Network Bondage
Discipline your network bindings in the privacy of your own home.
Microsoft's networking technology is only required for sharing files and printer services with other Microsoft-based PCs. It is not needed for connecting to the Internet or for using any Internet services. Using it in wide area networking (WAN, like the Internet) situations dramatically lowers your security by divulging information about you and your computer, exposing Microsoft's weak password protection system to password crackers over the Internet, bringing your machine to the attention of Internet scanners and intruders, and making you a target for attack.
I have learned a great deal from the feedback and experiences of the quarter of a million visitors who came through this web site during its first 30 days of life. And this site's shocking popularity caused me to invest much more time than I originally had in working out the most foolproof solutions to securing Windows NetBIOS networking.
As a result, the following "Advice and Instruction" pages have been significantly revised. Frankly, I am extremely excited about the new super-solid solutions I've worked out, and I believe you'll be very pleased with the well-deserved feeling of mastery you'll soon have over your Windows networking system.
The second generation guidelines presented on these pages:

- Completely close your system to all NetBIOS name and resource sharing leakage, and firmly shut the three NetBIOS "scanner bait" ports 137, 138, and 139.
- Cost nothing to implement, other than the time taken to read and understand these pages, and do not depend upon any external software.
- Present a single, uniform solution that is very likely to be appropriate for everyone to use in every situation.
- Will not in any way disturb your current Windows or network logon procedures and will not disrupt your dial-up networking or other stored passwords.
- Do not rely upon any "hacking tricks" or undocumented procedures. No warranties will be voided and no one can refuse to support your system on the grounds that you've done something "strange" to it. (You won't have.)
- Can be completely and easily reversed. If you don't like any outcome of following these simple instructions, you will have learned how to easily reverse the simple changes you have made.
- Create a solid foundation for establishing a secure local area network today or tomorrow. When you have read and understood this page and the one that follows, you will have gained a solid understanding of the theoretical and practical aspects of network component binding.
- Return CONTROL of a significant and important aspect of your personal computing experience, your computer's networking, back to YOU, where it always belonged!
Please Note: These "Version 2" instructions ALMOST COMPLETELY eliminate all need for my previous NoShare and LetShare utilities. If you previously used NoShare to shut down NetBIOS and close port 139, you should run LetShare one last time to reverse the effects of NoShare, then delete both programs because they are no longer required and have no purpose.
This is true for all versions of Windows 95, 98, and NT, except for the very first version of Windows 95 (build 950). The very first release of Windows 95 will require NoShare to shut port 139. See the notes below during the discussion of the "missing NetBIOS tab."
Understanding Adapter, Protocol, and Service Binding
The key to taming your computer's network configuration is understanding what is meant by "binding". For example, we say that a network adapter is bound to TCP/IP or that NetBEUI is bound to File and Printer sharing.
The clearest way of visualizing these "binding" relationships is to organize the various network components into three layers:
The Network Services Layer contains client and server services which are used by the local machine's software:
- Client for Microsoft Networks
- File and Printer Sharing for Microsoft Networks

The Transport Protocol Layer contains protocol drivers that implement various network communication protocols:
[diagram: the protocol components shown here are not reproduced in this text]

The Hardware Adapter Layer contains the actual peripheral adapters which connect the system to the external world:
[diagram: the adapter components shown here are not reproduced in this text]
As you can see from this layered perspective, the components in each network layer are isolated and insulated from the components in other layers.
The process known as "binding" bridges the layer boundaries to interconnect pairs of individual components residing in adjacent layers.
Faithful to Microsoft's typical philosophy of "we're going to turn everything on so you won't ask us how to", the default bindings for a system with the components shown above would look like this mess:
In other words ... By default EVERYTHING on each layer is BOUND to EVERYTHING on the adjacent layer!
Each red line above represents one "binding" between two network components on adjacent layers. This "binding" allows the two "bound" network components to communicate with each other. The diagram above shows a system with eighteen network bindings.
You don't need to be a rocket scientist to easily see why this is unsafe: the insecure Microsoft networking components, the Client for Microsoft Networks and File and Printer Sharing, are bound to the Internet's worldwide routable TCP/IP protocol, and the TCP/IP protocol is bound to ALL of the system adapters! Thus, anytime this system has any contact with the Internet, the machine's guts are spilling out for the whole world to access!
By comparison, the following binding diagram shows a deliberately minimal binding configuration that provides all the communication required by most Internet users and no more! (Note that this "ultra-minimal" binding is not recommended due to a bug in all versions of Windows 9x ... but more about that on the next page.)
As you might imagine, this configuration is much more secure. And what's amazing is that it still does everything that's needed but nothing more. As you can see, there's NO WAY for the unsafe Microsoft services to touch the Internet!
To provide for safe Internet communication, the system's TCP/IP protocol is bound to the interfaces that have contact with the Internet. Since the various Internet-using clients like web browsers, eMail and FTP clients, and so forth, do not use or need the Microsoft Networking services, there is absolutely no need to bind those Microsoft services to the Internet's world-wide routable TCP/IP protocol. (They should never have been!)
And what about that stranded IPX/SPX protocol component that's no longer hooked up? Since it's no longer connected to anything it will disappear all by itself after a reboot.
You can clearly see that by taking control of your system's network bindings you can immediately secure and streamline your system's operation.
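The three-layer binding model above can be expressed as a small graph and checked mechanically. The following Python is an added example, not code from the original page: it reproduces the "everything bound to everything" default, an assumed minimal layout in the spirit of the page's second diagram, and a check for any path from a Microsoft networking service, over a routable protocol, to an Internet-facing adapter. The protocol and adapter names other than TCP/IP are assumptions made for the illustration.

```python
"""Three-layer model of Windows network component binding.

Added example, not code from the original page. Services, protocols and
adapters are layers; bindings join adjacent layers. The protocol and
adapter names beyond TCP/IP are assumptions made for illustration.
"""
from itertools import product

SERVICES = ["Client for Microsoft Networks", "File and Printer Sharing"]
PROTOCOLS = ["TCP/IP", "NetBEUI", "IPX/SPX"]        # assumed protocol set
ADAPTERS = ["Dial-Up Adapter", "Ethernet Adapter"]  # assumed adapter set
INTERNET_ADAPTERS = {"Dial-Up Adapter"}  # adapters with Internet contact
ROUTABLE = {"TCP/IP"}                    # protocols routed across the Internet

def default_bindings():
    """Windows default: every component bound to every adjacent-layer one."""
    return set(product(SERVICES, PROTOCOLS)), set(product(PROTOCOLS, ADAPTERS))

def minimal_bindings():
    """Assumed minimal layout: TCP/IP only on Internet-facing adapters,
    Microsoft services only on non-routable NetBEUI over the LAN adapter."""
    svc_proto = {(s, "NetBEUI") for s in SERVICES}
    proto_adapter = {("TCP/IP", a) for a in INTERNET_ADAPTERS}
    proto_adapter |= {("NetBEUI", a) for a in ADAPTERS if a not in INTERNET_ADAPTERS}
    return svc_proto, proto_adapter

def binding_count(svc_proto, proto_adapter):
    """Number of 'red lines' a binding diagram would draw."""
    return len(svc_proto) + len(proto_adapter)

def exposed_services(svc_proto, proto_adapter):
    """Paths service -> routable protocol -> Internet-facing adapter.
    Any hit means the NetBIOS services are reachable from the Internet."""
    hits = set()
    for svc, proto in svc_proto:
        if proto not in ROUTABLE:
            continue
        for proto2, adapter in proto_adapter:
            if proto2 == proto and adapter in INTERNET_ADAPTERS:
                hits.add((svc, proto, adapter))
    return sorted(hits)

def orphaned_protocols(svc_proto, proto_adapter):
    """Protocols bound to nothing on either side; Windows drops them on reboot."""
    used = {p for _, p in svc_proto} | {p for p, _ in proto_adapter}
    return sorted(p for p in PROTOCOLS if p not in used)
```

With the default bindings both Microsoft services show up as exposed over TCP/IP on the dial-up adapter; with the minimal layout no path exists and IPX/SPX is reported as orphaned, matching the page's remark that it disappears after a reboot.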
Are YOU your system's administrator?
Rebinding Windows network components limits the communications protocols that are allowed to travel across your network connections. In corporate settings, this can have a significant impact on your system's ability to interact with other network resources. If you are not your system or network administrator, please run all this by them before making any changes to your system.
A Note Regarding Unreleased Operating Systems:
We take our contractual obligations seriously. As a developer of Microsoft-related application software, we often enter into Microsoft's Non-Disclosure Agreements (NDAs), which dramatically curtail our subsequent ability to disclose and comment. Thus, we are completely unable to comment, publicly or privately, regarding any unreleased operating system software. Please don't ask. Thanks for your understanding.
Okay . . . So Let's Do It!
Taking intelligent and deliberate control of your computer's network bindings is the single best thing you can do for your system's Internet connection security.
This is where Windows NT users part company from users of Windows 95 and 98. The very different heritages of the systems cause them to take quite different approaches to expressing the solutions to the same problem.
So choose the path you want to follow and we'll continue . . .