XP networking without NetBIOS or Active Directory

v8625

Need to network a few XP machines, Windows 2003 (standalone) server
and a Linux box (obviously needs Samba to talk to Windows). Setting up
Active Directory would require setting up a domain, a DNS server and
all that other good stuff that I am actually trying to avoid because
some of the machines, including Windows server, can be powered down at
times.
I would also like to keep things secure and block all NetBIOS traffic
on ports 135-139. Sufficient networking can be had with "NET USE" or
by running \\hostname\sharename in Windows Start>Run. I would still
keep port 445 for Samba.
1. Does it make sense?
2. Is there anything else I could do to improve
security/reliability/performance?
 
Steven L Umbach

You can disable netbios over tcp/ip if you do not have any applications that
rely on it nor care to use My Network Places to browse for network
resources. I am not sure how much it will secure your network and from whom
in your case. The biggest vulnerability to netbios is from the internet for
which you are going to need a firewall anyhow. The firewall would be the
biggest item to use to implement security followed by virus protection that
also scans emails, keeping current with critical updates, and using complex
passwords along with enabling auditing of logon events and having a password
lockout policy. There is certainly much more you can do to secure your
Windows machines beyond that, but that is a good start. Refer to the links
below for more help on securing your XP/2003 computers. --- Steve

http://www.microsoft.com/technet/security/topics/hardsys/tcg/tcgch00.mspx
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
 
v8625

I agree that a firewall is the single most important issue in securing
(any) network. And I am working on that - besides software firewalls
on each machine, I am implementing a hardware firewall on the gateway.
Currently looking for information on how to set that up without
wreaking havoc on the users - which ports to block, which ones to
allow, etc.
Your other point - from whom am I going to secure the network by
disabling traffic on ports 135-139 internally - also made sense.
Especially considering that XP does not appear to have a capability to
password-protect a share - it's either open for sharing by literally
anyone or fully closed for everyone. Now this is a hard one. I was
hoping I would be able to control that.
Thanks for the useful links.
 
Steven L Umbach

It sounds like you are using XP Home?? As in XP Pro you can control access
to shares based on users/groups [after disabling simple file sharing] and
further use Local Security Policy to lock down a machine. I have never used
XP Home, so it is hard for me to comment but I hear you can configure NTFS
somewhat by booting into safe mode as the local administrator. If you
disable netbios over tcp/ip and do not have an internal DNS server you will
also need to use hosts or lmhosts files on your computers so that they can
find one another because the ISP DNS server will not be able to provide that
information for them.

As far as a gateway firewall, unless you are providing services to internet
users on your network, it is best to leave the default block all uninitiated
inbound traffic rule in place. If you are going to do the same for outbound
traffic to the internet you will probably want to have at least 53 udp and
tcp, 80 tcp for http, and 443 tcp for https allowed for basic web browsing
and add whatever else you need such as 25, 110, 119 all tcp for mail and
news and 21 tcp for ftp. If you want to see what ports a computer is using
for a network application try using TCPView from Sysinternals, which is also
good for checking for trojans and unwanted intrusions. --- Steve

http://www.sysinternals.com/ntw2k/source/tcpview.shtml
http://www.iss.net/security_center/advice/Exploits/Ports/default.htm --- common ports.
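
An added example, not part of the original thread and not written by either poster: a small audit of saved `netstat -an` output against the port policy discussed above (ports 135-139 closed, outbound internet traffic limited to the listed DNS, web, mail, news and FTP ports). The function names, the sample text and the assumption that the LAN uses RFC 1918 addresses are all illustrative.

```python
import ipaddress

# Outbound allow-list from the reply above: DNS, HTTP, HTTPS, mail, news, FTP.
EGRESS_ALLOWED = {("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443),
                  ("tcp", 25), ("tcp", 110), ("tcp", 119), ("tcp", 21)}
CLOSED_PORTS = range(135, 140)  # 135-139, the range the thread wants blocked
# Assumption: internal hosts use RFC 1918 space; anything else is internet.
LAN = [ipaddress.ip_network(n)
       for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1051      198.51.100.7:6667      ESTABLISHED
  TCP    192.168.1.10:1060      192.168.1.20:445       ESTABLISHED
  UDP    192.168.1.10:137       *:*
"""

def split_endpoint(endpoint):
    """Split 'host:port'; port is None when netstat prints '*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def audit(netstat_text):
    """Return policy findings as tuples, in the order the lines appear."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].lower() not in ("tcp", "udp"):
            continue  # column headers and blank lines
        proto = fields[0].lower()
        state = fields[3] if len(fields) > 3 else ""  # UDP has no state
        _, lport = split_endpoint(fields[1])
        rhost, rport = split_endpoint(fields[2])
        # A bound port in 135-139: a TCP listener or any UDP socket.
        if lport in CLOSED_PORTS and (state == "LISTENING" or proto == "udp"):
            findings.append(("port-still-open", proto, lport))
        elif state == "ESTABLISHED":
            peer = ipaddress.ip_address(rhost)
            if any(peer in net for net in LAN):
                continue  # LAN traffic (e.g. SMB on 445) never hits the gateway
            if (proto, rport) not in EGRESS_ALLOWED:
                findings.append(("egress-not-allowed", rhost, rport))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running it on a machine's own saved output before tightening the gateway's outbound rules shows which applications would be cut off by the allow-list.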
 
