 NC State University  College of Engineering
WolfCall: Locking Down NetBIOS
What's NetBIOS?

The AFS Client (both the IBM and OpenAFS versions) relies on a network protocol called NetBIOS to mount AFS drives (J:, K:, etc.). Normally this protocol, which is part of the so-called Common Internet File System (CIFS), is used to access Windows shares on remote machines. It is part of what Windows calls "File and Print Sharing".

The AFS Client subverts this protocol for its own uses. Since Windows already knows how to access files on a remote NetBIOS share, the AFS Client simply pretends it is such a share. Therefore, one might view the Windows AFS Client as a gateway between the AFS world and the NetBIOS (or "CIFS" or "SMB") world.

A security threat?

Unfortunately NetBIOS is commonly thought of as a security vulnerability, and for good reason. Computers running NetBIOS are routinely hacked into at NC State, usually to be used as courier sites for illegally copied software and media. Probably the most common method of entry is the weak password.

There are two sources of vulnerabilities related to NetBIOS:

Weak passwords
This problem can easily be solved by a wary user. When assigning passwords to your accounts, keep in mind that the password is often the only thing keeping a remote attacker out of your machine.

In the world of high-speed global internet, it is surprising how fast an attacker can try a large number of common passwords in what is commonly called a "dictionary attack".

Bugs in Microsoft's implementation of the protocol
In the past, NetBIOS has been notorious for numerous security holes that would be exposed every few months, and then be sluggishly addressed by Microsoft. However, true compromises in the NetBIOS services are rare now (especially on Windows NT4/2k/XP), and Microsoft is much better about patching its software.

Keep in mind, though, that Microsoft's patches are useless if they never make it onto your machine. If you are responsible for administrating your own machine, please visit Windows Update often to keep it up to date.

Update: As an example, the RPC vulnerability recently exploited by the Blaster, Stealther, and Welchia worms was part of the NetBIOS interface. Only patching or disabling NetBIOS would have protected computers from these attacks. Undiscovered bugs almost certainly still exist out there, so keep your computer up to date!

Locking down NetBIOS

Ultimately, the AFS Client relies on a service that is somewhat vulnerable to remote attack. Fortunately, it is possible to lock down NetBIOS in Windows without entirely removing it, thereby allowing the AFS Client to operate properly.

Strong passwords

The easiest way to lock down NetBIOS is to use strong passwords on all accounts:
  • Use no words that can be found in a dictionary, or
  • intersperse words with extra numbers and letters.
  • Avoid using common names.
  • Use a combination of uppercase and lowercase letters with numbers and punctuation if possible.
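The following PowerShell function is an added example, not part of the original page or the WolfCall project: it checks a candidate password against the four rules above (no contiguous dictionary word or common name, and a mix of uppercase, lowercase, digits and punctuation). The word and name lists are constructed stand-ins; a real check would load a full word list from a file. The function name and the test values are assumptions made for this example.

```powershell
# Added example: audit a candidate password against the four rules listed
# on this page. The two lists below are constructed placeholders, not a
# real dictionary; load a proper word list from a file in practice.
$DictionaryWords = @('password', 'wolfpack', 'summer', 'letmein', 'raleigh')
$CommonNames     = @('john', 'mary', 'smith', 'admin')

function Test-PasswordPolicy {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Password)

    $problems = New-Object System.Collections.Generic.List[string]

    # Rules 1 and 2: a word is only a problem if it appears contiguously.
    # "su7mm3er" has extra characters interspersed and is not flagged;
    # "summer2003" still contains the bare word and is.
    # -match is case-insensitive in PowerShell, so "Summer" is caught too.
    foreach ($word in $DictionaryWords) {
        if ($Password -match [regex]::Escape($word)) {
            $problems.Add("contains the dictionary word '$word' with nothing interspersed")
        }
    }

    # Rule 3: no common names.
    foreach ($name in $CommonNames) {
        if ($Password -match [regex]::Escape($name)) {
            $problems.Add("contains the common name '$name'")
        }
    }

    # Rule 4: character-class mix. -cnotmatch is the case-sensitive form,
    # needed to tell uppercase from lowercase.
    if ($Password -cnotmatch '[A-Z]')        { $problems.Add('has no uppercase letter') }
    if ($Password -cnotmatch '[a-z]')        { $problems.Add('has no lowercase letter') }
    if ($Password -notmatch  '\d')           { $problems.Add('has no digit') }
    if ($Password -notmatch  '[^A-Za-z0-9]') { $problems.Add('has no punctuation') }

    [pscustomobject]@{
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems.ToArray()
    }
}

# Constructed sample values for demonstration; never keep real passwords in a script.
foreach ($candidate in 'summer2003', 'Wolf!pack', 'W0lf-pAc7k') {
    $result = Test-PasswordPolicy -Password $candidate
    '{0,-12} compliant={1} {2}' -f $candidate, $result.Compliant, ($result.Problems -join '; ')
}
```

Of the three sample values, only the last satisfies every rule: the first is a bare dictionary word followed by digits, and the second breaks the word up with punctuation but has no digit. The check is deliberately conservative, since a dictionary attack of the kind described above tries exactly these simple word-plus-suffix patterns first.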

Unbinding file sharing from network adapters

Please note that this step is not absolutely required.
For the more security conscious ("paranoid"), it is a good idea to completely prevent Windows from talking to the outside world using the NetBIOS protocol. However, the AFS Client still needs a network adapter with NetBIOS enabled.

We can satisfy this requirement in a secure manner using the Microsoft Loopback Adapter. If the AFS Client and Windows communicate over the virtual network adapter, no vulnerable NetBIOS services need be exposed to the Internet.

Instructions on how to do this can be found at the OpenAFS Wiki.

An automated install for systems administrators can be found on the Microsoft Loopback Adapter page. We would recommend that people follow the manual instructions at least once so as to better understand what is going on.
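To verify the result of the unbinding described above, the following PowerShell function is an added example (not from the original page, the OpenAFS Wiki, or the WolfCall project). It lists every network adapter and reports whether "File and Printer Sharing for Microsoft Networks" (binding component ms_server) and NetBIOS over TCP/IP are still enabled on it, and flags any adapter other than the one reserved for the AFS Client. It uses the NetAdapter cmdlets and the Win32_NetworkAdapterConfiguration CIM class, so it needs Windows 8 / Server 2012 or later and an elevated prompt; the function name and the default adapter-name pattern ('Loopback') are assumptions for this example.

```powershell
# Added example: audit which adapters still expose NetBIOS file sharing.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.
function Get-NetBiosExposure {
    [CmdletBinding()]
    param(
        # Name pattern of the adapter the AFS Client is allowed to use; the
        # page recommends the Microsoft Loopback Adapter. The pattern is an
        # assumption for this example, so change it to match your adapter.
        [string]$AllowedAdapterPattern = 'Loopback'
    )

    # Component ms_server is "File and Printer Sharing for Microsoft Networks",
    # the server side of NetBIOS/SMB sharing that this page is concerned with.
    $shareBindings = Get-NetAdapterBinding -ComponentID ms_server -ErrorAction Stop

    # Per-adapter TCP/IP settings. TcpipNetbiosOptions is the NetBIOS over
    # TCP/IP setting: 0 = default (taken from DHCP), 1 = enabled, 2 = disabled.
    $ipConfigs = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration

    foreach ($binding in $shareBindings) {
        $adapter = Get-NetAdapter -Name $binding.Name -ErrorAction SilentlyContinue
        $config  = $ipConfigs | Where-Object { $_.SettingID -eq $adapter.InterfaceGuid }

        $nbtOption = if ($config) { [int]$config.TcpipNetbiosOptions } else { -1 }
        $nbtState = switch ($nbtOption) {
            0       { 'default (per DHCP)' }
            1       { 'enabled' }
            2       { 'disabled' }
            default { 'unknown' }
        }

        $reserved = [bool]($binding.Name -match $AllowedAdapterPattern)

        # An adapter is exposed if file sharing is still bound to it or NetBIOS
        # over TCP/IP is not explicitly disabled, and it is not the adapter
        # reserved for the AFS Client. A "default" setting is treated as exposed
        # because DHCP may resolve it to enabled.
        $exposed = (-not $reserved) -and (([bool]$binding.Enabled) -or ($nbtState -ne 'disabled'))

        [pscustomobject]@{
            Adapter          = $binding.Name
            Status           = $adapter.Status
            FileSharingBound = [bool]$binding.Enabled
            NetBiosOverTcpIp = $nbtState
            ReservedForAfs   = $reserved
            Exposed          = $exposed
        }
    }
}

Get-NetBiosExposure | Format-Table -AutoSize
```

After following the OpenAFS Wiki instructions, the expected picture is that only the loopback adapter shows FileSharingBound as True, and every physical adapter shows False with NetBIOS over TCP/IP disabled; any row with Exposed set to True is an adapter on which the unbinding is still incomplete.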


Information Technology and Engineering Computer Services (ITECS)
College of Engineering, North Carolina State University, Raleigh, NC 27695
Comments to eoshelp@ncsu.edu. URL: http://www.eos.ncsu.edu/

This support page is for students, faculty, and staff at North Carolina State University.