Disabling NetBIOS over TCP/IP?

Joel D. Kraft

I have been considering disabling NetBIOS over TCP/IP in the
computers in my domain. I have a couple of computers with it
turned off, and there haven't seemed to be any problems with
this setup. I just want to run my observations by and see if
there are any glaring errors.

The domain is a Windows 2000 native domain with Windows 2003
servers, and all of the clients are running Windows XP. I've
never been a fan of NetBIOS, but in an educational environment,
it just screams for trouble. So the biggest advantage of change
seems to be the disabling of computer discovery through browsing
from both the client and server perspective. I think this is
great because it should reduce our exposure for student network
scanning "experiments", as well as for viruses that might use
NetBIOS. It also keeps folks on our machines from browsing for
other machines to get into mischief at work. (I know they can
still access things if they know the name of the computer.)

Other than that, everything else appears to work exactly the same
as before! I can still share files and printers, access shared
files and printers, and use the remote management tools. Is there
any functionality that might be hampered that I am missing? Is
there anything that might happen by doing this on a server, or
a domain controller?

If I decide to proceed, is there a way to get this to happen
across the entire domain via Group Policy or in the registry?

Thanks,
Joel (jdk6 at case dot edu)

Joel D. Kraft
Case Western Reserve University
 
Lanwench [MVP - Exchange]

Joel said:
> I have been considering disabling NetBIOS over TCP/IP in the
> computers in my domain. I have a couple of computers with it
> turned off, and there haven't seemed to be any problems with
> this setup. I just want to run my observations by and see if
> there are any glaring errors.
>
> The domain is a Windows 2000 native domain with Windows 2003
> servers, and all of the clients are running Windows XP. I've
> never been a fan of NetBIOS, but in an educational environment,
> it just screams for trouble. So the biggest advantage of change
> seems to be the disabling of computer discovery through browsing
> from both the client and server perspective. I think this is
> great because it should reduce our exposure for student network
> scanning "experiments", as well as for viruses that might use
> NetBIOS. It also keeps folks on our machines from browsing for
> other machines to get into mischief at work. (I know they can
> still access things if they know the name of the computer.)
>
> Other than that, everything else appears to work exactly the same
> as before! I can still share files and printers, access shared
> files and printers, and use the remote management tools. Is there
> any functionality that might be hampered that I am missing? Is
> there anything that might happen by doing this on a server, or
> a domain controller?

Only the loss of browsing - if you're OK with that, it's fine. Personally, I
secure my shares pretty tightly - use hidden shares, control security
through NTFS permissions, so I don't really mind if people can browse stuff
as long as they can't get into it. Then again, I don't support overly
curious students as my user base. :) With regard to viruses, it goes without
saying that you need good centralized desktop AV software that they can't
unload, set to update as often as possible (I like OfficeScan - it is set to
update hourly) and users should have no local admin rights.

> If I decide to proceed, is there a way to get this to happen
> across the entire domain via Group Policy or in the registry?

Presuming XP or 2000 Pro clients, in your DHCP properties on the server, I
think you can go to your scope options, advanced, choose "microsoft options"
in Vendor Class, and then select 001 - Microsoft Disable NetBIOS option.
I've never tried this, but it might do the trick....
 
Joel D. Kraft

> Only the loss of browsing - if you're OK with that, it's fine.
> Personally, I secure my shares pretty tightly - use hidden shares,
> control security through NTFS permissions, so I don't really mind
> if people can browse stuff as long as they can't get into it. Then
> again, I don't support overly curious students as my user base. :)
> With regard to viruses, it goes without saying that you need good
> centralized desktop AV software that they can't unload, set to
> update as often as possible (I like OfficeScan - it is set to
> update hourly) and users should have no local admin rights.

Well we are locked down with AV as well, but I don't miss the
opportunity to keep one step ahead wherever possible. I just
wanted to be sure there wasn't anything non-obvious with some
lingering dependency on NetBIOS!

> Presuming XP or 2000 Pro clients, in your DHCP properties on the
> server, I think you can go to your scope options, advanced, choose
> "microsoft options" in Vendor Class, and then select 001 - Microsoft
> Disable NetBIOS option. I've never tried this, but it might do the
> trick....

Anything for those of us that don't have any control over the DHCP
servers?

Thanks,
Joel (jdk6 at case dot edu)
 
Bill Grant

The only problem I can think of is that some apps may be hard-coded to
use Netbios. (Things like backup software, AV software, printer drivers
sometimes do this.) If you do have any, they will fail. Anything that uses
SMB should work fine using direct hosting on port 445.

AFAIK, the DHCP option would only definitely work if the clients are set
to use the default option in the advanced TCP/IP settings (which is use the
setting from DHCP or enable Netbios if DHCP is not used). Actually choosing
the "enable Netbios over TCP/IP" option on the client would override it, I
think. But that would require local admin privilege. And it wouldn't do much
good if the servers and other workstations had Netbt disabled.

Fiddling with the Advanced TCP/IP properties (where you set the Netbios
options) is usually blocked for non-privileged accounts. But it would be
tedious to have to go to every machine to disable Netbt.
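For Joel's follow-up (no control over the DHCP servers) and Bill's point that visiting every machine is tedious, the registry side can be scripted. The following is an added example, not code from any poster in this thread: a PowerShell script that reports the NetBIOS over TCP/IP setting of every TCP/IP interface on the local machine and, with -Disable, sets it to "disabled" both in the registry (persistent) and through WMI (takes effect on the running stack), then checks that nothing is left bound to the NetBIOS ports. It assumes it is run with local administrator rights and Windows PowerShell (the classic Get-WmiObject cmdlet is used deliberately so it works on older hosts). The registry path, the NetbiosOptions values and the Win32_NetworkAdapterConfiguration.SetTcpipNetbios method are the standard Windows ones; deploying the script as a Group Policy computer startup script is my suggestion for pushing it domain-wide.

```powershell
# Added example, not from the thread. Audit NetBIOS over TCP/IP (NetBT) per
# interface and, with -Disable, turn it off. Run elevated.
#
# NetbiosOptions under each Tcpip_{GUID} interface key:
#   0 = default: use the DHCP server's setting (option 001), enabled if no DHCP
#   1 = enable NetBT on this interface (overrides DHCP)
#   2 = disable NetBT on this interface (overrides DHCP)
param(
    [switch]$Disable   # report only unless this switch is given
)

$interfacesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$labels = @{ 0 = 'Default (DHCP decides)'; 1 = 'Enabled'; 2 = 'Disabled' }

Write-Host "NetBT setting per interface (registry):"
Get-ChildItem -Path $interfacesKey |
    Where-Object { $_.PSChildName -like 'Tcpip_*' } |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue
        # A missing value behaves like 0 (default).
        $current = if ($null -eq $props) { 0 } else { [int]$props.NetbiosOptions }
        Write-Host ("  {0,-46} {1}" -f $_.PSChildName, $labels[$current])
        if ($Disable -and $current -ne 2) {
            # Persistent setting; survives reboots and DHCP lease changes.
            Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
            Write-Host "    -> NetbiosOptions set to 2 (Disabled)"
        }
    }

if ($Disable) {
    # Apply to the running stack as well, so no reboot is needed.
    # ReturnValue 0 = applied, 1 = applied but a reboot is required.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $rc = $_.SetTcpipNetbios(2).ReturnValue
            Write-Host ("  {0}: SetTcpipNetbios(2) returned {1}" -f $_.Description, $rc)
        }
}

# Verification: with NetBT off, no local socket should sit on the NetBIOS ports
# (UDP 137 name service, UDP 138 datagram service, TCP 139 session service).
# File and printer sharing keep working because SMB is direct-hosted on TCP 445.
$bound = netstat -an | Select-String -Pattern '^\s*(TCP|UDP)\s+\S+:13[789]\s'
if ($bound) {
    Write-Host "Local sockets still on NetBIOS ports (reboot or re-run after an adapter reset):"
    $bound | ForEach-Object { Write-Host ("  " + $_.Line.Trim()) }
} else {
    Write-Host "Nothing bound to UDP 137/138 or TCP 139: NetBT is off on this host."
}
```

Run it without arguments first to see what each interface is currently set to; the "Default (DHCP decides)" label is exactly the state Bill describes, where DHCP vendor option 001 controls the outcome. Setting the value to 2 makes the interface independent of DHCP in either direction, which also closes the case he raises of a local administrator flipping the client back to "enabled". Before rolling it out to servers, run the audit on a pilot machine and watch for the hard-coded dependencies he mentions (backup agents, AV consoles, printer drivers) failing to connect.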