NOW SpinRite 6.1 – Fast and useful for spinning and solid state mass storage!



Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation
Network Bondage
Discipline your network bindings in the privacy of your own home.


Microsoft's networking technology is only required for sharing files and printer services with other Microsoft-based PC's. It is not needed for connecting to the Internet or for using any Internet services. Using it in wide area networking (WAN - like the Internet) situations, dramatically lowers your security by divulging information about you and your computer, exposing Microsoft's weak password protection system to password crackers over the Internet, bringing your machine to the attention of Internet scanners and intruders and making you a target for attack.

ShieldsUP! Advice: 
  Version 2  

I have learned a great deal from the feedback and experiences of the quarter of a million visitors who came through this web site during its first 30 days of life. And this site's shocking popularity caused me to invest much more time than I originally had in working out the most foolproof solutions to securing Windows NetBIOS networking.

As a result, the following "Advice and Instruction" pages have been significantly revised. Frankly, I am extremely excited about the new super-solid solutions I've worked out, and I believe you'll be very pleased with the well-deserved feeling of mastery you'll soon have over your Windows networking system.


The second generation guidelines
presented on these pages:
Completely close your system to all NetBIOS name and resource sharing leakage, and firmly shut the three NetBIOS "scanner bait" ports 137, 138, and 139.
Cost nothing to implement, other than the time taken to read and understand these pages, and do not depend upon any external software.
Present a single, uniform, solution that is very likely to be appropriate for everyone to use in every situation.
Will not in any way disturb your current Windows or network logon procedures and will not disrupt your dial-up networking or other stored passwords.
Do not rely upon any "hacking tricks" or undocumented procedures. No warranties will be voided and no one can refuse to support your system on the grounds that you've done something "strange" to it. (You won't have.)
Can be completely and easily reversed. If you don't like any outcome of following these simple instructions you will have learned how to easily reverse the simple changes you have made.
Create a solid foundation for establishing a secure local area network — today or tomorrow. When you have read and understood this page and the one that follows, you will have gained a solid understanding of the theoretical and practical aspects of network component binding.
Return CONTROL of a significant and important aspect of your personal computing experience — your computer's networking — back to YOU where it always belonged!

    
Please Note:

These "Version 2" instructions ALMOST COMPLETELY eliminate all need for my previous NoShare and LetShare utilities. If you previously used NoShare to shut down NetBIOS and close port 139, you should run LetShare one last time to reverse the effects of NoShare, then delete both programs because they are no longer required and have no purpose.

This is true for all versions of Windows 95, 98, and NT, except for the very first version of Windows 95 (build 950). The very first release of Windows 95 will require NoShare to shut port 139. See the notes below during the discussion of the "missing NetBIOS tab."



Understanding Adapter, Protocol, and Service Binding


The key to taming your computer's network configuration is understanding what is meant by "binding". For example, we say that a network adapter is bound to TCP/IP or that NetBEUI is bound to File and Printer sharing.

The clearest way of visualizing these "binding" relationships is to organize the various network components into three layers:

The Network Services Layer
contains client and server
services which are used by
the local machine's software:
   
Client for
Microsoft
Networks
File and Printer
Sharing for
Microsoft Netwk
Microsoft
Family
Logon



The Transport Protocol Layer
contains protocol drivers that
implement various network
communication protocols:
   
TCP/IP
NetBEUI
IPX/SPX



The Hardware Adapter Layer
contains the actual peripheral
adapters which connect the
system to the external world:
   
Dial-Up
Adapter
Cable/DSL
Interface
Local Network
Interface

As you can see from this layered perspective, the components in each network layer are isolated and insulated from the components in other layers.

The process known as "binding" bridges the layer
boundaries to interconnect pairs of individual
components residing in adjacent layers.

Faithful to Microsoft's typical philosophy of "we're going to turn everything on so you won't ask us how to", the default bindings for a system with the components shown above would look like this mess:

In other words ... By default EVERYTHING on each layer is BOUND to EVERYTHING on the adjacent layer!

Each red line above represents one "binding" between two network components on adjacent layers. This "binding" allows the two "bound" network components to communicate with each other. The diagram above shows a system with eighteen network bindings.

You don't need to be a rocket scientist to easily see why this is unsafe: The insecure Microsoft networking components — the Client for Microsoft Networks and File and Printer Sharing — are bound to the Internet's worldwide routable TCP/IP protocol, and the TCP/IP protocol is bound to ALL of the system adapters! Thus, anytime this system has any contact with the Internet, the machine's guts are spilling out for the whole world to access!

By comparison, the following binding diagram shows a deliberately minimal binding configuration that provides all the communication required by most Internet users and no more! (Note that this "ultra-minimal" binding is not recommended due to a bug in all versions of Windows 9x ... but more about that on the next page.)

As you might imagine, this configuration is much more secure. And what's amazing is that it still does everything that's needed — but nothing more. As you can see, there's NO WAY for the unsafe Microsoft services to touch the Internet!

To provide for safe Internet communication, the system's TCP/IP protocol is bound to the interfaces that have contact with the Internet. Since the various Internet-using clients like web browsers, eMail and FTP clients, and so forth, do not use or need the Microsoft Networking services, there is absolutely no need to bind those Microsoft services to the Internet's world-wide routable TCP/IP protocol. (They should never have been!)

And what about that stranded IPX/SPX protocol component that's no longer hooked up? Since it's no longer connected to anything it will disappear all by itself after a reboot.

You can clearly see that by taking control of your
system's network bindings you can immediately
secure and streamline your system's operation.


Are YOU your system's administrator?

Rebinding Windows network components limits the communications protocols that are allowed to travel across your network connections. In corporate settings, this can have a significant impact on your system's ability to interact with other network resources. If you are not your system or network administrator, please run all this by them before making any changes to your system.

A Note Regarding Unreleased Operating Systems:

We take our contractual obligations seriously. As a developer of Microsoft-related application software, we often enter into Microsoft's Non-Disclosure Agreements (NDA's) which dramatically curtail our subsequent ability to disclose and comment. Thus, we are completely unable to comment, publicly or privately, regarding any unreleased operating system software. Please don't ask. Thanks for your understanding.



Okay . . . So Let's Do It!


Taking intelligent and deliberate control of your computer's network bindings is the single best thing you can do for your system's Internet connection security.

This is where Windows NT users part company from users of Windows 95 and 98. The very different heritages of the systems cause them to take quite different approaches to expressing the solutions to the same problem.

So choose the path you want to follow and we'll continue . . .

      

To continue, please see: Evil Port Monitors

You are invited to browse these pages for additional information:

1  Shields UP! Home 
5  Network Bondage 
9  Public Forum 
2  Explain this to Me! 
6  Evil Port Monitors 
10  Be Notified 
3  Am I in Danger? 
7  Personal Firewalls 
11  FAQ 
4  What Can I Do? 
8  Further Reading 
12  Site Evolution 

Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: Oct 06, 2003 at 14:29 (7,674.61 days ago)Viewed 13 times per day