Disabled NetBIOS over TCP/IP = Strange Behaviour?

MulLa

Golden Member
Jun 20, 2000
Hi all

I have recently disabled NetBIOS over TCP/IP on all computer systems on my W2K Domain network for better security.

Now the problem is:

Some systems, mainly WinXP systems, are unable to log onto the Domain Controller first time around. It will authenticate (I suspect only on cached credentials) but will show the "Single Computer" icon in the system tray, suggesting it's not connected to the network. After a reboot it will work fine. W2K systems tend to be ok.

No systems can browse the network neighbourhood. It's just blank.


Is there any solution to the above 'problems'? Mainly the first one, since users have been bugging me a lot. Is the second 'problem' a trade-off for disabling NetBIOS? My Domain doesn't even use WINS; it relies completely on DNS. I thought NetBIOS is 'somehow' related to WINS??? Or am I wrong?

NetBIOS ports are closed on the firewall, but I just wanted better internal security.


Thanks in advance for any help / suggestions!
 

Xtremetechie

Member
Nov 3, 2002
What DNS server are you running? Are your clients successfully registering their connections? If it's 2K, is it Standard Pri. or AD integrated?
 

err

Platinum Member
Oct 11, 1999
spidey is extremely right. NETBIOS is required for a Windows network to properly function.

You may disable NETBIOS for your external network (i.e. when you run a multihomed computer) or close the NETBIOS port on the firewall, but not on your internal hosts.

Hope this helps :)

eRr
 

MulLa

Golden Member
Jun 20, 2000
Thanks for all replies.

Running a W2K DNS server, which is a requirement for W2K Domains. There's only one Domain Controller.

I was just reading "Hacking Exposed Windows 2000", which I'm sure many of you would have read. It strongly recommends disabling NetBIOS if it's not needed. It then goes on to explain that I would only need NetBIOS if I use WINS. Hm... Maybe I can't read now!! That's why I supposed that it would be better to leave it disabled. It didn't mention anywhere in the book these potential problems if I disable it on an internal network.

Would you guys reckon that it's ok to have NetBIOS enabled in my internal network, security-wise?


Thanks a bunch.
 

Fencer128

Platinum Member
Jun 18, 2001
Hi,

I believe that NetBIOS is the protocol used by the Windows file and print sharing service to allow it to resolve host names to IP addresses. So, no NetBIOS - no file and print sharing - no browseable network neighbourhood.

The WINS service you mention is like a central table of hostname/IP address information contained on a server. Usually NetBIOS broadcasts are sent out to machines on the local subnet, so if the machine you're trying to find is on the same subnet it will respond and then be browseable on the network neighbourhood. However, if the machine you're looking for is on a different subnet it will not receive the NetBIOS broadcast, as NetBIOS is not a routeable protocol (i.e. all packets are dropped at the router). In this case, after a failed broadcast it will send a request to a WINS server and be able to locate a machine on a different subnet that way.

Hope that makes sense!

Andy
 

MulLa

Golden Member
Jun 20, 2000
Fencer128, are you sure that NetBIOS is a protocol??? I am still able to access shares / printers even if I have it disabled. I just remember reading that if I unbind File / Print sharing from a NIC it would disable a particular port that NetBIOS uses, and NetBIOS over TCP/IP uses a different port.

I haven't unbound File / Print sharing, so obviously NetBIOS is still available in that sense. Oh well, I suppose it's not worth the trouble, since if they want to get info off my network they can still do it via "File / Print sharing NetBIOS".
 

Fencer128

Platinum Member
Jun 18, 2001
Hi,

OK, to be technical, NetBIOS is an API that allows applications to request services from the lower layers of the OSI protocol model, i.e. session establishment, data transfer, etc. (info lifted from Cisco's site).

Microsoft say:

NetBIOS is a session-level interface that is used by applications to communicate over NetBIOS-compatible transports. It is responsible for establishing logical names on the network, establishing sessions between two logical names on the network, and supporting reliable data transfer between computers that have established a session. NetBIOS has been around for more than a decade. Protocols implemented under Microsoft networking components, including TCP/IP, have a NetBIOS interface or a mapping layer (NetBIOS over TCP/IP is called NetBT). This layer is provided to allow non-native NetBIOS components to fit into a NetBIOS environment. NetBIOS-based communications use NetBIOS names to uniquely identify resources and other nodes on the network.

Without NetBIOS, if you have DNS implemented, you will still be able to access network shares (via "Search" in the start menu, for instance) - but the network will not be browseable via "network neighbourhood", which is what a lot of people want. This is because you are able to resolve IP addresses via DNS, which gives you the means to send data to any node on your network. However, the network neighbourhood relies on NetBIOS over TCP names in order to build up its cache of browseable machines. So, no NetBIOS over TCP - no machines in network neighbourhood.

Please someone correct me if I'm wrong - my head's starting to hurt :confused:

Good luck,

Andy
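The broadcast-then-WINS lookup Andy describes above is the NetBIOS Name Service (NBNS) on UDP 137. The following is an added example, not code from the thread: it builds the NAME QUERY REQUEST a client sends (broadcast to the local subnet, or unicast to a WINS server when the B flag is clear) and parses the positive response, using the RFC 1001/1002 first-level name encoding. The host name FILESRV, the client name MULLA-XP and the address 192.168.1.10 are constructed for the example; the response packet is built locally so the code runs offline. The 16th byte of the name (the suffix) is what distinguishes "FILESRV the file server" (0x20) from "FILESRV the master browser" (0x1D), which is why a browse list needs NetBT names even when DNS can resolve the host.

```python
import struct

# Well-known values of the 16th (suffix) byte of a NetBIOS name. These are the
# Microsoft conventions; 0x20 is what a file-share client asks for, 0x1D/0x1B
# are what the browser service asks for.
SUFFIX_MEANING = {
    0x00: "workstation service",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1C: "domain controllers (group name)",
    0x1D: "master browser for this subnet",
    0x1E: "browser election (group name)",
    0x20: "file server service",
}

# Owner node type bits in the NB_FLAGS word of a positive name query response.
NODE_TYPE = {0x0000: "B", 0x2000: "P", 0x4000: "M", 0x6000: "H"}


def first_level_encode(name: str, suffix: int) -> bytes:
    """RFC 1001/1002 first-level encoding: 15 space-padded characters plus the
    suffix byte, each nibble added to ord('A'), giving 32 ASCII letters."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def first_level_decode(enc: bytes) -> tuple[str, int]:
    """Inverse of first_level_encode; returns (name without padding, suffix)."""
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_name_query(name: str, suffix: int, txid: int, broadcast: bool) -> bytes:
    """NBNS NAME QUERY REQUEST. broadcast=True sets the B flag (sent to the
    subnet broadcast address); broadcast=False is the unicast form a client
    sends to a WINS server for names that live on other subnets."""
    flags = 0x0100 | (0x0010 if broadcast else 0)   # opcode QUERY, RD, optional B
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"\x20" + first_level_encode(name, suffix) + b"\x00"
    return header + question + struct.pack(">HH", 0x0020, 0x0001)   # type NB, class IN


def parse_name_response(pkt: bytes) -> dict:
    """Parse a NAME QUERY RESPONSE. Raises ValueError on a negative response
    (RCODE != 0 or no answer), which is all a broadcast gets on the wrong subnet."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode or ancount == 0:
        raise ValueError(f"negative name response, rcode={rcode:#x}")
    off = 12
    if pkt[off] != 0x20:
        raise ValueError("unexpected label length")
    name, suffix = first_level_decode(pkt[off + 1:off + 33])
    off += 34                                          # 0x20 + 32 letters + 0x00
    rr_type, rr_class, ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    if rr_type != 0x0020 or rr_class != 0x0001:
        raise ValueError("not an NB/IN record")
    entries = []
    for i in range(rdlen // 6):                        # each entry: NB_FLAGS + IPv4
        nb_flags, a, b, c, d = struct.unpack_from(">H4B", pkt, off + 6 * i)
        entries.append({"ip": f"{a}.{b}.{c}.{d}",
                        "group": bool(nb_flags & 0x8000),
                        "node_type": NODE_TYPE[nb_flags & 0x6000]})
    return {"txid": txid, "name": name, "suffix": suffix,
            "service": SUFFIX_MEANING.get(suffix, "unknown"),
            "ttl": ttl, "entries": entries}


def make_positive_response(query: bytes, ip: str, node_type: str = "B") -> bytes:
    """Constructed response a B-node would send for the given query, so the
    example runs offline. The txid and question name are echoed back."""
    txid = struct.unpack_from(">H", query, 0)[0]
    nb_flags = {v: k for k, v in NODE_TYPE.items()}[node_type]
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)   # R, AA, RD
    rr_name = query[12:46]
    rdata = struct.pack(">H4B", nb_flags, *(int(x) for x in ip.split(".")))
    return header + rr_name + struct.pack(">HHIH", 0x0020, 0x0001, 300000, len(rdata)) + rdata


if __name__ == "__main__":
    q = build_name_query("FILESRV", 0x20, txid=0x1234, broadcast=True)
    print(parse_name_response(make_positive_response(q, "192.168.1.10")))
```

Note that nothing in the exchange is authenticated: any host on the subnet that hears the broadcast can answer with its own address, which is the reason the book MulLa cites wants NetBT off where it is not needed. A unicast query to WINS (`broadcast=False`) is only as trustworthy as the WINS database.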
 

Slowlearner

Senior member
Mar 20, 2000
You can disable NetBIOS over TCP/IP only if you have a second protocol such as IPX/SPX or NetBEUI enabled. Steve Gibson (www.grc.com) makes a convincing argument about using separate protocols for networking and web browsing, and since NetBEUI is no longer supported by MSFT (how many calls have you made to them lately?), IPX/SPX is what you are left with. NetBIOS over TCP/IP needs to be enabled for a pure TCP/IP network to work without problems.

I run a peer-to-peer network with every flavor of Microsoft's OSs; I prefer NetBEUI over IPX/SPX as it has its own problems.
 

Muse

Lifer
Jul 11, 2001
Originally posted by: Slowlearner
You can disable NetBIOS over TCP/IP only if you have a second protocol such as IPX/SPX or NetBEUI enabled. Steve Gibson (www.grc.com) makes a convincing argument about using separate protocols for networking and web browsing, and since NetBEUI is no longer supported by MSFT (how many calls have you made to them lately?), IPX/SPX is what you are left with. NetBIOS over TCP/IP needs to be enabled for a pure TCP/IP network to work without problems.

I run a peer-to-peer network with every flavor of Microsoft's OSs; I prefer NetBEUI over IPX/SPX as it has its own problems.
I experimented with NetBEUI in my little W2k peer-to-peer network. It worked OK, but I went back to NetBIOS over TCP/IP because my throughput was around 13% better. However, I hear that the throughput using NetBEUI is usually 25% faster, and of course you get the better security as you've said. When you change to NetBEUI (I enabled it in WINS) you have to disable the TCP/IP protocol in your Network and Dial-up Connections, Advanced, Advanced Settings, Bindings for Local Area Connection, File and Printer Sharing for MS Networks and Client for MS Networks.

 

MulLa

Golden Member
Jun 20, 2000
Hi

Thanks all for the valuable info. I've decided to re-enable NetBIOS over TCP/IP in the WINS tab, to get the browseable network back. Since I won't be disabling File / Print sharing on my internal network, there isn't much point for me to disable it in WINS, since NetBIOS would still be around.

Oh well so much for trying to be more secure :|
 

manly

Lifer
Jan 25, 2000
I'm by no means an expert on Windows networking, but I believe MS introduced a pure TCP/IP implementation of SMB in Windows 2000.

So you can disable NBT and still have file and printer sharing, but I do not have the relevant documentation on hand. Whether you can browse without NBT is again, something I'm not familiar with. As you did allude to, it is possible to rely upon DNS for NetBIOS name lookups rather than WINS.
 

Saltin

Platinum Member
Jul 21, 2001
NetBIOS isn't necessary to enjoy all the bells and whistles of a Windows 2000 network.
SMB will cover file and printer sharing in lieu of NetBIOS.

The only real issue is Network Browsing. The entire architecture relies on NetBIOS. Network Browsing in this manner is slowly being phased out of the Windows environment. Active Directory fills this gap perfectly.

If you don't have an Active Directory, you can always build an LMHOSTS file that contains entries for computers and the Browser Services and distribute that file to the machines on the network. It's cumbersome, but it works.

I've built Windows 2000 networks that run without NetBIOS, and they function perfectly. It certainly is handy to have NetBIOS, but strictly speaking, when MS say it isn't necessary in a Win2k environment, they mean it.
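The distinction manly and Saltin draw above (SMB carried directly over TCP 445 on Windows 2000 and later, versus SMB inside a NetBIOS session on TCP 139) is visible in the first bytes a client sends. The following is an added example, not code from the thread: it classifies the first client message of a captured TCP stream as a NetBT SESSION REQUEST (RFC 1002 type 0x81, which names the called and calling machines and only ever appears on 139) or as a direct-hosted SMB message (a 4-byte length header followed straight by an SMB header, which is how a 445 stream begins). The sample bytes are constructed, and the names FILESRV and MULLA-XP are hypothetical.

```python
# NetBIOS Session Service message types (RFC 1002, section 4.3).
SESSION_MESSAGE = 0x00
SESSION_REQUEST = 0x81
POSITIVE_RESPONSE = 0x82
NEGATIVE_RESPONSE = 0x83
RETARGET = 0x84
KEEPALIVE = 0x85

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"


def encode_nb_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding of a 15-char name plus suffix byte."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_nb_name(enc: bytes) -> tuple[str, int]:
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_session_request(called: str, calling: str) -> bytes:
    """Constructed SESSION REQUEST as a client sends it on TCP 139: the called
    name carries the file-server suffix 0x20, the calling name suffix 0x00."""
    body = (b"\x20" + encode_nb_name(called, 0x20) + b"\x00"
            + b"\x20" + encode_nb_name(calling, 0x00) + b"\x00")
    return bytes([SESSION_REQUEST, 0x00]) + len(body).to_bytes(2, "big") + body


# Constructed first message of a direct-hosted stream: 0x00 type byte, 24-bit
# length (35), then an SMB1 header whose command byte 0x72 is NEGOTIATE.
DIRECT_HOSTED_SAMPLE = b"\x00\x00\x00\x23" + SMB1_MAGIC + b"\x72" + b"\x00" * 30


def classify_first_message(payload: bytes) -> dict:
    """Classify the first client-to-server message of a TCP stream.

    Over NetBT (139) the stream must open with a SESSION REQUEST; over
    direct-hosted SMB (445) there is no session request and the first message
    is a length header followed immediately by an SMB packet. Only the first
    message is unambiguous: once a 139 session is up, its data messages also
    use type 0x00."""
    if len(payload) < 4:
        raise ValueError("short payload")
    msg_type = payload[0]
    if msg_type == SESSION_REQUEST:
        # On 139 the second byte is a flags byte; bit 0 extends the 16-bit length.
        length = ((payload[1] & 0x01) << 16) | int.from_bytes(payload[2:4], "big")
        body = payload[4:4 + length]
        if length != 68 or len(body) != 68 or body[0] != 0x20 or body[34] != 0x20:
            raise ValueError("malformed session request")
        return {"transport": "netbt-session", "port_hint": 139,
                "called": decode_nb_name(body[1:33]),
                "calling": decode_nb_name(body[35:67])}
    if msg_type == SESSION_MESSAGE:
        length = int.from_bytes(payload[1:4], "big")   # 24-bit length on 445
        body = payload[4:4 + length]
        if body[:4] == SMB1_MAGIC:
            dialect = "SMB1"
        elif body[:4] == SMB2_MAGIC:
            dialect = "SMB2+"
        else:
            raise ValueError("session message without SMB header")
        return {"transport": "direct-hosted", "port_hint": 445,
                "dialect": dialect, "length": length}
    raise ValueError(f"unexpected first message type {msg_type:#x}")


if __name__ == "__main__":
    print(classify_first_message(build_session_request("FILESRV", "MULLA-XP")))
    print(classify_first_message(DIRECT_HOSTED_SAMPLE))
```

This is why MulLa could still reach shares after disabling NetBT on the WINS tab: that setting stops the 137/138/139 services, but the 445 listener is separate and the Windows 2000/XP client falls back to it. It is also a useful check when auditing: a host that should have NetBT off but still answers a 0x81 session request on 139 has not been configured the way you think.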
 

spidey07

No Lifer
Aug 4, 2000
Saltin,

That's interesting. Because with all the work Microsoft does with us, they tell a consistent message: "you still need WINS and NetBIOS".

I challenged them, stating that I believed 2000 and XP to be TCP/IP-only implementations without the need for NBT. Their answer is always the same: you get 90% of functionality without NBT, but we recommend all customers of your size run WINS and NBT even if your DNS and directory are in tip-top shape.

Heck, I'd love to get rid of NBT.
 

Saltin

Platinum Member
Jul 21, 2001
MS support will give you a different answer than MS sales.
The support guys don't want to have to deal with the extra issues turning off NetBIOS creates, so they tell you to leave it on. It makes their job a lot simpler.
No matter what they tell you, in a pure Windows 2000 environment (clients and servers), it is possible to run without NetBIOS and have full functionality.
 

Muse

Lifer
Jul 11, 2001
Originally posted by: manly
I'm by no means an expert on Windows networking, but I believe MS introduced a pure TCP/IP implementation of SMB in Windows 2000.

So you can disable NBT and still have file and printer sharing, but I do not have the relevant documentation on hand. Whether you can browse without NBT is again, something I'm not familiar with. As you did allude to, it is possible to rely upon DNS for NetBIOS name lookups rather than WINS.
You could have shortcuts set up in IE to your local machines. That worked for me when I wasn't able to browse to where I wanted in My Network Places in Windows Explorer. That problem kind of mysteriously disappeared when I switched back and forth from using NetBEUI and TCP/IP NetBIOS a few times. I left it using TCP/IP because of the 15% faster data transfer I was getting (up to 68 Mbps). As such, I'm counting on my Zonealarm and router NAT for my required security (not my long suit).

 

MulLa

Golden Member
Jun 20, 2000
Saltin, you mean you can have an AD infrastructure without NetBIOS and still browse the network? Would you be so kind as to point me in the right direction on achieving that?


Thanks
 

Muse

Lifer
Jul 11, 2001
Originally posted by: MulLa
Saltin, you mean you can have an AD infrastructure without NetBIOS and still browse the network? Would you be so kind as to point me in the right direction on achieving that?


Thanks
I'm not Saltin, but I think this page at practicallynetworked.com is very explicit on how you set up NetBEUI on Win2000.
 

Saltin

Platinum Member
Jul 21, 2001
I wasn't speaking about NetBEUI really. It's a non-routable protocol and is pretty much useless in large environments with multiple subnets/sites.

What I mean is that AD makes network browsing (in the traditional sense) obsolete. Shared files/folders should be published in AD, and users can search AD for computers/files/folders/printers/whatever.

It's about the end users re-learning how to navigate the network. In some instances I have helped that along by removing the Network Places icon from the desktop.