WINS question

Discussion in 'Server Networking' started by Sam, Aug 5, 2004.

  1. Sam

    Sam Guest

    Hi,

    I'm setting up a new Windows 2003 server network. Do I need to set up WINS?
    Clients on this network will be Windows XP Pro clients. Maybe later on some
    Mac clients. As far as I know, starting Windows 2000, everything is based on
    DNS so I'm wondering if there's a need for WINS in this new network? Thanks,

    Sam
     
    Sam, Aug 5, 2004
    #1

  2. Thanks,

    Some Applications still require netbios naming to function. Older Outlook
    clients need it. I don't know about the MACs, but I doubt it is relevant to
    them since all the newer MACs at least are based on Unix/Linux now.
     
    Phillip Windell, Aug 5, 2004
    #2

  3. Sam

    Sam Guest

    In other words, it's not necessary for me to worry about WINS if I know that
    everything on this network will be Windows/Office XP or better.

    Thanks,

    Sam
     
    Sam, Aug 5, 2004
    #3
  4. You could still have Applications that require it (like older versions of
    Outlook). You will know when they stop communicating over the network, then
    add a WINS Server to get them going again.
     
    Phillip Windell, Aug 5, 2004
    #4
  5. This seems to be a classic Microsoft "We don't want NetBIOS" scenario. I
    would suggest that you, if possible, turn off NetBIOS on all computers
    too. If this is possible you've removed a security issue from your
    network.
     
    Ole Kristian Bangås, Aug 6, 2004
    #5
  6. Outlook XP does not (as far as I know) require NetBIOS.
     
    Ole Kristian Bangås, Aug 6, 2004
    #6
  7. Yes, and you can't browse.
     
    Lanwench [MVP - Exchange], Aug 6, 2004
    #7
  8. Actually hate to be contradictory, but it DOES require NetBIOS for proper
    Exchange/MAPI functionality...

    837391 - Exchange Server 2003 and Exchange 2000 Server require NetBIOS name
    resolution for full functionality:
    http://support.microsoft.com/default.aspx?scid=837391

    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services

    Security Is Like An Onion, It Has Layers
    HAM AND EGGS: A day's work for a chicken;
    A lifetime commitment for a pig.
     
    Ace Fekay [MVP], Aug 6, 2004
    #8
  9. I am fully aware of that. However, how important is the ability to browse
    when you have an AD infrastructure? In my opinion, I would prefer
    enhanced security to ability to browse the network.
     
    Ole Kristian Bangås, Aug 6, 2004
    #9
  10. Thanks for correcting me. I hate NetBIOS, and I hope that Microsoft
    products will run smoothly without it as soon as possible. However, I
    fear that even Longhorn in some areas is going to require NetBIOS for
    full functionality.
     
    Ole Kristian Bangås, Aug 6, 2004
    #10
  11. I personally really like being able to browse - although it isn't mandatory
    for AD, of course. However, I don't see why having NetBIOS enabled indicates
    a security risk....
     
    Lanwench [MVP - Exchange], Aug 6, 2004
    #11
  12. NetBIOS is an old protocol, known for several vulnerabilities over the
    years. One of these is:

    Flaw in NetBIOS Could Lead to Information Disclosure (824105)
    <url: http://www.microsoft.com/technet/security/bulletin/MS03-034.mspx>

    There are also numerous worms [1] spreading using NetBIOS. Thus, NetBIOS
    does indicate a security risk. I do not believe that Microsoft has been
    able to fully secure NetBIOS yet, and most likely we just have to wait
    to see the next worm spreading over NetBIOS.

    [1] As far as I know, many worms are actually a combination of worms and
    trojans. They get in to a corporate network as a trojan, and then spread
    as a worm.
     
    Ole Kristian Bangås, Aug 6, 2004
    #12
  13. Flaw in NetBIOS Could Lead to Information Disclosure (824105)
    With that logic TCP/IP should be totally banned since most all of them spread
    using it. You also have to consider the likelihood of an exploit even being
    performed in the first place,...TCP/IP = very likely,...Netbios=very
    unlikely.
     
    Phillip Windell, Aug 6, 2004
    #13
  14. Not to mention OSI Level 1-3. However, as I see it, there are some
    differences, unless you are using a different protocol you can't have
    a network without TCP/IP. NetBIOS on the other hand, has very limited
    use. So the cost of removing it is very low.

    When I read technical documentation written by Microsoft I often tend
    to disagree somewhat, but regarding NetBIOS I totally agree. In the
    courses I've attended recently they always state that unless you have
    applications that require NetBIOS, this NetBIOS should be disabled.

    Let me quote MOC 2823 - Implementing and Managing Security in a Windows
    Server 2003 Network, Module 7 page 34:

    "In most cases, file sharing uses NetBIOS, so the file server
    will probably have NetBIOS enabled. Having NetBIOS
    enabled can significantly increase the attack surface of the
    computer by exposing additional ports and services that are
    extremely vulnerable to attacks."

    As of Windows Server 2003 / Windows XP NetBIOS is no longer needed,
    and should thus in my opinion be disabled wherever possible. If you
    have older clients like Windows 98 / Windows NT it's needed however.

    I am very well aware that this is not enough to secure a computer.
    It's not even the most severe security issue. But, it helps, and in
    many occasions it has very few and insignificant (if any) negative
    consequences in pure Windows Server 2003 / Windows XP environments.
     
    Ole Kristian Bangås, Aug 6, 2004
    #14
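
One way to carry out the "disable NetBIOS wherever possible" advice on current Windows versions, as an added example that is not part of any poster's message. It reports the NetBIOS over TCP/IP setting and WINS server of each IP-enabled adapter and changes the setting only when run with the script's own `-Disable` switch (a name chosen for this example). It assumes PowerShell with the CIM cmdlets and an elevated session.

```powershell
# Added example: audit, and optionally disable, NetBIOS over TCP/IP per adapter.
# Run the report first; applications that rely on NetBIOS name resolution
# (the thread mentions Exchange/Outlook) stop resolving names once it is off.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Disable   # example switch; without it the script only reports
)

# Meaning of Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions
$optionNames = @{
    0 = 'Default (setting taken from DHCP)'
    1 = 'Enabled'
    2 = 'Disabled'
}

$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
                            -Filter 'IPEnabled = TRUE'

foreach ($nic in $adapters) {
    $current = [int]$nic.TcpipNetbiosOptions

    # Report row: one object per IP-enabled adapter
    [pscustomobject]@{
        Adapter     = $nic.Description
        IPAddress   = ($nic.IPAddress -join ', ')
        NetBIOS     = $optionNames[$current]
        WINSPrimary = $nic.WINSPrimaryServer
    }

    if ($Disable -and $current -ne 2) {
        if ($PSCmdlet.ShouldProcess($nic.Description, 'Disable NetBIOS over TCP/IP')) {
            $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                                       -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
            # 0 = success, 1 = success but a reboot is required
            if ($result.ReturnValue -notin 0, 1) {
                Write-Warning ("SetTcpipNetbios failed on '{0}' (code {1})" -f `
                               $nic.Description, $result.ReturnValue)
            }
        }
    }
}
```

Running it with `-Disable -WhatIf` lists the adapters that would be changed without touching them.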
  15. I guess if we could get rid of it that would at least be one less thing to
    worry about and have to deal with, but unfortunately the real world keeps
    getting in the way :)
     
    Phillip Windell, Aug 6, 2004
    #15
  16. Unfortunate, but I think it will be here for quite some time. After all, the
    good old-fashioned Network Neighborhood is NetBIOS based and one cannot get
    around that, unless it's changed to use SMBs (port 445) but I can't see how
    and still have legacy compatibility. Exchange/Outlook would fall under this
    category as well, but then one needs to look at compatibility again! There
    are many legacy apps as well that require it. If the vendors updated it to
    use solely DNS, that would eliminate that. So taking it a step further, can
    MS actually make the Browser service work with SMBs only? If the Browser
    service were made to depend on only DNS, then that means EVERYTHING must
    register into DNS. Some places, like large universities opt NOT to allow
    registration due to transient clients (PDA, laptops in the quad, etc) that
    do not belong to the domain and are just passers by.

    --
    Regards,
    Ace

     
    Ace Fekay [MVP], Aug 6, 2004
    #16
  17. Hi Ole, didn't know you were a trainer! Cheers to that!

    Just want to theoretically point out to everyone, and conjecturing, what
    would it take to stop an attacker anyway from coming up with a new method to
    exploit DNS or SMB (say if a new method where DNS is used along with SMBs
    instead of NetBIOS for browser functionality) to exploit that? I'm not
    trying to contradict or anything, but having taught this class along with
    Security +, 2810 and 2830, there's nothing in there conjecturing future
    possibilities. If one has access to the internal systems, maybe just having
    NetBIOS turned off is not enough. I can use Netmon and tell you what's
    going on in a network very easily, if I have access to it. One can also use
    tools like eEye's Retina to grab and organize packets. For most, a door lock
    is just to keep the friendlies out, where a burglar uses other means to
    break into an establishment, and not necessarily thru the front door. Scary
    isn't it? For feature functionality that is added and offered in Windows
    operating systems for increased user productivity, it always opens a door
    to exploits and an attacker with an agenda and a mission. With anything,
    monitoring and auditing will help, but nothing is foolproof, unfortunately.
    I've seen the best locked down tight systems still get broken in thru simple
    social exploits. Wham, got a user acct and pwd, and now they're in thru the
    OWA and into Pub Folders, is one example. Or even thru their VPN, if the VPN
    IP, means and clients are known. Ouch!

    Like I said, just wanted to conjecture about this and point these out.
    Cheers!

    btw- where do you teach at?

    --
    Regards,
    Ace

     
    Ace Fekay [MVP], Aug 6, 2004
    #17
  18. English is not my native language, so I made myself misunderstood.
    I've taken several courses lately, I've not taught them. I hope to
    become a trainer in the future though :) Sorry to have written in
    a way so that you thought I was a trainer.
     
    Ole Kristian Bangås, Aug 7, 2004
    #18
  19. Oh, sorry, my misunderstanding! It's an interesting job being a trainer. :)
    I wish you luck in your endeavors. You will enjoy a training position.

    btw- I hope my security explanation was helpful.
    Cheers!
    :)

    --
    Regards,
    Ace

     
    Ace Fekay [MVP], Aug 7, 2004
    #19
  20. Oh yes. Indeed. Thanks a lot.
     
    Ole Kristian Bangås, Aug 7, 2004
    #20