Security for a SOHO entails both the prevention and the detection of intrusion. As a Windows 2000 user, you can do a lot to help keep your small office/home office (SOHO) network secure. To seal any remaining openings, setting up a personal firewall is essential. Although taking the steps below won’t make your Internet-connected system completely bulletproof, it will make it less susceptible to attack.
Evaluation of Exposure
The next stage is to assess your SOHO network’s Internet exposure. If you’re not sure you have a problem, this step will be sobering. Websites that scan for Windows-specific vulnerabilities are easy to find; if you don’t already use one, I recommend the popular Gibson Research site (http://grc.com/default.htm), which evaluates both NetBIOS exposure and service-based port exposure. Many firewall vendors also offer online security analysis and port-scanning tools.
Exposed NetBIOS. Scroll down the Gibson Research home page and click the ShieldsUP! option, then scroll down the ShieldsUP! page until you see the Test My Shields! and Probe My Ports! buttons. Click Test My Shields! and wait for the test to finish. If your system is typical, NetBIOS port 139 is open and the test can simply read your username, computer name, and local share names. Because of its weak security, NetBIOS is the service intruders target most often; Step 5 explains how to fix this problem. Save the test results so that you can compare before and after reports: after you follow this article’s advice, run the test again to confirm that you’ve reduced your exposure.
Exposed ports. Every Win2K or third-party network service listens on a port number assigned by international standards. To keep global communication orderly, many of the ports below 1024 (the well-known ports) are associated with a particular protocol (e.g., FTP, HTTP) and the service that uses it. There are 65,535 ports in all. While a service is running, it listens for requests addressed to its port number and replies to them.
For example, the FTP service answers incoming and outgoing requests on TCP port 21, the SMTP service you send mail through listens on TCP port 25, the POP3 service you receive mail from listens on TCP port 110, and the HTTP service accepts nonsecure connections on port 80 and secure connections on port 443. NetBIOS broadcasts names on port 137 and connects local shares on port 139. For the full list of 65,535 ports, visit http://www.iana.org/assignments/port-numbers, or download a protocol definition file from http://www.sockets.com/services.htm.
Now run the Probe My Ports! test. The port scanner asks each Win2K service whether it is listening and responding to inbound connections. Depending on your system’s configuration and protection, a port can be open, closed, or hidden. An open port accepts inbound connections, allowing both legitimate and unauthorized access. A closed port means the service is present but won’t accept connections. A hidden port reveals nothing about whether the service is running. (In Step 8, you’ll learn how to secure ports with a personal firewall.) Read the Probe My Ports! report to see your system’s port exposure.
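As an added example (not code from the original article or from Gibson Research), the following Python script performs the before/after comparison the test procedure calls for: it parses a services-style port list in the layout the IANA and sockets.com files use, annotates each visible port in a ShieldsUP!-style report with its service name and flags open NetBIOS ports, and diffs a "before" report against an "after" report. The report layout and all sample data are constructed assumptions.

```python
# Constructed excerpt in the services-file layout ("<name> <port>/<proto>") of the IANA/sockets.com lists.
SERVICES_TEXT = """\
ftp          21/tcp
smtp         25/tcp
http         80/tcp
pop3        110/tcp
netbios-ns  137/udp
netbios-ssn 139/tcp
https       443/tcp
"""
NETBIOS_PORTS = {137, 139}  # the NetBIOS ports the article says intruders target
# Constructed "<port>/<proto> <state>" reports (states: open, closed, hidden).
BEFORE = "21/tcp closed\n80/tcp open\n137/udp open\n139/tcp open\n443/tcp hidden"
AFTER = "21/tcp hidden\n80/tcp open\n137/udp hidden\n139/tcp hidden\n443/tcp hidden"

def parse_services(text):
    """Map (port, proto) -> service name, ignoring comments and blank lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            port, proto = fields[1].split("/")
            table[(int(port), proto)] = fields[0]
    return table

def parse_report(text):
    """Map (port, proto) -> state from a scan report."""
    report = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2:
            port, proto = fields[0].split("/")
            report[(int(port), proto)] = fields[1].lower()
    return report

def assess(report, services):
    """Every non-hidden port with its service name; an open NetBIOS port is 'high'."""
    findings = []
    for (port, proto), state in sorted(report.items()):
        if state == "hidden":
            continue
        name = services.get((port, proto), "unknown")
        risk = "high" if state == "open" and port in NETBIOS_PORTS else "review"
        findings.append((port, proto, state, name, risk))
    return findings

def compare(before, after):
    """Ports whose state changed: {(port, proto): (old_state, new_state)}."""
    return {k: (before.get(k, "hidden"), after.get(k, "hidden"))
            for k in set(before) | set(after)
            if before.get(k, "hidden") != after.get(k, "hidden")}
```

Run `assess(parse_report(BEFORE), parse_services(SERVICES_TEXT))` to see the NetBIOS ports flagged, and `compare(parse_report(BEFORE), parse_report(AFTER))` to confirm which ports went hidden after the changes.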
Protect Your Internet Connection
Next comes Win2K configuration advice for eliminating vulnerabilities. Win2K includes NetBIOS components for backward compatibility with Windows NT 4.0 and Windows 9x, but you don’t need them to browse or communicate on the Internet. With TCP/IP alone (no NetBIOS), you can still connect to LAN shares by IP address and share name (e.g., \\www.xxx).
You cannot, however, connect by Universal Naming Convention (UNC) share name (e.g., \\server\share). Install only TCP/IP on the Internet adapter. If you don’t need to share the Internet machine’s resources with other internal systems, disable NetBIOS on the LAN adapter as well. Fewer network protocols and services mean fewer openings for unscrupulous users, and your system runs more efficiently with fewer network protocols loaded.
Removing NetBIOS vulnerabilities. Win2K automatically installs Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks and binds them to each network adapter. These components provide backward compatibility with NT 4.0 and Win9x systems, which rely on Microsoft’s proprietary and insecure NetBIOS (WINS) name resolution. Your Internet connection doesn’t need either service. Here’s why.
Client for Microsoft Networks sends NetBIOS name-resolution broadcasts to find computers and shares on the LAN (i.e., the names in the My Network Places browse list). Unwanted broadcasts announce your system and its resources and draw attention to your Internet connection. Because NetBIOS name resolution is Microsoft-specific, few Internet-connected systems need it. When you disable Client for Microsoft Networks, you close NetBIOS ports 137 and 139, the ports intruders target.
File and Printer Sharing, like Client for Microsoft Networks, publishes the NetBIOS names of local shares. Whether or not your Internet machine has shares, you don’t want to disclose their NetBIOS names. To disable these components and eliminate NetBT traffic, open Network and Dial-up Connections, click Advanced on the menu bar, and click Advanced Settings to open the window that Figure 4 shows. Select your Internet network adapter and clear the check boxes for both components. The changes take effect immediately, without a reboot.
In a pure Win2K environment, DNS replaces proprietary NetBIOS name resolution, and servers can browse the SOHO network and connect to shares without either component. Disabling them stops NetBIOS broadcasts and reduces network traffic. To eliminate NetBIOS vulnerabilities on a Win2K SOHO network that uses Win2K DNS, disable Client for Microsoft Networks and File and Printer Sharing on all computers.