EvilOctal Security Team Technical Discussion Group's Archiver

冰血封情 2005-2-2 04:13

[Repost] Windows Security Checklist: Securing Your Network Configuration

Author: Larry Stevenson, aka Prince_Serendip, CastleCops Staff Writer

No single application or technique can protect you 100%, but you can still get pretty close to that. When Windows users follow these guidelines, their chances of being infected by malware drop almost to zero. Now we begin our next installment of the Windows Security Checklist, Part 4: Securing Your Network Configuration.

It is not as complicated as it may first appear, although there is a lot of information to absorb. The Security Experts, 1st Responders, Special Response Team members and Host Consultants at CastleCops can help you if you have questions about any of these techniques.

Why is it Important to Disable NetBIOS?

NetBIOS is a set of application program interfaces (APIs) that can allow the sharing of files or folders across a network with other hosts through Windows network shares. The primary mechanism of this feature is the Server Message Block (SMB) protocol, or the Common Internet File System (CIFS). These protocols permit a host to use remote files on another computer as if on their own PC. If enabled and configured, this makes NetBIOS unsuitable for individual privacy and security on the Internet. It also leaves your PC open and vulnerable to anonymous logons, remote Registry accesses, and remote procedure calls, all from total strangers.

The key to securing your computer network configuration is understanding what is meant by "binding." Binding means that there is a shared and continuous connection between two or more network services, communications drivers, and adapters. The easiest way of seeing these relationships is to organize the various network components into groups.

The Network Services Group contains application and server services which are used by your machine's software:

Applications for Microsoft Networks | Microsoft Family Logons | File and Printer Sharing for the Microsoft Networks

The Communications Protocol Group contains protocol drivers that implement various network communication protocols:

TCP/IP | NetBEUI | IPX/SPX

(NetBeui is the NetBIOS Extended User Interface.)

The Hardware Adapter Group contains the actual peripheral adapters which connect the system to the outside world:

Cable/DSL Interface | Local Network Interface | Dial-Up Adapter

With this grouped viewpoint, the parts in each network group are separate and divorced from the components in the other groups. However, when you get your computer for the first time, brand new, all of these parts are bound together and interconnected by default. Having this many bindings to drivers, services and protocols allows unauthorized uses of your computer online by hackers or anyone else.

If you are not interested in file-sharing and wish to have a more secure Internet experience, what you need to do is to disable the bindings to all protocols, services and adapters except for TCP/IP bound to either the Dial-up Adapter, the DSL Adapter, Cable Interface, or the LAN Interface. You need to be the administrator of your PC to change these settings. If you are only a user on another administrator's PC (e.g. students, office workers) you will need to let them know of your concerns and wishes regarding this issue before anything can be done. Some places provide instructions for those who need them.

For safer and more secure communications, the system's TCP/IP protocol is bound only to the interfaces or adapters that have contact with the Internet. Since the various Internet-using applications like web browsers, e-mail and proxies etc, do not use or need the Microsoft Networking services, there is no need to bind them to the global Internet TCP/IP protocol.

Adapters, Protocols, and Service Bindings

What are Network Adapters for Windows?

Click on Start, Parameters, Control Panel and Network.

This will open a window containing a list "The following Network components are installed." This list contains a certain number of lines with an icon on their left. Each of these lines represents a Network Adapter.

A Network Adapter is a program component that helps your computer link a Network peripheral to Windows. Here are some explanations for a few classic Network Adapters.

Network Adapter examples for Ethernet ISA or PCI cards. You have these Adapters if you have an ADSL Internet connection or if your PC is connected to a Local Area Network (LAN).

(icon) 3Com Etherlink 10 ISA
(icon) SN-3200 PCI Ethernet Adapter

Remote Access Card type Adapters are used for telephone modems or ADSL USB modems.
(icon) Remote Access Card

What are Network Protocols?

Take TCP/IP as an example. Transmission Control Protocol/Internet Protocol is the suite of communications protocols used to connect hosts on the Internet. TCP/IP uses several protocols, the two main ones being TCP and IP. TCP/IP is used across the entire Internet, making it the global standard for transmitting data over networks. Even network operating systems that have their own protocols, such as Netware, also support TCP/IP.

All communications between devices require that the devices agree on the format of the data. The set of rules defining a format is called a protocol. At the very least, a communications protocol must define the following:

-- rate of transmission (in baud or bps)
-- whether transmission is to be synchronous or asynchronous
-- whether data is to be transmitted in half-duplex or full-duplex mode

In addition, protocols can include sophisticated techniques for detecting and recovering from transmission errors and for encoding and decoding data.

Communications Protocols are compatible formats for transmitting data between two devices. The protocol determines the following:

-- type of error checking to be used
-- data compression method, if any
-- how the sending device will indicate that it has finished sending a message
-- how the receiving device will indicate that it has received a message

There are a variety of standard protocols from which programmers can choose. Each has particular advantages and disadvantages. Some are simpler than others, some are more reliable, and some are faster.

From a user's point of view, the only interesting aspect about protocols is that your computer or device must support the right ones if you want to communicate with other computers. The protocol can be provided either in hardware or in software.

Service Bindings: What are they?

With many server applications, a binding is an association between a network connection point (the combination of an IP address and a port number, for example) and a network service (e.g. a mail server or web proxy). This defines the interface over which a server process will provide service to a computer. It stands to reason that in order for a service to be accessible to a computer, it must be “bound” to an interface that is available to it.

Bindings allow PCs to connect to network services, and allow the administrator to specify which service will respond to the connections, on which interfaces and ports. Security issues are associated with providing remote access to services. Bindings therefore need to be considered a point of security control.

Are You Vulnerable to NETBIOS Problems?

Try these tools to determine your NetBIOS vulnerabilities:

NbtScan - NetBIOS Name Network explores the NETBIOS file-sharing services available on targeted systems. NbtScan is available at: http://www.inetcat.org/software/nbtscan.html

NLtest - very powerful tool, included in Windows 2000 and 2003 Support Tools (can be found on product CD) and Windows NT4 Resource Kit. NLtest can obtain a wealth of information about potential configuration vulnerabilities.

For Windows NT (SP4), Windows 2000, Windows XP, and Windows 2003, the Microsoft Baseline Security Analyser will report hosts that are vulnerable to SMB exploits and may be used to fix the problem. The tests can be run locally or on remote hosts.

Windows NT, Windows 2000, Windows XP, and Windows 2003 users can simply type "net share" (without the quotes) from the command prompt to see what resources are being shared. For more information about the net share command, type "net share /?" (without the quotes).

Windows 98 users can find help at Steve Gibson's ShieldsUp!! - Network Bondage.

Important Note: This article contains information about changing shared resources. Before changing any shared resource, make sure you understand how to restore the resource, if a problem occurs. For information about shared resources, click on the following articles to view them in the Microsoft Knowledge Base:

Saving and Restoring Existing Windows Shares

HOW TO Set, View, Change, or Remove Spe...Windows XP

HOW TO Disable Simplified Sharing and P...Windows XP

How to Copy Files and Maintain NTFS and Share Permissions

Safely Block NetBIOS Ports Over TCP/IP to all Internet Traffic

This will prevent outside access to the contents of your hard drives via these ports whether you do file sharing or not. Block incoming and outgoing access to ports 135, 137, 138, 139, and 445 with your firewall.

ZoneAlarm does this by default when you set the Internet Zone Security level to "high". The "medium" default security setting only blocks incoming access to NetBIOS ports, but you can manually change that to include outgoing. Remember that any setting lower than "high" is not recommended for use in the Internet Zone.

Configure TCP/IP Networking While NetBI...000 Server from Microsoft.

Disable NetBIOS Over TCP/IP By Using DHCP Server Options

How to disable NetBIOS on Windows 2000/XP machines

How can I configure TCP/IP networking w...0/XP/2003?

Best regards and always take care of your security.

© 1999-2008 EvilOctal Security Team