Robert said:
I have two separate hard drives, each being configured
separately at widely different times.
To close a number of ports, GRC suggests to use the Network
icon and re-configure bindings to a certain indicted form.
As a point of reference, i did that on 2 yet different HDs
with Win98SE and the procedure worked very well.
But this is not possible (yet) on either Win2K HD, as the
Network icon does not exist and i do not know how to fix that.
Help?
John said:
Right click "My Network Places" and click on Properties.
Robert said:
Well...all that got me was the Network Dialup connections,
which is available in the Control Panel.
And Properties on my ISP dialup does not have any of the
controls needed.
There seems to be no control of Server Types, no way to
uncheck "i want to enable NetBIOS over TCP/IP" on any and all
protocol lines, no way to install (much less configure or bind)
NetBEUI, and no way to change/set hardware adaptor bindings.
What i want is TCP/IP and NetBEUI to be bound to DialUp
Adaptor, and Microsoft Family Logon bound to NetBEUI, period - no
other bindings.
So,how do i get that done?
John said:
NetBEUI??????!!!!!! Is your computer part of an MS-DOS network?
Do you have any (old) applications that specifically require
NetBEUI? Is your computer even part of a network, or is it a
stand alone? The settings you ask about are not needed on stand
alone machines and in this day and age the NetBEUI protocol is
hardly ever required or used. I don't know where you are getting
the information but I think it must be severely out of date! The
settings you seek to change are bound to the network adapter.
Robert said:
See
http://www.grc.com/default.htm
I have a stand-alone computer, no network cards, use an external
modem for dial-up.
NetBEUI is recommended to be used with the described bindings
because it is safe and appears to not be related to any
application(s).
With the specified bindings, all ports from the 1024 region and
down are closed to the outside.
Works wonders; no firewall necessary.
John said:
So, how do you think that your computer connects to the internet?
And what makes you think that ports above 1024 aren't used for
security exploits? (Search for Back Orifice, just for one). And do
you think that NetBeui is invulnerable, that it can't be used for
security exploits? What is the purpose of having additional
unneeded protocols installed?
Robert said:
Be so kind as to log to the GRC website and do a bit of research.
Adding NetBEUI was fairly easy, but i still cannot see, much less
change any bindings.
How can i see and change bindings in Win2K?
John said:
Supply a link to the GRC site and the information that you are
reading. I can only suspect that the information that you are reading
is severely out of date or that it is meant for W9x machines. I don't
know why anyone would want to bind NetBEUI to the Dial-Up adapter, and
I know even less why anyone would even want to enable it on a stand
alone machine, to me it makes no sense. Maybe in special modem to
modem network access scenarios NetBEUI would be bound to the adapter
but I have never done things like that, the internet is accessed on
the TCP/IP transport protocol, that is usually the only protocol that
you need on a stand alone machine, some people who game online
sometimes use other protocols but that is a different thing than what
we are generally talking about here.
Robert said:
Several points need to be made here:
1- The information on the GRC page is severely out of date, it was
written pre Windows 2000, it makes absolutely no mention at all of any
operating systems post 1998. Do not think for one minute that they are
no NetBEUI exploits!
2- You appear to be following instructions intended for Windows 95/98.
If you are new to Windows 2000 may I suggest that you leave Windows
95/98 fixes and solutions behind, do not think or assume that Windows 9x
tweaks and fixes apply to Windows 2000, most don't. While the operating
systems may have the same feel or look as presented by Windows Explorer
and the Desktop GUI (Graphic User Interface), almost everything else
under the hood is completely different. The differences between Windows
9x and Windows 2000 is like the difference between a Cessna plane and a
Learjet, both have wings, both fly, both carry passengers and both have
landing wheels, but that is about it, nothing else is the same!
3- If you are trying to accomplish something with Windows 2000 and if
specific instructions or information is unavailable for Windows 2000,
read NT4 or XP instructions and information instead of relying on
literature written for Windows 9x. Windows NT and Windows XP are in the
same family of operating system as Windows 2000, their architecture is
very similar, the Windows 9x architecture is completely different. Of
course, there are some subtle as well as significant differences between
NT4, 2000 and XP, do not take it for granted that everything or anything
that applies to one also applies to others, use caution and sound
judgment when trying to adapt instruction meant for one NT version to
another version.
4- You have misunderstood the purpose of the information on the GRC
site. Read the information again. The purpose is to (supposedly)
lessen the chances of attacks against a Local Area Network (LAN).
Basically what Steve Gibson is saying is to use the NetBEUI protocol on
the LAN and unbind TCP/IP from the network adapter, and, of course, use
the TCP/IP protocol only on the Dial-up adapter, the NetBEUI protocol is
non-routable so it cannot be resolved by internet servers, the TCP/IP
protocol is required to access the internet. There is absolutely no
need whatsoever to bind NetBEUI to the Dial-up adapter and nowhere in
his instructions does he mention to do this, binding NetBEUI to the
dial-up adapter makes absolutely no sense at all! Furthermore,
installing unnecessary protocols on computers does not offer additional
security, quite to the contrary it only offers an offers additional
attack vectors and opens up more holes in your security plans.
5- Steve Gibson isn't without his fair share of critics, some of which
are very vehement. Personally I think he has done a fairly good job of
making people aware of certain security risks. At a time when Microsoft
was nearly oblivious of security risks and concerns he was beating the
drums. Certainly anyone who followed his advice on port 135 was well
served when the blaster worm came out. He has written some good
utilities and his Shields Up!! utility is a great resource for people
who want to test for open ports, he has helped in making people more
aware of security risks and more responsible computer users. Personally
I don't have anything against Mr. Gibson, but I wouldn't necessarily
follow his advice to put my LAN on the NetBeui transport protocol.
You need to consult different sites and do more reading on Windows 2000
security. Much of the information on Steve's site is solid, but you
have misunderstood some of the things mentioned there. Forget this
nonsense of binding NetBEUI to the dial-up adapter! Get rid of all
protocols except for TCP/IP. To secure your Windows 2000 installation
disable unneeded services like the Server service (File & Print sharing)
and NetBT (NetBIOS over TCP)services. Do more research on Windows 2000
security. And for heaven's sake get yourself a firewall! Be it a
hardware or software firewall, just get one! Running an NT installation
without a firewall is asking for trouble! You said earlier that you had
closed all ports below port 1024, how exactly did you close those ports?
And what about ports above 1024? Get a firewall!
John
