Hepix/Hepnt Desktop NetBIOS Port Block Survey Results

Jack Schmidt, Fermilab, Winter 2003

Updated 18-Mar-03. Added information from DESY.


Background

Fermilab began re-evaluating its policy on blocking incoming NetBIOS port traffic in the Fall of 2002. To get a better sense of what the HEP community is doing about NetBIOS blocks, a survey was sent to the hepix-hepnt@fnal.gov email list in January 2003.


Survey

The survey consisted of 4 questions:
  1. Do you block any NetBIOS ports?
  2. If yes, which ports do you block:
    • 135 NetBIOS Remote Procedure Call
    • 137 NetBIOS name service
    • 138 NetBIOS datagram
    • 139 NetBIOS session (file/print sharing)
    • 445 CIFS (much like port 139; XP, W2K)
  3. Do you block any other Microsoft related ports than listed above? If so why?
  4. How do you provide offsite users with a way to access resources? (VPN, specific file server exemptions)


Survey Results

Labs/Universities that responded were: SLAC, Oxford, RAL, Triumf, CERN, NIKHEF, Saclay, PSI, JLAB, IN2P3, DESY.
Below is a compilation of the responses:

1) Do you block any NetBIOS ports?

Yes: SLAC, Oxford, RAL, Triumf, CERN, NIKHEF, Saclay, PSI, JLAB, IN2P3, DESY

2) If yes, which ports do you block:

ALL listed: SLAC, Oxford, RAL, Triumf, CERN, NIKHEF, Saclay, PSI, JLAB, IN2P3, DESY

3) Do you block any other Microsoft related ports than listed above? If so why?

Yes:
Lab      Comment
SLAC     Default block below 1024, 1723 pptp, 3389 rdp.
RAL      Default to block everything and open only needed ports.
CERN     Terminal server and DFS.
NIKHEF   Block most ports below port 1024, this includes the NetBIOS ports. (ssl port open)
PSI      Block everything but ssh and AFS.
JLAB     Block most everything by default.
IN2P3    All Windows related ports.
DESY     Everything is blocked per default. Some exceptions are made where it is necessary.

No:
Lab      Comment
Saclay   No comment.
Triumf   No.
Oxford   No comment.


4) How do you provide offsite users with a way to access resources? (VPN, specific file server exemptions)

Lab      Comment
SLAC     Reasonably happy. Even with daily updates some things slip through.
Oxford   VPN.
RAL      VPN (pptp server), ssh 'bastion host' and a RAS dial-in service.
Triumf   SSH, HTTPS and a server that allows 445 connections.
CERN     VPN service available. Examining F-Secure SSH Windows servers.
NIKHEF   Dial-in solution in place. Exploring VPN technology.
Saclay   Callback solution in place. Exploring VPN technology.
PSI      ssh.
JLAB     ssh or scp/SafeTP. Looking to explore a VPN solution in the future.
IN2P3    No comment.
DESY     VPN via IPSec, ssh to some special hosts, MindTerm applet, dial-in service.




Summary Comments

Fermilab is moving toward blocking all incoming NetBIOS traffic. At the time of this writing, NetBIOS and LDAP traffic to the Windows 2000 domain controllers is blocked. The next phase will block all Windows machines in early spring. Exceptions to the block will be permitted but require approval from the Windows Policy Committee and Computer Security. We are presently evaluating a VPN solution. Once this is in place the exceptions will be removed and connections will be forced through the VPN.
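The "block everything, exceptions only with approval" policy that most respondents describe can be checked mechanically. The following is an added illustration, not code from the survey or from any of the labs: a small first-match packet-filter evaluator that audits whether the five surveyed ports (135, 137, 138, 139, 445) are reachable on any host without an approved exception. The rule set, the approved-exception list and the host addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
import ipaddress

# The five ports from survey question 2, keyed to the service each carries.
NETBIOS_PORTS = {135: "RPC", 137: "name service", 138: "datagram",
                 139: "session", 445: "CIFS"}

# Constructed inbound rule set in the "deny by default, open what is needed"
# style RAL and DESY describe.  Fields: action, protocol, destination
# network, destination port (None = any).  First matching rule wins.
RULES = [
    ("allow", "tcp", "192.0.2.0/24", 445),      # approved file-server subnet
    ("allow", "tcp", "198.51.100.0/24", 139),   # stale exemption, never approved
    ("deny",  "any", "0.0.0.0/0", 135),
    ("deny",  "any", "0.0.0.0/0", 137),
    ("deny",  "any", "0.0.0.0/0", 138),
    ("deny",  "any", "0.0.0.0/0", 139),
    ("deny",  "any", "0.0.0.0/0", 445),
    ("allow", "tcp", "0.0.0.0/0", 22),          # ssh stays open, as at PSI/JLAB
]
APPROVED = [("192.0.2.0/24", 445)]              # (network, port) pairs signed off
HOSTS = ["192.0.2.10", "198.51.100.7", "203.0.113.3"]  # constructed sample hosts


def evaluate(rules, proto, dst_ip, port):
    """Return the verdict of the first rule matching (proto, dst_ip, port).
    Protocol 'any' and port None act as wildcards; no match means deny."""
    ip = ipaddress.ip_address(dst_ip)
    for action, r_proto, r_net, r_port in rules:
        if r_proto not in ("any", proto):
            continue
        if ip not in ipaddress.ip_network(r_net):
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "deny"  # implicit default-deny at the end of the chain


def audit_netbios(rules, hosts, approved):
    """List (host, port) pairs reachable on a NetBIOS/CIFS port over TCP or
    UDP that no approved exception covers, i.e. gaps in the block policy."""
    gaps = []
    for host in hosts:
        ip = ipaddress.ip_address(host)
        for port in NETBIOS_PORTS:
            reachable = any(evaluate(rules, p, host, port) == "allow"
                            for p in ("tcp", "udp"))
            covered = any(ip in ipaddress.ip_network(net) and port == p
                          for net, p in approved)
            if reachable and not covered:
                gaps.append((host, port))
    return gaps
```

The audit over the constructed data reports only the stale port 139 exemption; the approved file-server exception on 445 is accepted.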