Firewall rule improvements and security recommendations - Blog 3

NetBIOS

NetBIOS typically runs over TCP/IP via the NetBIOS over TCP/IP (NBT) protocol. Each computer on the network then has a NetBIOS name alongside its IP address and its (possibly different) DNS hostname. NetBIOS exists so that two machines on the same local network can find each other and talk, which today is rarely needed for anything other than Windows file and printer sharing on a LAN, yet leaving it reachable puts those services in front of anyone who can hit the ports. You can remove this risk in two ways, and I personally do both: block the ports at the firewall, and disable NetBIOS over TCP/IP on the network adapter itself.

A firewall should block ports 135-139 plus 445, inbound and outbound. Attackers use these ports to steal your data and take control of your PC, and once they have it they use NetBIOS and SMB from that machine to take over the next one, and so on. Ports 137-139 carry Windows printer and file sharing (137 is the NetBIOS name service and 138 the datagram service, both UDP; 139 is the session service over TCP), and they are a security risk whenever they are left open. Port 445 is SMB running directly over TCP without NetBIOS, which is how current Windows versions share files, so it needs the same treatment. If you share a printer on the network you will have to allow this traffic, at least from the local network, but I recommend simply going to the PC the printer is connected to and printing from there. Port 135 is the RPC endpoint mapper, used to reach RPC services on a remote machine. Port 136 is assigned to the PROFILE naming service, which I don't think is used any longer, but it still opens a door if left unblocked.
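Once the rule is in place, the check that matters is whether those ports still answer from the outside. The probe below is an added example, not code from the original post: it tries a TCP connection to each of the ports listed above and reports the ones that accept. The default target and the script file name are placeholders; run it from a machine on the untrusted side of the firewall against your own PC.

```python
"""Probe a host for the RPC/NetBIOS/SMB ports the post says to block.

Added example, not code from the original post. Target host names are
placeholders; pass your own on the command line.
"""
import socket
import sys

# Ports from the post and the service behind each one. 137/138 are UDP; the rest are TCP.
NETBIOS_SMB_PORTS = {
    135: ("tcp", "RPC endpoint mapper (DCOM)"),
    136: ("tcp", "PROFILE naming service (unused in practice)"),
    137: ("udp", "NetBIOS name service"),
    138: ("udp", "NetBIOS datagram service"),
    139: ("tcp", "NetBIOS session service (SMB over NBT)"),
    445: ("tcp", "SMB directly over TCP"),
}


def tcp_port_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within the timeout.

    A firewall that DROPs the packet shows up as a timeout; a REJECT or a
    closed port shows up as a refused connection. Both count as 'not exposed'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # includes socket.timeout and ECONNREFUSED
        return False


def audit_netbios_exposure(host, ports=None, timeout=1.0):
    """Return {port: description} for each TCP port in `ports` (default: the
    list above) that accepts a connection from this machine.

    UDP 137/138 are skipped on purpose: a UDP connect() never fails, so a
    connect test would report them open on every host. Probe those with a
    real NetBIOS name query (nbtscan, nmap -sU) instead.
    """
    ports = NETBIOS_SMB_PORTS if ports is None else ports
    exposed = {}
    for port, (proto, desc) in sorted(ports.items()):
        if proto == "tcp" and tcp_port_open(host, port, timeout):
            exposed[port] = desc
    return exposed


def listener_on_free_port():
    """Open a loopback TCP listener on an OS-chosen port, so the probe can be
    exercised locally without touching a real Windows box."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python netbios_probe.py <host> [<host> ...]   (file name is a placeholder)
    for target in sys.argv[1:] or ["127.0.0.1"]:
        found = audit_netbios_exposure(target)
        if not found:
            print(f"{target}: no RPC/NetBIOS/SMB TCP port reachable - good")
        for port, desc in found.items():
            print(f"{target}: TCP {port} reachable ({desc}) - block it")
```

A result of "no port reachable" from the LAN side while printing still works from the machine the printer is attached to is exactly the state the paragraph above recommends. Note that a DROP rule makes each closed port cost the full timeout, so keep the timeout short when scanning more than a handful of hosts.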

DNS Zone Transfers

A DNS zone transfer is the process by which a DNS server passes a copy of part of its database (a "zone") to another DNS server. It is how a zone can have more than one DNS server able to answer queries for it: there is a master (primary) DNS server and one or more slave (secondary) servers, and the slaves ask the master for a copy of the records for that zone.

A basic DNS zone transfer attack isn't very fancy: you just pretend to be a slave and ask the master for a copy of the zone (an AXFR request), and it sends you the records. DNS is one of those really old-school Internet protocols designed when everyone on the Internet knew everyone else's name and address, so servers trusted each other implicitly.

It's worth stopping zone transfer attacks, because a copy of your DNS zone may reveal a great deal of topological information about your internal network: hostnames, addresses, mail and name servers. In particular, if someone plans to subvert your DNS, by poisoning or spoofing it for example, a copy of the actual data is very useful to them. So best practice is to restrict zone transfers. At the bare minimum, you tell the master the IP addresses of the slaves and not to transfer the zone to anyone else. In more sophisticated setups you sign the transfers (TSIG) and the master rejects unsigned requests. The more sophisticated zone transfer attacks therefore try to get around these controls.
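The quickest check of your own servers is `dig axfr yourzone @your-master`, which prints the whole zone if the master is open and "Transfer failed." if it is restricted. To show what is actually going over the wire in the attack described above, here is an added example, not code from the original post, that sends the same AXFR request with nothing but the Python standard library and parses the reply. The zone and server names are placeholders, and the two sample responses at the bottom are constructed by hand to show what a refused and an open master return.

```python
"""Try a zone transfer (AXFR) against a DNS server and parse the reply.

Added example, not code from the original post. Server and zone names are
placeholders; the sample responses below are constructed, not captured.
"""
import socket
import struct

QTYPE_AXFR, QCLASS_IN = 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}
TYPES = {1: "A", 2: "NS", 6: "SOA", 28: "AAAA"}


def encode_name(name):
    """'example.test' -> b'\\x07example\\x04test\\x00' (RFC 1035 labels)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """One question of type AXFR. All flags zero: AXFR is not a recursive query."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def decode_name(msg, off):
    """Decode a (possibly compressed) name at `off`; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off


def parse_response(msg):
    """Return (rcode name, [(owner, type, rdata summary), ...]) for one DNS message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                               # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            summary = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == 2:
            summary = decode_name(msg, off)[0]
        elif rtype == 6:                              # SOA: MNAME then RNAME
            mname, nxt = decode_name(msg, off)
            summary = mname + " " + decode_name(msg, nxt)[0]
        else:
            summary = msg[off:off + rdlen].hex()
        records.append((owner, TYPES.get(rtype, str(rtype)), summary))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), records


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def try_zone_transfer(server, zone, timeout=5.0):
    """Send the AXFR over TCP (each message is length-prefixed) and parse the
    first reply. A restricted master answers REFUSED with no records; an open
    one starts streaming the zone, SOA first. Big zones span several messages;
    reading only the first is enough to tell open from closed."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return parse_response(recv_exact(s, length))


def _rr(owner, rtype, ttl, rdata):
    return owner + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata


def constructed_refused_response(zone="example.test"):
    """What a locked-down master sends back: QR=1, RCODE=5 (REFUSED), no answers."""
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + question


def constructed_open_zone_response(zone="example.test"):
    """What an open master sends back: SOA, NS, A, closing SOA. Constructed data."""
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    zone_ptr = b"\xC0\x0C"                            # pointer to the name at offset 12
    ns1 = encode_name("ns1." + zone)
    soa = ns1 + encode_name("hostmaster." + zone) + struct.pack("!IIIII", 2024010101, 3600, 900, 604800, 300)
    answers = (_rr(zone_ptr, 6, 300, soa) + _rr(zone_ptr, 2, 300, ns1)
               + _rr(ns1, 1, 300, bytes([10, 0, 0, 53])) + _rr(zone_ptr, 6, 300, soa))
    return struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 4, 0, 0) + question + answers
```

Against a real server you would call `try_zone_transfer("ns1.example.test", "example.test")` (placeholder names). The two constructed responses make the difference concrete: the refused one parses to `("REFUSED", [])`, while the open one parses to a NOERROR reply whose record list starts and ends with the zone's SOA and hands over every name and address in between, which is the data the paragraph above warns about. An IP-based allow-list on the master turns the second case into the first; TSIG keeps it that way even when a request arrives from an address that is on the list.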
