SAGE - Sage feature


NT: (The Manual is) "Not There"!

by Phil Cox
<[email protected]>

Phil is a member of the Computer Incident Advisory Capability (CIAC) for the Department of Energy. He also consults and writes on issues bridging the gap between UNIX and Windows NT.


and Tina Darmohray
<[email protected]>

Tina Darmohray, editor of SAGE News & Features, is a consultant in the area of Internet firewalls and network connections, and frequently gives tutorials on those subjects. She was a founding member of SAGE.


I (Tina) recently took a look at the security implications of running SMB applications over the Internet. Initially, I thought the best place to look for information would be on an NT machine itself. I clicked on the Help button and proceeded to form the question. In particular, I asked about network services and bindings. The response to my first query looked promising:

  • binding:
  • To change the order of bindings for selected network components
  • To enable or disable binding paths for selected network components
  • To view bindings for network components

I selected the second one; and more help information appeared. The first part was a hand-holding walk-through on how to enable/disable bindings. Fair enough. But I really wanted to know exactly what services would break if I did so. I read on. The accompanying "Notes" section took the wind out of my sails in that regard, saying, "Do not attempt to change binding settings unless you are an experienced network administrator familiar with the requirements of your network software." And that was it! I poked around some more with the "Help" utility, but I couldn't get anything more detailed than the warning. I began to feel frustrated, wondering how one was to "RTM" when the "M" isn't there!

Sheepishly, but having at least tried to RTM, I turned to several NT gurus to ask them more about what services the bindings affect. To my surprise, many of them had the same questions I did. So I decided it was time to go sniffing for answers, and that you might be interested in what I found out.

Microsoft networking was originally designed for small networks. When Microsoft decided to extend it, they needed a capable transport protocol to do so. The result is NetBIOS over TCP/IP, or NBT. NT machines use ports 135 and 137-139 for all their Windows-related networking traffic. A breakdown of the ports looks like this:

135  loc-srv      Location Service
137  netbios-ns   NetBIOS Name Service
138  netbios-dgm  NetBIOS Datagram Service
139  netbios-ssn  NetBIOS Session Service

Location Service is like the UNIX portmapper and is used to get information about the RPC programs registered on the machine. NetBIOS Name Service is used for registering and gaining information about NetBIOS names. The NetBIOS Datagram and Session Services can be viewed as UDP and TCP for NetBIOS packets.

I wanted to turn off selected Microsoft networking services so that an NT machine wouldn't be running the file and printer sharing (a.k.a. Server Service) portion of the SMB applications on the Internet, but could still run a Web server, for instance. In NT you create "bindings" between logical connections and services, protocols, and adapters. I hypothesized that turning off pieces of NetBIOS on the Internet-connected adapter would disallow the targeted SMB services and still allow more traditional Internet services. I used the Network property sheet from the Control Panel, which contains the Bindings tab, to toggle bindings on and off. While I systematically turned on and off the services on the NT machine, I used SAMBA commands from a UNIX machine to look at the NT responses.

First, I turned off the Control Panel-level Server Service. As expected, the NT machine didn't answer a NetBIOS name query at all:

% nmblookup -B 204.146.133.23 -S \*
Sending queries to 204.146.133.23
name_query failed to find name *

I reenabled the Server Service and then, using CONTROL PANEL/NETWORK/BINDINGS [all adapters], turned off WINS Client [TCP/IP]. Again, as expected, the NT machine failed to respond to a WINS name query:

% nmblookup -B 10.31.3.163 -S \*
Sending queries to 10.31.3.163
name_query failed to find name *

Next, I reenabled the WINS Client [TCP/IP] and tested to make sure that the machine was responding. In the successful NetBIOS name query, we see that the machine lists a NetBIOS name type of <20>, which indicates a resource-sharing "server service"; this is what we would expect. Since we have a server service, we can now use a subsequent smbclient query to that server.

% nmblookup -B 10.31.3.163 -S \*
Sending queries to 10.31.3.163
10.31.3.163 *<00>
Looking up status of 10.31.3.163
received 10 names
PI<00> - B <ACTIVE>
INet~Services <1c> - <GROUP> B <ACTIVE>
PI <20> - B <ACTIVE>
IS~PI <00> - B <ACTIVE>
SUNNYVALE <00> - <GROUP> B <ACTIVE>
PI <03> - B <ACTIVE>
SUNNYVALE <1e> - <GROUP> B <ACTIVE>
ADMINISTRATOR <03> - B <ACTIVE>
SUNNYVALE <1d> - B <ACTIVE>
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
num_good_sends=0 num_good_receives=0
% smbclient -L PI -I 10.31.3.163
Added interface ip=10.31.3.161 bcast=10.31.3.255
    nmask=255.255.255.0
Server time is Wed Jan 27 14:32:07 1999
Timezone is UTC-8.0
Password:
Domain=[SUNNYVALE] OS=[Windows NT 4.0]
    Server=[NT LAN Manager 4.0]
security=user

This machine has a browse list:

 Server Comment
 --------- -------
 PI

This machine has a workgroup list:
 Workgroup Master
 --------- -------
 SUNNYVALE PI

A machine configured in this way would serve File and Print shares on the Internet, which is the NetBIOS service I ultimately wanted to turn off.

Finally, I expanded the "+" WINS Client [TCP/IP]. It shows three bindings that can be toggled on and off: NetBIOS Interface, Server, and Workstation. With the top-level WINS Client [TCP/IP] binding still enabled, I disabled the "Server" binding (below WINS Client [TCP/IP]). Note that we can still successfully query for the name, but the results show there is no longer a server service, type <20>, on the machine. As a result, the subsequent smbclient query is unsuccessful and requests for File and Print shares would fail.

% nmblookup -B 10.31.3.163 -S \*
Sending queries to 10.31.3.163
10.31.3.163 *<00>
Looking up status of 10.31.3.163
received 5 names

PI <00> - B <ACTIVE>
INet~Services <1c> - <GROUP> B <ACTIVE>
IS~PI <00> - B <ACTIVE>
SUNNYVALE <00> - <GROUP> B <ACTIVE>
PI <03> - B <ACTIVE>
num_good_sends=0 num_good_receives=0
% smbclient -L PI -I 10.31.3.163
Added interface ip=10.31.3.161 bcast=10.31.3.255
    nmask=255.255.255.0
Session request failed (131,130) with
    myname=EPSILON destname=PI
Called name not present
Try to connect to another name (instead of PI)
You may find the -I option useful for this

Don't let the lack of detailed online NT documentation dissuade you, or the counterintuitive naming of the WINS "Client" [TCP/IP] binding fool you. Expand the "+" on the WINS Client [TCP/IP] binding to see that underneath the "Client" lies a "Server," which you can enable/disable. It might help to think of the WINS "Client" as NBT, and the bindings underneath as pieces of NetBIOS over TCP/IP. The bottom line is that there is a degree of granular configuration control for NBT using bindings to disable all or pieces of NetBIOS on a single adapter.
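The check performed by eye in the transcripts above can be scripted. The following is an added example, not part of the original article: it parses `nmblookup -S` output in the format shown here and reports whether an active unique <20> (Server service) name is registered. The function names and the state labels are assumptions made for this sketch, and the sample transcripts are shortened excerpts of the article's own output.

```python
import re

# One node-status row such as "PI <20> - B <ACTIVE>" or
# "SUNNYVALE <1e> - <GROUP> B <ACTIVE>"; the space before "<" may be missing.
ROW = re.compile(
    r"^\s*(?P<name>.+?)\s*<(?P<suffix>[0-9a-fA-F]{2})>\s+-\s+"
    r"(?P<group><GROUP>\s+)?\S+\s+(?P<flags>(?:<[A-Z_]+>\s*)+)$"
)
SERVER_SERVICE = 0x20  # the <20> name type the article ties to file/print sharing

def parse_node_status(text):
    """Return (name, suffix, is_group, is_active) for each registered name."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m["name"], int(m["suffix"], 16),
                         bool(m["group"]), "<ACTIVE>" in m["flags"]))
    return rows

def classify(text):
    """Map one nmblookup -S transcript to the binding state it indicates."""
    rows = parse_node_status(text)
    if not rows:
        return "no-answer" if "name_query failed" in text else "unparsed"
    exposed = any(s == SERVER_SERVICE and not g and a for _, s, g, a in rows)
    return "server-service-exposed" if exposed else "names-only"

# Transcripts excerpted from the article's own output (name lists shortened).
WINS_CLIENT_OFF = """Sending queries to 10.31.3.163
name_query failed to find name *"""
ALL_BOUND = """Looking up status of 10.31.3.163
PI<00> - B <ACTIVE>
INet~Services <1c> - <GROUP> B <ACTIVE>
PI <20> - B <ACTIVE>
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>"""
SERVER_UNBOUND = """Looking up status of 10.31.3.163
PI <00> - B <ACTIVE>
SUNNYVALE <00> - <GROUP> B <ACTIVE>
PI <03> - B <ACTIVE>"""

if __name__ == "__main__":
    for label, capture in [("WINS Client off", WINS_CLIENT_OFF),
                           ("all bound", ALL_BOUND),
                           ("Server unbound", SERVER_UNBOUND)]:
        print(f"{label:16} -> {classify(capture)}")
```

Run against the Internet-facing adapter after each binding change, a "names-only" result corresponds to the final configuration described above: NBT still answers name queries, but no Server service is advertised.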

References

<[email protected]>. CIFS: Common Insecurities Fail Scrutiny. January, 1997. <http://199.103.168.8:1089/web1/hak/cifs.txt>.

Richard Sharpe. Just What Is SMB? May 14, 1998. <http://anu.samba.org/cifs/docs/what-is-smb.html>.


Last changed: 15 Apr. 1999 jr