VOGONS


First post, by sliderider

http://www.forbes.com/sites/thomasbrewster/20 … 17#1d58b4525c64

A bug that has existed since Windows 95 allows attackers access to systems even through firewalls by using trusted connections that utilize NetBIOS and they can do it from anywhere and remain undetected since their connection is considered "trusted" by Windows.

Reply 1 of 29, by dr_st

Very interesting. Trying to assess the implications here.

First of all, if I remember correctly, NetBIOS over TCP/IP should only be required in a mixed network of NT5+ and NT4/9x systems. Is that true? In other words, in any semi-modern network, it can be safely disabled without loss of connectivity / sharing between computers?

Second, they say there that "disabling outbound connections on port 137 will have the same effect". Is that per PC or is it sufficient to do in the gateway only? Basically, the question is whether there is a way to protect from the possible exploit without losing NetBIOS over TCP-IP functionality.

https://cloakedthargoid.wordpress.com/ - Random content on hardware, software, games and toys
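
Added example (not part of the thread or of any poster's reply): for the question above about blocking outbound port 137 at the gateway, this Python script scans gateway log lines for UDP port 137 packets that leave the LAN, which is the traffic such a rule would stop. The key=value log format, the sample lines and the 192.168.1.0/24 LAN range are constructed assumptions.

```python
import ipaddress

# Constructed sample gateway log lines (key=value style), not from the thread.
SAMPLE_LOG = """\
Jun 21 04:01:10 gw kernel: FWD SRC=192.168.1.20 DST=192.168.1.255 PROTO=UDP SPT=137 DPT=137
Jun 21 04:01:12 gw kernel: FWD SRC=192.168.1.20 DST=203.0.113.7 PROTO=UDP SPT=137 DPT=137
Jun 21 04:01:15 gw kernel: FWD SRC=192.168.1.31 DST=198.51.100.9 PROTO=TCP SPT=49211 DPT=443
Jun 21 04:01:19 gw kernel: FWD SRC=192.168.1.31 DST=198.51.100.9 PROTO=UDP SPT=51000 DPT=137
Jun 21 04:01:20 gw kernel: truncated entry SRC=192.168.1.31
"""

def parse_fields(line):
    """Return the KEY=value tokens of one log line as a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def outbound_nbns(log_text, lan="192.168.1.0/24"):
    """List (src, dst) pairs for UDP/137 packets that leave the LAN."""
    lan_net = ipaddress.ip_network(lan)  # assumed LAN range
    hits = []
    for line in log_text.splitlines():
        f = parse_fields(line)
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
            dport = int(f["DPT"])
        except (KeyError, ValueError):
            continue  # malformed or truncated line
        if f.get("PROTO") != "UDP" or dport != 137:
            continue
        # Name queries that stay on the LAN (including the subnet
        # broadcast) are normal; only off-LAN destinations are reported.
        if src in lan_net and dst not in lan_net:
            hits.append((str(src), str(dst)))
    return hits

if __name__ == "__main__":
    for src, dst in outbound_nbns(SAMPLE_LOG):
        print(f"outbound NetBIOS name service: {src} -> {dst}")
```
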

Reply 3 of 29, by sliderider

kixs wrote:

How does any bug on any OS affect firewall on the router?

Software firewalls not hardware.

Reply 4 of 29, by Kreshna Aryaguna Nurzaman

sliderider wrote:
kixs wrote:

How does any bug on any OS affect firewall on the router?

Software firewalls not hardware.

And isn't a "hardware firewall" basically a software firewall with a lighter-weight O/S and more specialized hardware?

Never thought this thread would be that long, but now, for something different.....
Kreshna Aryaguna Nurzaman.

Reply 5 of 29, by ratfink

Doesn't seem any different to the scare stories we tell each other anyway.

Reply 6 of 29, by Joey_sw

The problem is "NetBIOS over TCP/IP", which sucks.

If you disable the "over" and use another protocol such as IPX/SPX or even NetBEUI for file/printer sharing purposes, then
the internet (TCP/IP) can't reach your local network file sharing services, but you can still access the internet, which is good.

Last edited by Joey_sw on 2016-06-21, 04:06. Edited 1 time in total.

-fffuuu

Reply 7 of 29, by Joey_sw

dr_st wrote:

Very interesting. Trying to assess the implications here.

First of all, if I remember correctly, NetBIOS over TCP/IP should only be required in a mixed network of NT5+ and NT4/9x systems. Is that true? In other words, in any semi-modern network, it can be safely disabled without loss of connectivity / sharing between computers?

Second, they say there that "disabling outbound connections on port 137 will have the same effect". Is that per PC or is it sufficient to do in the gateway only? Basically, the question is whether there is a way to protect from the possible exploit without losing NetBIOS over TCP-IP functionality.

If you're NOT using Windows 7 (Vista?) or newer, yes you can!

You can install the NetBEUI protocol and disable NetBIOS over TCP-IP,
you'll retain the file sharing functionality and still be able to access the internet,
you can even close any TCP ports that are known to be associated with file sharing purposes.

But do note that performance on medium/large local networks (16+ computers) is quite degraded compared to using NetBIOS over TCP/IP.
On a small local network (8 or fewer computers) it would be faster than NetBIOS over TCP/IP.

But because of Microsoft and their infinite wisdom,
you can NOT go that route with Windows 7 (Vista?) or newer anymore, you're pretty much forced to use NetBIOS over TCP-IP if you want similar functionality.

Reply 8 of 29, by mr_bigmouth_502

If I wanted to share files between a Windows machine and a Linux machine with Samba, would it still work if I disabled NetBIOS? I somehow managed to set up Samba sharing once before but I'd have no clue how to do it now.

Reply 9 of 29, by Jorpho

That depends on the version of Windows. As per Wikipedia, non-NetBIOS, port-445 SMB was only introduced in Windows 2000.

Reply 10 of 29, by dr_st

Joey_sw wrote:

If you're NOT using Windows 7 (Vista?) or newer, yes you can!

You can install the NetBEUI protocol and disable NetBIOS over TCP-IP,
you'll retain the file sharing functionality and still be able to access the internet,
you can even close any TCP ports that are known to be associated with file sharing purposes.

So am I correct in the following summary?

  • If your network contains only Win2K machines and newer, you can disable NetBIOS altogether and use direct TCP/IP for sharing
  • If your network contains only WinXP machines and older, you can disable NetBIOS over TCP/IP and use NetBEUI
  • If your network contains a mix of pre-2K and post-XP machines, and you want to have open sharing between them, you must use NetBIOS over TCP/IP

Reply 11 of 29, by agent_x007

Questions :
1) Why would you keep internet connection to Win9x/DOS machine at all times ?
2) What a hacker could do from a Win9x PC it just hacked ?
3) Isn't Win9x/DOS kinda... too dumb for viruses/trojans that are used in post Win XP era (ie. today) ?

Reply 12 of 29, by dr_st

1) It's not about keeping it connected to the internet, but more like keeping it on the home network (for file sharing / transfer), without artificially blocking its internet access (which is possible, of course).
2) Well, if it's connected to the rest of the network, with file shares and everything, the entire network can be compromised.
3) For the most part, yes.

Reply 13 of 29, by Jorpho

I used to tunnel Windows network sharing over SSH, which is something of a kludge, but ought to work in a pinch.
https://www.bitvise.com/file-sharing.html

agent_x007 wrote:

1) Why would you keep internet connection to Win9x/DOS machine at all times ?

Because constantly disconnecting it and re-connecting it would be too much trouble, I guess?

2) What a hacker could do from a Win9x PC it just hacked ?

Depending on the hack, I suppose it could run whatever it wants.

3) Isn't Win9x/DOS kinda... too dumb for viruses/trojans that are used in post Win XP era (ie. today) ?

Supposedly there are still things out there scanning for computers with ancient, unpatched vulnerabilities.

Reply 14 of 29, by clueless1

If you want LAN access but not internet, just delete the gateway in TCP/IP settings. That's the quickest/easiest way to block access to and from the outside world.

The more I learn, the more I realize how much I don't know.
OPL3 FM vs. Roland MT-32 vs. General MIDI DOS Game Comparison
Let's benchmark our systems with cache disabled
DOS PCI Graphics Card Benchmarks

Reply 15 of 29, by Jade Falcon

agent_x007 wrote:

Questions :
1) Why would you keep internet connection to Win9x/DOS machine at all times ?
2) What a hacker could do from a Win9x PC it just hacked ?
3) Isn't Win9x/DOS kinda... too dumb for viruses/trojans that are used in post Win XP era (ie. today) ?

1: It's a daily system?
2: If a hacker knows the ins and outs of a DOS/9x system? Anything.
3: For the most part.

The thing is that with a good router/firewall, a smart user, network-level anti-malware (not installed on the PC), SEC patches and a few tweaks, a 9x system will be no different than an XP system on a non-targeted network.

Most malware out there today will not run on a 9x system; 2k and newer is what I'd be worried about with malware. It's not to say there is no old malware still going around.
But it's when a hacker is trying to get into a network or system manually that an older 9x/DOS system becomes more of a problem.

The big things you need for an old 9x system are a good hardware firewall, the right settings in the OS and network-level anti-malware, as most newer anti-malware will not run on a 9x system. But there are still holes that can be used by a hacker, and worst of all, most anti-malware does not care about 9x, so a lot will sneak by.

You could also set up a proxy for the older systems when online and funnel everything through a newer system. A network white list is also a good idea. An EoP with a power switch will allow one to quickly kill the network connection to the system.

But all said and done, 9x/DOS online is still a bad idea; the same goes for 2k/XP/Vista/7/8/10, they all have their own problems. But 9x is the worst of a bad idea.

Anyway, here is a quick checklist for adding an old system to a network.

1: Does it need to be online?
2: Does it have to be directly connected to the internet?
3: Can the system be isolated on the network?
4: Can you install up-to-date anti-malware on the system?
5: Can you use a software firewall on the system?
6: Can you use the system with a hardware firewall?
7: Will the system be a sec. problem for other systems on the network?
8: If the system is compromised, will it become a problem?
9: Are there any known holes that are commonly exploited on the system?
10: Can the system be replaced with something newer?

clueless1 wrote:

If you want LAN access but not internet, just delete the gateway in TCP/IP settings. That's the quickest/easiest way to block access to and from the outside world.

Indeed, but it would be a good idea to block outside network access to the PC from your firewall/router as well.

Reply 16 of 29, by clueless1

Jade Falcon wrote:
clueless1 wrote:

If you want LAN access but not internet, just delete the gateway in TCP/IP settings. That's the quickest/easiest way to block access to and from the outside world.

Indeed, but it would be a good idea to block outside network access to the PC from your firewall/router as well.

That might give some peace of mind, but I don't think it's necessary unless you think your computer might already be compromised. Because of NAT: any unsolicited inbound traffic is automatically dropped by the router. A hacker would already have to have control of a computer behind a NAT router in order to reach it from the outside, and if your computer is not compromised and has no gateway, it can't possibly get outside, so can't get compromised.

Reply 17 of 29, by Jade Falcon

But what if you, say, copy an infected file from a file server on your network? You could compromise a system that way.
Anyway, with security you can never have too many layers. That is, so long as you can still use the system.

Reply 18 of 29, by clueless1

Jade Falcon wrote:

But what if you, say, copy an infected file from a file server on your network? You could compromise a system that way.
Anyway, with security you can never have too many layers. That is, so long as you can still use the system.

Then you have bigger problems. 😀 At any rate, that type of infection would not be due to the old Windows version being compromised from the outside. Some other machine on the LAN would have to bring that malware in.

But I agree, lots of layers are important. I guess my point was, it's easy to remove the gateway, but it takes more networking skill to set up a router/hardware firewall to block outside traffic to specific machines. And it depends on the router/firewall--some have that feature, some don't, on some it's easy to do, on others very difficult. Emptying the Gateway field is dead simple, and effective.

Reply 19 of 29, by Jade Falcon

I agree, I guess I'm too used to high end routers and firewalls. Running an IT department will do that.

Removing the gateway from the system is much faster and simpler for a run of the mill home network. I just like the idea of blocking it in the router just in case something hops over from another system.