TM suggests that
password crackers (based on brute force trial and error) make
password protection insecure. In fact, the most common problem is
no real password protection at all. If you do use passwords
and avoid easily guessed words (e.g., "password"), then it's
very doubtful that anyone will invest the time and effort needed
to crack your password. (See Note
below)
- Shields UP!TM claims that
"personal" firewalls are the "ONLY WAY to be safe!" Although
personal firewalls can provide good protection for personal
Internet access, they are not as safe as separate standalone
(hardware) firewalls. (For more information, see "Hardware
Firewalls" in the main Navas Cable Modem/DSL
Tuning GuideTM.)
- The false claim that so-called "Evil Port Monitors"
(certain unnamed security products) are "so much junk" that
compromise your computer's security by "actively advertising its
existence across the Internet" is simply "Internet security
hysteria" promulgated by Shields UP!TM. Port monitors
don't really do that. (See Fiction/Urban
Myths)
- The claim that your computer and workgroup names are in and of
themselves "significant personal information" that is
"highly valuable" is likewise just "Internet security
hysteria" promulgated by Shields UP!TM. (See Fiction/Urban Myths)
- Shields UP!TM claims that Client
for Microsoft Networks will "slow down" your computer. The real
impact on your computer is insignificant. (See
Fiction/Urban Myths)
- The strong password example at Shields UP!TM ("4F3hw9Egh84d2")
uses mixed case. While that is helpful on some other
systems, NetBIOS passwords are not case sensitive, so
mixing case does not increase NetBIOS password security.
- Shields UP!TM is unable to
distinguish a weak (insecure) Scope ID from a strong
(secure) one -- it will indicate that you are secure either
way.
For alternatives to Shields UP!TM, see "Check Your
Security" in the main Navas Cable Modem/DSL
Tuning GuideTM.
Notes:
- You will pass Shields
UP!TM
"Test My Shields" if you set a (strong) Scope
ID, or if you completely disable NetBIOS
over TCP/IP.
- Even assuming 100 trials per second, and that an attacker would
know what kind of attack to use, cracking a simple two-word
password (e.g., "rocktowel") with a minimal (64K)
dictionary-based approach would take on the order of a year or
more of continuous non-stop attack (probably much more).
Long before then the attacker will almost certainly give up and
move on, because there are easier and more productive fish to
fry.
- Steve Gibson (self-proclaimed security guru behind Shields UP!TM) is also spreading a
great deal of hysteria over raw socket functionality in Microsoft
Windows XP. For rebuttal to this hysteria, see:
- "Security
geek developing WinXP raw socket exploit" (The Register)
- "Microsoft
rebuts XP Net instability claims" (The Register)
- "Hostile
Code, not the Windows XP Socket Implementation, is the Real Security
Threat" (Microsoft)
- "Steve
Gibson really is off his rocker" (The Register)
- "Code
Red Tribulation is nigh, Steve Gibson warns" (The Register)
- "To put it simply: 'no'"
(Vmyths.com)
- See also:
- "Unmasking Steve Gibson"
(radsoft.net)
- The
Steve Gibson Saga (Vmyths.com)
- Shields
UP!TM
is not the only case of hysteria from Steve Gibson. He got his start by
promulgating the myth that "hard disks die" due to
degradation of magnetic patterns. He profited from the myth by selling SpinRite,
a program claimed to fix the alleged problem. (more
details)
("Shields UP!" is a claimed trademark of Gibson Research
Corporation.)
[Jump to Contents]
[The Navas Group home
page]
Trademarks belong to their respective owners.