From: Clark Lebarge [LClark@HEINZE-INSTITUTE.COM]
Sent: Friday, May 05, 2000 3:01 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: More NetBIOS over TCP/IP in Win2K: TCP/IP NetBIOS Helper, not just for NetBIOS?

I've received a few replies to my question about the TCP/IP NetBIOS Helper service under Windows 2000. A couple of people, Paul Leach from Microsoft being one, have asked what this service has to do with disabling NetBIOS on Windows 2000. A few people are confused as to what I'm getting at in mentioning the problem of not being able to have a functional Windows 2000 network without this service running. So I'll try to clear up the picture so that everyone can get something out of this.

As I see it, there are three issues in this thread. The first issue is: Is information still available over NetBIOS when an Administrator selects "Disable NetBIOS over TCP/IP" on the properties of a LAN connection? I'll look at this first.

On 4/25/2000 Anthony Skipper reported that after disabling NetBIOS over TCP/IP, using a utility that scans for "NetBIOS Information" he could still enumerate shares and discover the usernames on that system. The functionality and purpose of this anonymous connection is described in MS Knowledge Base article Q143474; this article, along with article Q246261, describes how to restrict access to this information to authenticated users.

My attempts to verify this issue were done using the Cerberus Internet Scanner with its NetBIOS test. My test setup consisted of two stand-alone Windows 2000 computers running only TCP/IP on a 10BaseT network. On the target system I disabled NetBIOS on the TCP/IP properties of the LAN connection. I then restarted the computer and verified that no NetBIOS names were registered on the target system. On the target system I started Network Monitor to view what information was being sent over the wire. I then started the NetBIOS scan on the attacking host.
The results of the scan were as Anthony pointed out: CIS was able to successfully read the list of shares and usernames on the target system. However, the results in Network Monitor show a slightly different scenario taking place. Network Monitor shows that all communication between the attacking system and the target system occurred via direct hosting of SMB on port 445. This makes me wonder if the result Anthony was seeing was not due to NetBIOS ports still being open but due to SMB still being enabled. As he pointed out, the surest way to stop the enumeration of this information was to stop the Server service. I would like Anthony to confirm whether his test of anonymous access was performed on the NetBIOS ports or not. If, as in my situation, the attacking system was a Windows 2000 computer, then it may be that it also was connecting via direct hosting of SMB on port 445.

Now, onto the second issue: Is NetBIOS truly disabled in Windows 2000? To decide whether NetBIOS is truly disabled in Windows 2000, it must first be decided at what point a function is considered disabled. In computer terms I consider disabled to mean not functioning in any manner. Does disabling NetBIOS over TCP/IP on the properties of a LAN connection truly disable NetBIOS throughout the OS? To make it simple and short, the answer is no. After performing this task it can still be seen through Device Manager that the NetBIOS over TCP/IP device is still enabled and functioning. Does disabling NetBIOS over TCP/IP on the properties of a LAN connection stop NetBIOS from being transmitted on the network? Yes, it seems to have this effect. However, based on the fact that the device is still functioning in the OS, the conclusion that I draw is that the disabling of NetBIOS over TCP/IP is in fact the enabling of a filter that blocks the NetBIOS communication from reaching the wire. This is just conjecture, however, as it is not possible to view what is happening inside the code of the OS.
So then, what if you go into Device Manager and disable the NetBIOS over TCP/IP device? Well, this does have the desired effect of completely nuking the NetBIOS functionality of the OS. However, it also renders the OS useless on a Microsoft network, as you can no longer use UNC names to connect to Windows 2000 based servers. This is caused by the fact that the TCP/IP NetBIOS Helper service is dependent on the NetBIOS over TCP/IP device. As I pointed out in my original message to NTBugTraq, disabling this service causes the loss of UNC resolution via host names.

This takes us to our last issue: Why is the TCP/IP NetBIOS Helper service needed for host name resolution in a UNC path? I've been told by Joern Wettern, a person under contract with Microsoft to produce curriculum for Microsoft training, that the function of resolving names in a UNC is performed by the TCP/IP NetBIOS Helper service. The problem that I have with this answer is not that it is necessarily incorrect, but that there is no documentation, available to all administrators, existing for Windows 2000 that states that this service is required for host name resolution. Not in the included help files, not in the Resource Kit, and not on Microsoft's Knowledge Base at Support Online. Without this documentation it is only a matter of time before an unknowing administrator, thinking this is an unneeded service, disables it on his servers and workstations, leaving them unable to connect to any UNC path. After all, the description, which is the most documentation on this service in any one place, states that it is for NetBIOS name resolution.

Don't forget that in addition to losing the ability to connect to UNC paths, Group Policy is not applied. The fact that Group Policy is not applied is a major security concern, as this is the primary method of applying security settings to all computers in an organization. Any system that is not running this service will not have any Group Policy applied to it.
The lack of concern about this potential situation from Microsoft has not impressed me at all.
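Added example (not part of Clark's message, and not code from Cerberus Internet Scanner or Microsoft): the check the message turns on is whether an enumeration went over the NetBIOS ports (UDP 137 name service, TCP 139 session service) or over direct-hosted SMB on TCP 445, and whether the target still has any NetBIOS names registered. The Python script below probes those three ports and sends the same node-status (NBSTAT) query that "nbtstat -A" sends, decoding the reply per RFC 1001/1002. The host name W2KTARGET, the workgroup WORKGROUP and the sample reply bytes are constructed for offline testing, not captured from the thread.

```python
"""Check which transports a Windows host still exposes after "Disable NetBIOS
over TCP/IP" (UDP 137 / TCP 139 vs. direct-hosted SMB on TCP 445) and decode
the NBSTAT node-status reply listing the NetBIOS names it has registered."""
import socket
import struct
import sys

NBNS_PORT = 137          # NetBIOS name service (what "nbtstat -A" talks to)
NB_SESSION_PORT = 139    # SMB over the NetBIOS session service
SMB_DIRECT_PORT = 445    # direct-hosted SMB, no NetBIOS involved
NBSTAT_QTYPE = 0x0021

def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: pad to 15 bytes, append the suffix byte,
    then emit each nibble as 'A' + nibble. The node-status wildcard '*' is
    null-padded rather than space-padded."""
    raw = name.encode("ascii")
    raw = raw.ljust(15, b"\x00") if raw == b"*" else raw.upper().ljust(15, b" ")
    encoded = bytearray()
    for b in raw + bytes([suffix]):
        encoded += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(encoded) + b"\x00"

def build_nbstat_request(txid: int = 0x1234) -> bytes:
    """Node-status query for '*': 12-byte header plus one question."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_netbios_name("*") + struct.pack(">HH", NBSTAT_QTYPE, 1)

def parse_nbstat_response(data: bytes):
    """Return [(name, suffix, flags), ...] from an NBSTAT answer; raise
    ValueError if the packet is not a well-formed node-status response."""
    if len(data) < 12:
        raise ValueError("short packet")
    flags, _qdcount, ancount = struct.unpack(">HHH", data[2:8])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a response carrying an answer")
    pos = 12
    while data[pos] != 0:            # skip the length-prefixed answer name
        pos += 1 + data[pos]
    pos += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    if rtype != NBSTAT_QTYPE:
        raise ValueError("answer is not an NBSTAT record")
    rdata = data[pos + 10:pos + 10 + rdlen]
    names = []
    for i in range(rdata[0]):        # NUM_NAMES, then 18-byte entries
        entry = rdata[1 + 18 * i:19 + 18 * i]
        if len(entry) < 18:
            raise ValueError("truncated name entry")
        name = entry[:15].decode("ascii", "replace").rstrip()
        names.append((name, entry[15], struct.unpack(">H", entry[16:18])[0]))
    return names

def classify_transport(open_tcp_ports, netbios_names) -> str:
    """Which transport a share/user enumeration could have used."""
    if NB_SESSION_PORT in open_tcp_ports or netbios_names:
        return "netbios"
    if SMB_DIRECT_PORT in open_tcp_ports:
        return "smb-direct-445"
    return "none"

def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False

def nbstat(host: str, timeout: float = 2.0):
    """Send the node-status query and decode the reply; [] if nothing answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_request(), (host, NBNS_PORT))
        try:
            data, _ = s.recvfrom(1024)
        except OSError:              # timeout or ICMP port unreachable
            return []
    return parse_nbstat_response(data)

def _sample_nbstat_response() -> bytes:
    """Constructed reply for a hypothetical host W2KTARGET in WORKGROUP, to
    exercise the parser offline; not a capture from the thread."""
    entries = b"".join(n.ljust(15).encode() + bytes([sfx]) + struct.pack(">H", fl)
                       for n, sfx, fl in (("W2KTARGET", 0x00, 0x4400),
                                          ("W2KTARGET", 0x20, 0x4400),
                                          ("WORKGROUP", 0x00, 0xC400)))
    rdata = bytes([3]) + entries + bytes(46)   # 46-byte statistics block
    return (struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0) + encode_netbios_name("*")
            + struct.pack(">HHIH", NBSTAT_QTYPE, 1, 0, len(rdata)) + rdata)

SAMPLE_NBSTAT_RESPONSE = _sample_nbstat_response()

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    open_ports = {p for p in (NB_SESSION_PORT, SMB_DIRECT_PORT) if tcp_open(target, p)}
    names = nbstat(target)
    print("open TCP:", sorted(open_ports), "names:", names)
    print("enumeration transport:", classify_transport(open_ports, names))
```

Run it as `python nbcheck.py <target-ip>` from the attacking host. A target that reports no names, a closed 139 and an open 445 is in the state Clark describes: NetBIOS is off the wire, but the Server service still answers anonymous SMB on 445, so share and user enumeration (Q143474) still works until RestrictAnonymous or the Server service itself is dealt with. The classification deliberately treats any registered name or an open 139 as "netbios", since a scanner could have used either.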