NetBios Over TCPIP

caddo65590

Hi Everyone,
In Windows 2000 OS, Microsoft provided the option to disable NetBIOS over
TCP/IP.
1. My question is, in what situations can you use this feature and what are
the implications when you are in a purely Microsoft network environment?
2. What will also be the implications when you have a pure Win2k domain
without WINS and NetBIOS over TCP/IP is disabled? You also have an NT4.0
domain with a bidirectional trust relationship with the Win2k domain.
Since NT4 is NetBIOS based, will this implementation be possible?
Any ideas or articles regarding this configuration will be appreciated.
Thanks
 
Kevin D. Goodknecht Sr. [MVP]

In caddo65590 <[email protected]>
posted their concerns,
Then Kevin D4Dad added his reply at the bottom.
Hi Everyone,
In Windows 2000 OS, Microsoft provided the option to disable NetBIOS
over TCP/IP.
1. My question is, in what situations can you use this feature and
what are the implications when you are in a purely Microsoft network
environment?
2. What will also be the implications when you have a pure Win2k
domain without WINS and NetBIOS over TCP/IP is disabled? You also have
an NT4.0 domain with a bidirectional trust relationship with the
Win2k domain. Since NT4 is NetBIOS based, will this implementation be
possible?
Any ideas or articles regarding this configuration will be
appreciated. Thanks

If you disable NetBIOS over TCP/IP, Network Neighborhood won't work; you will
have to access shares with the FQDN.
 
Herb Martin

Kevin D4 Dad Goodknecht Sr. [MVP]
If you disable NetBIOS over TCP/IP, Network Neighborhood won't work; you will
have to access shares with the FQDN.

Kevin gave you the worst of it -- Browsing is a legacy
application that most people still depend upon.

You need NetBios to support legacy machines (NT/9x) or
legacy applications (browsing, 3rd party stuff perhaps).

There are also a handful of other small irritations that may or
may not bother any particular network, e.g., you cannot
specify WHICH machines a user may use (AD Users and
Computers User Properties. It won't work anyway.)
 
Ace Fekay [MVP]

In
Herb Martin said:
Kevin gave you the worst of it -- Browsing is a legacy
application that most people still depend upon.

You need NetBios to support legacy machines (NT/9x) or
legacy applications (browsing, 3rd party stuff perhaps).

There are also a handful of other small irritations that may or
may not bother any particular network, e.g., you cannot
specify WHICH machines a user may use (AD Users and
Computers User Properties. It won't work anyway.)

Yes, it solely depends on your network requirements and any applications
still running on the network. You would have to inventory your apps, look
them over, determine what is being used, and contact the vendors if not sure. If
pure MS, there are *still* apps that require NetBIOS that you may not even
be aware of.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Jim Carlock

Very very important to keep NetBIOS around. Except on your connection to the
Internet, if you have a connection to the Internet. DO NOT use NetBIOS on
the adapter that connects you to the Internet.

(I hope I'm correct in this advice.) ;-)
 
Ace Fekay [MVP]

In
Jim Carlock said:
Very very important to keep NetBIOS around. Except on your connection
to the Internet, if you have a connection to the Internet. DO NOT use
NetBIOS on the adapter that connects you to the Internet.

(I hope I'm correct in this advice.) ;-)

Yes, I would agree. One of my standard procedures with a multi-homed machine
where one of the NICs is on the outside: disable NetBIOS, disable F&P
Services and the MS Client service. It pretty much disables 135, 137, 139,
and 445.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
John Coutts

Better yet, just block the ports on the network boundary router and don't worry
about NetBios.

137/udp
138/udp
139/tcp
445/tcp

Port 445 doesn't perform any useful function anyway (duplicates 137/139
function), so disable it by adding the following registry value:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Value: SmbDeviceEnabled
Type: DWORD value (REG_DWORD)
Content: 0 (to disable)

Port 135 is a little more difficult to disable because it is bound by default
to all network cards, and must be specifically disabled on each interface. I
have not yet found sufficient justification to go to that much trouble. With a
little bit of work, you can reduce the open ports on non-server XP/2000 to:

Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 192.168.1.6:139 0.0.0.0:0 LISTENING
UDP 192.168.1.6:137 *:*
UDP 192.168.1.6:138 *:*

J.A. Coutts
Systems Engineer
MantaNet/TravPro
************** REPLY SEPARATER ****************
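A defender's check that ties this post and the "not on the Internet adapter" advice above together, added here as example code (not from any poster): it parses the `netstat -an` layout quoted in the post and reports which of the ports 135/137/138/139/445 are still reachable outside the internal LAN. The internal network 192.168.1.0/24 and the extra listener on 203.0.113.7 are constructed assumptions, not data from the thread.

```python
import ipaddress
import re

# Ports the thread discusses and why each one matters on an exposed adapter.
PORTS = {
    135: "RPC endpoint mapper (tcp)",
    137: "NetBIOS name service (udp)",
    138: "NetBIOS datagram service (udp)",
    139: "NetBIOS session service (tcp)",
    445: "direct-hosted SMB (tcp)",
}

# Assumption: the internal LAN is the 192.168.1.0/24 seen in the netstat
# output; anything listening elsewhere is treated as the outside adapter.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample in the `netstat -an` layout quoted in the thread, plus an
# invented listener on a documentation-range address standing in for the NIC
# that faces the Internet.
SAMPLE_NETSTAT = """\
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 192.168.1.6:139 0.0.0.0:0 LISTENING
TCP 203.0.113.7:445 0.0.0.0:0 LISTENING
TCP 192.168.1.6:1025 203.0.113.9:80 ESTABLISHED
UDP 192.168.1.6:137 *:*
UDP 192.168.1.6:138 *:*
"""

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?$")

def exposed_listeners(netstat_text, internal_nets=INTERNAL_NETS):
    """Return (proto, address, port, reason) for NetBIOS/SMB/RPC listeners
    that are reachable beyond the internal LAN adapters."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines and anything not in socket-row form
        proto, addr, port, _foreign, state = m.groups()
        port = int(port)
        if port not in PORTS:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # only listeners matter; UDP rows carry no state column
        ip = ipaddress.ip_address(addr)
        if ip.is_unspecified:
            reason = "bound to all interfaces, including any external NIC"
        elif ip.is_loopback or any(ip in net for net in internal_nets):
            continue  # confined to an internal adapter, as the thread recommends
        else:
            reason = "bound to an address outside the internal LAN"
        findings.append((proto, addr, port, f"{PORTS[port]}: {reason}"))
    return findings

if __name__ == "__main__":
    for proto, addr, port, why in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:{port} -> {why}")
```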
 
Ace Fekay [MVP]

In
John Coutts said:
Better yet, just block the ports on the network boundary router and
don't worry about NetBios.

137/udp
138/udp
139/tcp
445/tcp

Port 445 doesn't perform any useful function anyway (duplicates
137/139 function), so disable it by adding the following registry
value:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Value: SmbDeviceEnabled
Type: DWORD value (REG_DWORD)
Content: 0 (to disable)

Port 135 is a little more difficult to disable because it is bound by
default to all network cards, and must be specifically disabled on
each interface. I have not yet found sufficient justification to go
to that much trouble. With a little bit of work, you can reduce the
open ports on non-server XP/2000 to:

Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 192.168.1.6:139 0.0.0.0:0 LISTENING
UDP 192.168.1.6:137 *:*
UDP 192.168.1.6:138 *:*

J.A. Coutts
Systems Engineer
MantaNet/TravPro
************** REPLY SEPARATER ****************

I couldn't agree more to stop it at the network entry point, as I do with my
own network and my clients' networks. I think adding the reg entries is
extra administration, but it works just fine (except, as you said, 135, since
that's the RPC port); another way to do it, or even easier, if the
network has no entry point firewall/access-list/ISA-Proxy, is to go with BlackIce,
Zone Alarm or any one of those personal firewalls.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 