Connected Home
<-- prev. page     1 [2] 3 4     next page -->

October 23, 2002  |  Paula Sharick  |  Feature Articles
8 Steps to a Secure SOHO

4. Exposure Evaluation
The next step is to evaluate your SOHO's exposure to the Internet. If you're not convinced you have a problem, this experience will be sobering. You can easily find an Internet site that probes systems for commonly exploited Windows-specific vulnerabilities. If you don't have a specific site in mind, I suggest you visit the popular Gibson Research site (http://grc.com/default.htm). At this site, you can evaluate two types of exposure: NetBIOS exposure and service-based port exposure. Many firewall vendors also provide online-security and port-scanning analysis tools.

NetBIOS exposure. At the Gibson Research Web site, scroll down and click the ShieldsUP! option. Scroll down the ShieldsUP! page until you see the Test My Shields! and Probe My Ports! buttons. Click Test My Shields! and wait for the test to finish. If your system is typical, you'll see that NetBIOS port 139 is open and accessible and that the test can easily retrieve your username, computer name, and local share name from this port. Because of its nonsecure nature, NetBIOS is the most common target for intruders. (To learn how to eliminate this vulnerability, see Step 5.) Save the results of this test so that you'll be able to compare before and after reports. After you implement this article's tips, you can run this report again to verify that you've successfully reduced your vulnerability.

Port exposure. International standards associate a specific port number with each Win2K or third-party service that supports network communication. A total of 65,535 ports exist, and to maintain some semblance of order for worldwide communication, many of the ports below 1024 (called well-known ports) are associated with a specific protocol (e.g., FTP, HTTP) and with the service that uses the protocol. When a service is running, it listens for requests and responds to requests according to port number.

For example, the FTP service responds to incoming and outgoing requests on TCP port 21; the SMTP service you activate when you send mail listens on TCP port 25; the POP3 service you activate when you receive mail listens on TCP port 110; and the HTTP service listens for nonsecure connections on port 80 and secure connections on port 443. NetBIOS broadcasts names on port 137 and creates connections to local shares on port 139. If you're interested in determining which protocol is associated with a certain port, you can download a definition file for all 65,535 ports from http://www.iana.org/assignments/port-numbers or http://www.sockets.com/services.htm.

Run the Probe My Ports! test. This port scanner asks each Win2K service whether it's listening for and responding to incoming connections. A port can be open, closed, or invisible, depending on how you configure and protect your system. An open port means that the associated service will accept incoming connections—an opportunity for both authorized and unauthorized access. A closed port means the service is available but won't accept an incoming connection. An invisible (stealth) port gives no indication that the service is loaded and running. (In Step 8, you'll learn how to use a personal firewall to implement port-level protection.) Read the Probe My Ports! report to learn about your system's port exposure.

5. Secure Your Internet Connection
Next, I want to provide Win2K configuration tips that can eliminate potential vulnerabilities. Microsoft includes NetBIOS components in Win2K for backward compatibility with Windows NT 4.0 and Windows 9x platforms, but you don't need NetBIOS to browse or communicate with systems on the Internet. When you install TCP/IP (but not NetBIOS), you can always connect to LAN shares with the IP address and share name (e.g., \\www.xxx.yyy.zzz\share), but you can't connect with Universal Naming Convention (UNC) share names (e.g., \\server\share). You should install only TCP/IP on the Internet network adapter. If you don't need to share resources on the Internet machine with other internal systems, you should also disable NetBIOS on the LAN adapter. The fewer the network protocols and services, the fewer the opportunities you present for a malicious user to exploit. Fewer network protocols also make your system run more efficiently.

Eliminating NetBIOS vulnerabilities. Each time you install a network adapter, Win2K automatically installs and binds two NetBIOS components to each NIC: Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks. These components provide backward compatibility for NT 4.0 and Win9x systems that use Microsoft's proprietary and nonsecure NetBIOS (WINS) name resolution. However, you don't need either of these functions on your Internet connection. Here's why.

To locate computers and share names on your LAN (i.e., the names that appear in the My Network Places browse list), Client for Microsoft Networks sends out NetBIOS name-resolution broadcast requests. These unsolicited broadcasts announce your system and its internal resources and draw unnecessary attention to your Internet connection. Because NetBIOS name resolution is proprietary to Microsoft, few Internet-connected systems require this function. When you disable Client for Microsoft Networks, you close the associated NetBIOS ports (e.g., ports 137 and 139) that are standard targets for intruders.

File and Printer Sharing, a counterpart of Client for Microsoft Networks, publishes NetBIOS names for local shares. Regardless of whether your Internet machine has shares, you don't want to publish their NetBIOS names on the Internet. To disable these components and eliminate NetBIOS over TCP/IP (NetBT) traffic, open Network and Dial-up Connections, click Advanced on the menu bar, and click Advanced Settings to bring up the window that Figure 4 shows. Highlight the network adapter for your Internet connection, and clear the check boxes for both components. The changes take effect immediately, without requiring a reboot.

In a pure Win2K environment, DNS replaces proprietary NetBIOS name resolution, and Win2K systems don't need either of these networking components to successfully browse the network and connect to shares. When you disable them, you stop announcing your Internet presence with NetBIOS broadcasts, and you also eliminate a lot of unnecessary network traffic. If your SOHO consists of Win2K systems and you're running Win2K DNS, you can safely disable Client for Microsoft Networks and File and Printer Sharing on all your systems to eliminate NetBIOS vulnerabilities.
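To verify Step 5 (and later the Step 8 firewall) you want a local equivalent of the Probe My Ports! report from Step 4, run against your own machine before and after the change. The script below is an added example, not code from the original article or from Gibson Research; it classifies a TCP port as open, closed, or stealth from the outcome of a connect() attempt, flags ports 137 and 139 as NetBIOS exposure, and diffs two runs. The port-name table and the throwaway loopback listener are constructed for illustration.

```python
import errno
import socket

# Port names the article walks through (constructed lookup, not IANA's full file).
WELL_KNOWN = {21: "FTP", 25: "SMTP", 80: "HTTP", 110: "POP3",
              137: "NetBIOS-NS", 139: "NetBIOS-SSN", 443: "HTTPS"}
NETBIOS_PORTS = {137, 139}

def classify(host, port, timeout=2.0):
    """Map one TCP port to the article's three states.
    open    - handshake completed: a service accepts connections
    closed  - host answered with RST: reachable, nothing listening
    stealth - no SYN-ACK and no RST before the timeout (firewall drops the SYN)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "stealth"
        except ConnectionRefusedError:
            return "closed"
        except OSError as e:
            # An unreachable host is not a port state; report it separately.
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            return "error"

def probe(host="127.0.0.1", ports=tuple(sorted(WELL_KNOWN))):
    """Probe your own host and return {port: state}."""
    return {p: classify(host, p) for p in ports}

def report(states):
    """One line per port; NetBIOS ports that accept connections are called out."""
    lines = []
    for port, state in sorted(states.items()):
        flag = ""
        if state == "open" and port in NETBIOS_PORTS:
            flag = "  <-- NetBIOS reachable: clear both NetBIOS components on this adapter"
        elif state == "open":
            flag = "  <-- accepts connections: confirm this service is intended"
        lines.append(f"{port:5d} {WELL_KNOWN.get(port, '?'):<12} {state}{flag}")
    return lines

def compare(before, after):
    """Ports whose state changed between the saved run and the re-run."""
    return {p: (before[p], after[p]) for p in before
            if p in after and before[p] != after[p]}

def listen_on_loopback():
    """Throwaway listener so the 'open' state can be observed on one's own host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]
```

Run `probe()` once before clearing the check boxes, save the dictionary, and feed it with a fresh run to `compare()`; any 137 or 139 entry should move from open to closed (or stealth once a firewall is in place).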

Connected Home is a division of Penton Media, Inc.