Internet Connection Security for Windows Users |
by Steve Gibson, Gibson Research Corporation |
Network Discipline for Windows 9x As we saw on the previous page, Microsoft's default binding of "everything to everything" results in very insecure networking. Once we understand which (very few) bindings are actually needed, the security of any Windows system can be greatly enhanced by simply "unbinding" everything else. This page provides detailed directions to help you do exactly that. Changing these bindings does not delete or remove anything from your system, so you'll be able to undo any changes you make and update your network bindings at any time in the future if your needs ever change.
|
Necessity is the Mother of Invention . . .
To recap: All versions of Windows 9x have an annoying bug that causes installed network components without any bindings to "disappear" from the Network properties listing. This occurs even though they are still installed and functioning! Subsequent reconfiguration becomes difficult since the component's listing has disappeared and this disappearing trick will mislead and confuse anyone who later attempts to examine the system's configuration. Microsoft has presumably never even noticed this bug. Since they bind everything to everything by default ... But, as you've probably guessed, YOU are about to embark upon a major "unbinding spree" because, believe it or not, the ONLY bindings you need for total Internet access look like this! . . . Therefore, since we don't want the components we've unbound disappearing from the component list (except for the unneeded IPX/SPX transport which we'll allow to float away), a configuration similar to the following will be our goal . . . Therefore, although it's not strictly necessary,
into all well configured Windows networking systems. Aside from giving us something to use as a safe anchor for the usually-unneeded Microsoft Networking components, NetBEUI has the additional advantage of supporting the evolution of your system by providing safe local file and printer sharing at any time in the future. And, if you are already running a local network of computers you will gain immediate benefit from the use of the safe NetBEUI transport. ALSO . . . The sample screen shots shown on this page will probably be different from what you see on your computer. They are intended only to help keep you synchronized with the instructions. You should NEVER install anything other than the NetBEUI transport protocol as explained below. If your system is operating without some of the services shown in my sample screen shots, you should consider yourself fortunate for getting by with less junk loaded!
So . . . here's what we're going to do:
|
(To avoid needless, annoying, and time consuming system reboots, try to avoid clicking this box's "OK" button until everything has been reconfigured.)
With the Network dialog box open, scroll through the installed component listing (similar to what's shown above) to see whether your system already contains the NetBEUI transport. You'll see one or more lines starting with the transport icon and word "NetBEUI" as shown at the upper left of this paragraph.
the NetBEUI Transport" section that follows and continue at #2 - Set the Hardware Adapter Bindings section.
Begin by opening the Windows Networking configuration dialog box if it's not still open. (See the inset box above for details.)
|
Since bindings work as anchors to prevent higher-level components from drifting off, we'll start at the bottom-most network layer (the hardware) and work our way up. Returning to the list of installed network components, scroll to the top and identify your system's installed hardware adapters. Each adapter is identified by a circuit-board like icon and name as depicted in the image to the left. Your particular adapters will probably differ from those shown. Dial-Up Networking users may only have a "Dial-Up Adapter" whereas Cable Modem and DSL users may only have a single entry for their "NIC" (Network Interface Card).
This will display the adapter properties dialog box. If the "bindings" tab is not currently in front, click the "bindings" tab once to bring it to the front:
The bindings list will contain one entry for each protocol currently installed in your system. You should at least find entries for the NetBEUI and TCP/IP protocols since TCP/IP is required to use the Internet (which you're using right now!) and you will have just installed the NetBEUI protocol if it wasn't already installed. Many systems also have IPX/SPX installed (for no reason). One way to visualize this is to refer to the binding diagram below and imagine that each adapter is "looking up" to see the array of protocols which are available to it on the level just above. All available protocols are shown in the "Bindings" list for each adapter. The "checkmarks" at the beginning of each line show to which of the protocols this chosen adapter is currently bound. As you'd expect, the adapter can be bound and unbound to and from each respective transport by clicking in the checkbox to toggle the checkmark on and off.
each of your system's adapters in turn, setting their bindings as appropriate.
Here are some example scenarios to demonstrate the application of these guidelines:
|
Looking again at the now-familiar Network properties dialog box, you'll see a group of lines that all start with the "protocol" icon. (Shown enlarged to the left of this paragraph.) The listing of protocols will take either of two different forms, depending upon whether you have more than one hardware adapter: If your system has a single adapter, your protocol list will look something like this: But if your system has two adapters your protocol list will be a bit more complex, looking something like this: As you can see, multi-adapter systems have one listing per adapter per protocol. In other words, each adapter-protocol pairing has a listing in the components window. This could be useful since it would allow you to bind individual services not only to a particular transport protocol, but even to individual adapters used by that protocol. Although you might think of some nifty way to make use of this (now that you know you can), for our purposes we'll be setting each instance of each protocol identically.
This will display the transport protocol properties dialog box. If the "bindings" tab is not currently in front, click the "bindings" tab once to bring it to the front:
As when we edited the hardware adapter bindings, "Checkmarks" at the beginning of each line show to which of the system services this chosen transport protocol (or protocol/adapter pairing) is currently bound. And, of course, the service may be bound and unbound by clicking the checkbox to toggle the checkmark on and off.
If you follow the three steps above to set the service bindings for each of your system's installed transports (or transport/adapter pairings) you will completely secure your system against NetBIOS information leakage and completely hide it from all passing NetBIOS service and shares scanners!
the system for NetBIOS-Safe Internet access!
|
After unbinding all services from all TCP/IP transport protocol lines, then rebooting to allow those unbindings to take effect, the "I want to enable NetBIOS over TCP/IP" option on the NetBIOS tab of each TCP/IP properties dialog (as shown above) will no longer be greyed-out. And it will usually but not always no longer be checked. If this option is still checked you must be sure to uncheck it for every TCP/IP transport protocol line in your Network components listing. Once that's been done, reboot your system one last time . . . and you will have secured your system's NetBIOS system and firmly closed port 139!
|
Since you will have moved your file and printer sharing from the TCP/IP transport over to NetBEUI, all other systems participating on your local area network must also have their file and printer sharing enabled for use with the NetBEUI transport. After repeating the instructions above for every machine, local communication will be securely enabled throughout your entire network.
|
Unfortunately, my ability to help you personally or directly is hampered by this site's tremendous success and traffic. We average nearly ten thousand visitors per day so there's just no way for me to interact individually with even a fraction of all those people. I really would, if I could. But I need to be working on the next generation of really cool Internet security software that you want from me. If my days are spent answering specific questions we'll never see anything else from me. So, I've assembled a bunch of self-help material on this site that should go a long way to helping you with odd events and empowering you to find solutions to your specific dilemmas: What could go wrong? Perhaps, despite unbinding everything as described above, for some reason your port 139 is still showing as "wide open" and you're worried. Or, perhaps the "unbinding" of something has had some unexpected side-effect on your system or its Internet connectivity. The most useful bits of advice I have are:
|
Taking intelligent and deliberate control of your computer's network bindings is the single best thing you can do for your system's Internet connection security. The "second generation" guidelines presented above:
Although I'm a BIG fan of Personal Firewall products, as you'll see on page 7, "Personal Firewalls", the tremendous power of these straightforward "component unbinding" techniques has allowed you to disable an unwanted and unneeded capability from your system. This solution is superior to depending upon some other product or technology to "suppress" that unwanted capability. That's an important distinction in the realm of robust security. AND, if neutering your system's networking is not possible because you do still need to share files across the Internet then full security will require the suppression of unwanted networking capabilities. The following two pages, "Evil Port Monitors" and "Personal Firewalls" detail your options and discuss pitfalls.
|
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy. |
Last Edit: Dec 31, 2004 at 17:09 (7,224.43 days ago) | Viewed 4 times per day |