|Your Report Card|
|Conclusion: Possible Problem! We did get information from scanning your ports, this information could encourage attackers to probe further. Do you know why you are advertising these services to the net? perhaps installation of a firewall, or reconfiguration of your firewall to be more secure, would provide peace of mind.|
|other TCP ports
|We received a response that this port was closed.|
|TCP port 139
|Advice for OS : windows
by Mikey B
NetBIOS is a protocol that was originally developed by IBM in the mid 1980's. Microsoft later adopted the protocol, and it is now used to provide all native services under Windows. While this in itself is not a problem, the way that the protocol is implemented can be.
NetBIOS is used for File, and Print sharing under all versions of Windows. This service is provided with the Windows operating system to allow users on the same network segment to share resources, such as directories on the users hard disk drive, and their printer with any other user that is on the same network. While these shares can be very useful, and generally are, the way that file, and printer sharing is implemented isn't. When Windows is installed, it binds everything to everything else. This means that where usually a file share would only available on the local network, when it is bound over TCP/IP (The protocol used on the internet), these files can be shared over the entire internet, and anyone with a little knowledge can connect to your system, and view, modify, add, or even delete the files in the shared directories.
The damage that can be done to a system depends on which directories are actually shared, for example sharing your windows directory has more dire consequences for your system than sharing a documents folder. If the Windows directory is shared then there is nothing to stop an attacker from adding lines to your start-up files, or uploading remote access trojans, such as "Back Orifice", "Sub7" or "NetBus", to your Windows\Start Menu\StartUp directory, which would then providethe intruder with unlimited access to your system.
You may be sitting reading this, and thinking "I don't have any file shares set-up, so I'm safe". Well, possibly, but there is also the possibility that you could be sharing directories without even knowing about it. I have come across many people who have unwittingly shared out directories of their hard disk, either due to human error, or malicious activity. For example on one network that I came across, in a university halls of residence, while a group of people were "kindly" helping others to set-up their machines and connect to the internet, they also helped themselves to some of their disk space by sharing directories of their hard disk drives.
Sharing is the most common attack form of against Windows machines, but is not the only one. Any system that has port 139 open is also vulnerable to DoS (Denial of Service) Attacks. The majority of systems are now patched against the most common for of DoS, but there is nothing to suggest that others won't also appear. Any machine with NetBIOS enabled should be considered a risk. The best way to consider this is to compare it with a house. If you are out there on the internet with all of your doors open, then eventually someone is going to walk in. If you slam those doors shut, and lock them, then nobody can come in.
Both Windows 9x, and Windows NT are vulnerable to attack via the NetBIOS protocol, and there are some similarities in the measures that can be taken to secure your system, but there are also some significant differences between action that needs to be taken to secure each system, so as well as the information below there are also two sections at the bottom that contain information specific to each operating system.
The best piece of advise that I can offer as to the best way to protect your system, is to disable file sharing altogether especially on a Windows 9x machine. If you must share files then there are some simple precautions to take.
Make sure that *all* file shares have string alphanumeric passwords, which preferably also contain non-alphabetic characters, such as '｣',#', etc. This will make it as difficult as possible for unauthorised intruders to gain access to your machine, and NEVER put the password in the description of the share. You should also always give your file share unimaginative names and descriptions. No cracker is going to be bothered about looking at your family photographs, but may well be interested in the files in a directory called "Important Documents".
You should also concatenate a "$" to the end of the name of each of the shares to make them invisible to the casual snooper who is using the NET VIEW command.
You must also be aware though that even with all of these precautions taken then you may not be completely safe. There are programs available that will brute force the password of a file share, by trying every possible combination of letters to attack it, and may also use a dictionary file to try the most common passwords that are used. You should make sure that you always use a long password, and one that isn't a word in the dictionary. Concatenating a number to a word is also unsuitable as there are crackers that will also use these strings.
And finally whenever NetBIOS is enabled you can be leaking out information about your system to the entire internet, such as your computer name, and workgroup name. While this may not seem to be very serious, it can be used against your system.
As I said previously, there is only one way to be safe when using Windows 9x, and that is to turn off file and printer sharing. If you must use any form of sharing though, there this is how to secure it, in addition to taking the advise that is offered above.
If you are in charge of a number of systems, and are sure that you have turned file and printer sharing off, but are worried about one of your users turning it back on, then the best course of action to take is to use the Policy editor, which you can use to disable sharing centrally, as follows
Run the policy editor, and select the "Default Computer", and then "Properties". One of the options in the list that you are presented with is "File and Printer Sharing for Microsoft Networks". If you expand this tree, then there will be two opens here, "Disable File Sharing", and "Disable Printer Sharing". Ensure that both of these are checked, this will ensure that file and printer sharing are both disabled. The policy editor can be found in the \TOOLS\RESKIT\NETADMIN\ directory on your Windows 9x CD-ROM, or if you don't have that then you can also get the policy editor direct from Microsoft at http://support.microsoft.com/support/kb/articles/Q135/3/15.ASP.
** NB THIS SECTION IS BASED ON THE INFORMATION THAT IS AT GRC.COM, NONE OF IT IS COPIED, BUT THE CONCEPT CAME FROM THERE, THIS IS THE ONLY SITE THAT I HAVE FOUND THAT CONTAINS THE INFORMATION ON UN-BINDING NETBIOS **
With Windows 9x Microsoft have the annoying practice of binding everything to everything else. If you install the TCP/IP protocol on your system, then by default, TCP/IP will be bound to both your Dial-Up connection, and to any Network cards that you may have. The same also happens in the next layer up, where you will find that TCP/IP will also bind itself to "NetBIOS", which is where the problem lies with Windows 9x file and print sharing.
So that you can safely share your files and directories, you will want to unbind TCP/IP from all of your adapters that aren't used to connect to the internet, and to unbind NetBIOS from those that need TCP/IP.
Although you will be using TCP/IP only for your dial-up connection you will still need a protocol to run NetBIOS over, so that you can still share your files. There are two possible replacements for this NetBEUI, and IPX/SPX. Personally I recommend NetBEUI as the protocol is not routable, meaning that non of your file share can escape beyond your local network.
NetBEUI is installed as follows (you may need your Windows CD for this one)
From the Windows control panel, open the "Network", icon. This will present you with a list of all of the adapters, protocols, and services that your machine is running, but for the minute we don't need to consider these. Select the "Add..." button from this dialog box, and this will present you with another dialog box, which gives you the choice of adding a "Client", "Adapter", "Protocol", or "Service", from here you want to highlight "Protocol", and then click the "Add..." button. This will present you with yet another dialog box, which this time is split into two different panes, in one it gives a list of different manufacturers, from this you should select "Microsoft". This will lead to the right hand pane being updated with a list of the possible protocols that can be added, from here you want to select "NetBEUI", and then click the "OK" button. Windows will then look for the drivers on the Windows CD, and install them when it finds them. You will then be asked if you want to restart the computer, you do, so click the "OK" button.
Now that NetBEUI is installed it is time to unbind TCP/IP from all of your network adapters other than the one that you use to connect to the internet. You can do this again using the control panel, and then selecting the "Network" option, this time highlight your network adapter, and then click the "Properties..." button. This will bring up a dialog box which has three tabs along the top, labelled, "Driver Type", "Bindings", and "Advanced. Here you want to select the "Bindings". This will bring up a list of each of the bindings between your network adapter, and the protocols. Uncheck each of these boxes in turn, apart from the NetBEUI one. This is what you'll be using to communicate now that you have unbound TCP/IP. Once you have done this, do the same thing with each of the other adapters that are on your system, APART from the adapter that you use for your internet connection.
Considering we have now unbound the lowest and middle layers, you will now need to move further up. This isn't dissimilar to the previous step, but this time you must select each of the protocols in turn, except NetBEUI, and NetBIOS. Select the TCP/IP protocol by highlighting it, and then click the "Properties" button. You will be presented with a dialog box that has an array of tabs along the top. The actual number will vary depending on the protocol. Select the "NetBIOS" tab. The dialog box will then be updated to show, the line of text.
"NetBIOS support allows you to run NetBIOS applications over the TCP/IP protocol"
There will be a check box underneath where you select whether you want to enable NetBIOS over TCP/IP, you want to make sure that this box is not selected. You will also want to select the "Binding" tab, and make sure that each of the protocols are bound to the NetBEUI protocol. Finally you will want to select the TCP/IP protocol in the same way by highlighing it, and then clicking "Properties", now select the "Bindings" tab, you will want to make sure that all protocols are unbound from TCP/IP, by un-checking each of the boxes.
Then click "OK". You will be asked to restart your computer, click "OK", when you restart your system, your system should be as secure as it can ever be in respect to file, and print sharing, and the NetBIOS ports should no longer be open. You can test this by running the Port Probe again.
I've already said it twice, but I'm afraid that I am going to have to say it again. The only way that you can be completely safe is to disable all file, and print sharing services. Although fortunately, this is still relatively simple under Windows NT. To disable the file and print sharing services, you need to open the Control Panel, and then select "Services".
But if you must use any form of sharing, then it is best to make it as secure as possible. NetBIOS is not a routable protocol, which means that it is only supposed to be used on local sub-nets, and not over a wider area. It is the way that NetBIOS can be bound over TCP/IP that causes NetBIOS to be routable, so the best way to ensure security is to unbind NetBIOS from TCP/IP, which means that the shares are only accessible on the local sub-net once more, as was originally intended.
First of all, if you only have one network adapter installed on your system, then you will need to install the "MS Loopback Adapter" onto your system. What this does is basically create a network connection back to your local machine. This is needed to bind the "WINS Client" to, as without having this installed you will be presented with a lot of error messages when you start your system. Installing the loopback client gives you something to bind the WINS client to without using an adapter to bind it to.
If you have more than one adapter installed on your system, and at least one of them is only used internally, then there is no need to install the Loopback Adapter, as you can use this adapter to bind the WINS client to.
To install the loopback adapter, you will need to open the control panel, and select the "Network" icon, when you open this box, select the "Adapters" tab, this will give you a list of all of the adapters on your system. You want to install a new adapter, so click the "Add..." button. You will then be show another dialog box with a list of network adapters in, scroll down the list until you come to the adapter "MS Loopback Adapter", now with this highlighted select the "OK" button, you will then be presented with another dialog box, this one asking you about the "Frame Type", this will be correct (802.3), so you just need to click "OK" again. Finally you will be asked for your Windows NT CD, insert this into the CD-ROM drive, click "Continue", and the adapter will be installed. Now you will want to close this box by clicking the "OK" button, which will save the new configuration to disk. When you confirm the new configuration, you will be presented with a new dialog box, this time it is used to configure TCP/IP for the adapter, as there are not settings for it yet, as you have just installed it. Where there is the "Adapter" list box, you will want to select your new adapter, the "MS Loopback Adapter" if it isn't already selected, now you need to set the "IP address", for this you want to enter 192.168.0.1, this is an IP address that will not be routed to the internet. You will now need to set the "Subnet Mask" as 255.255.255.0. You don't need to enter anything for the "Default Gateway". Now click the "OK" button to save these settings, you will then be asked if you want to restart Windows NT. You don't need to at this point so click the "No" button. The loopback network is now set-up correctly.
Now that the loopback network is set-up correctly you will now need to install NetBEUI. You can do this by opening the control panel, then open "Network", and then the "Protocols" tab. If NetBEUI isn't already installed then you will need to install it, so click the "Add..." button. You will then be presented with a list of network protocols, highlight "NetBEUI Protocol", and then click "OK", windows will ask you for your Windows NT CD-ROM, inset it, and then the "NetBEUI Protocol" will be installed, click "OK" when the "TCP/IP Properties" are displayed. Now click the "No" button when asked if you want to restart windows.
Now you will need to open the "Network Configuration" dialog box again, from the Control Panel, followed by the network icon. From the set of tabs along the top of the screen select the last one, which is the "Bindings" tab. Where there is the "Show Bindings for:" list box, change it to display "all protocols". You will be presented with a list of all of the protocols installed on your machine, with the adapters that are bound to that protocol coming off the protocol icon, if you can't see the adapters you may need to click the [+] sign next to the name of the protocol.
Now we want to close all of the NetBIOS ports on your system, so we will need to disable NetBIOS over TCP/IP, the WINS client. Select the protocol name "WINS Client(TCP/IP)". Now you will want to unbind it from your internet connection. Select the"MS Loopback Adapter", or the network card that you only use internal, and highlight the copy that is under "WINS Client(TCP/IP)", now if it isn't already enabled (there is a red crossed out circle instead of the picture of a network card), then you will want to click the "Enable" button. Now, you will want to select all of the other adapters, especially the adapter that you use to connect to the internet, highlight them, and click the "Disable" button. Considering that you only installed the "MS Loopback Adapter" so that you could unbind the "WINS Client", you will want to select each of the other copies of the "MS Loopback Adapter", and click the "Disable" button to disable it.
The NetBIOS ports on your system should now be closed, you can test this by running the port probe against your machine again, ports 137, 138, and 139 should now all be closed.
|TCP port 1405
|We have no specific hints for this port number just yet. We are monitoring results though, and we add advice for port numbers that come up frequently.|
|TCP port 2000
|We have no specific hints for this port number just yet. We are monitoring results though, and we add advice for port numbers that come up frequently.|
|ALL UDP ports
|No response (open or closed) to an open request was received.|