https



Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation
Network Discipline for Windows 9x

As we saw on the previous page, Microsoft's default binding of "everything to everything" results in very insecure networking. Once we understand which (very few) bindings are actually needed, the security of any Windows system can be greatly enhanced by simply "unbinding" everything else. This page provides detailed directions to help you do exactly that.

Changing these bindings does not delete or remove anything from your system, so you'll be able to undo any changes you make and update your network bindings at any time in the future if your needs ever change.
Windows NT4: The instructions on this page only apply to Windows 95 and 98. The "Network Discipline for Windows NT" page contains instructions specific to Windows NT.
Win98 ICS: The Internet Connection Sharing (ICS) technology included in the Second Edition of Windows 98 provides "Network Address Translation" (NAT) services to hide the IP addresses of your local machines and creates good security all by itself. (As you may have already found.) Even though NAT makes unbinding somewhat less critical, since excess networking bindings are never a good thing, the following instructions are still useful for users of Network Address Translating systems.

Necessity is the Mother of Invention . . .

To recap: All versions of Windows 9x have an annoying bug that causes installed network components without any bindings to "disappear" from the Network properties listing. This occurs even though they are still installed and functioning! Subsequent reconfiguration becomes difficult since the component's listing has disappeared and this disappearing trick will mislead and confuse anyone who later attempts to examine the system's configuration. Microsoft has presumably never even noticed this bug.

Since they bind everything to everything by default ...
. . . there's probably never been a situation where a network component was given the opportunity to float off into the sunset after being cut loose from all of its neighbors!

But, as you've probably guessed, YOU are about to embark upon a major "unbinding spree" because, believe it or not, the ONLY bindings you need for total Internet access look like this! . . .
The problem with using this truly optimal and minimal binding configuration is that, as I said above, that annoying bug in all versions of Windows 9x causes any completely unbound components to disappear from the network components listing.

Therefore, since we don't want the components we've unbound disappearing from the component list (except for the unneeded IPX/SPX transport which we'll allow to float away), a configuration similar to the following will be our goal . . .
As you can see from the diagram above, a safe network binding configuration depends heavily upon a non-TCP/IP transport (NetBEUI in the diagram above) to "anchor" the various Microsoft network services. It is not safe to bind them to TCP/IP, but if we don't bind them to something they will stay installed but disappear from sight.

Therefore, although it's not strictly necessary,

I advocate installing the "benign" NetBEUI transport
into all well configured Windows networking systems.

Aside from giving us something to use as a safe anchor for the usually-unneeded Microsoft Networking components, NetBEUI has the additional advantage of supporting the evolution of your system by providing safe local file and printer sharing at any time in the future. And, if you are already running a local network of computers you will gain immediate benefit from the use of the safe NetBEUI transport.

ALSO . . . The sample screen shots shown on this page will probably be different from what you see on your computer. They are intended only to help keep you synchronized with the instructions. You should NEVER install anything other than the NetBEUI transport protocol as explained below. If your system is operating without some of the services shown in my sample screen shots, you should consider yourself fortunate for getting by with less junk loaded! 

A Special Note for Network Gamers

Many real-time local area network based games pre-date the Internet's IP protocol and have traditionally required the use of the IPX/SPX transport for inter-game communication. If you are currently using networked games over the IPX/SPX transport, or if you plan to in the future, you can — and probably should — substitute the IPX/SPX protocol for NetBEUI throughout this entire discussion. You will need IPX/SPX for your gaming and it can be seamlessly substituted for NetBEUI with little impact to your system's security.

So . . . here's what we're going to do:

    Install the safe NetBEUI Protocol (if it's not already present).

    Establish minimal and secure hardware adapter bindings.

    Establish minimal and secure network transport bindings.

    Restart the system to "make it so!"

Install the NetBEUI Protocol
To begin, follow the instructions in the box below to open the Network configuration dialog box.

(To avoid needless, annoying, and time consuming system reboots, try to avoid clicking this box's "OK" button until everything has been reconfigured.)

To open the Network configuration dialog box. . .
First open the Windows Control Panel (from the Start button choose "Settings" then "Control Panel"). Then open the Network configuration dialog box by double clicking on the Control Panel's "Network" icon (see the icon above/left). You should be presented with the following dialog box (the exact contents will differ):

With the Network dialog box open, scroll through the installed component listing (similar to what's shown above) to see whether your system already contains the NetBEUI transport. You'll see one or more lines starting with the transport icon and word "NetBEUI" as shown at the upper left of this paragraph.

If NetBEUI is already listed you should skip over the "Installing
the NetBEUI Transport" section that follows and continue at
#2 - Set the Hardware Adapter Bindings section.


Installing the NetBEUI Transport

Installing a protocol that's new to Windows will require copying some files from the master Windows CAB files. These may have been copied onto your system's hard drive (usually underneath the c:\windows directory), or they might only be located on your original Windows 9x CD-ROM. Since you've probably installed other software that resulted in a dialog box saying "Windows needs to copy some files ..." you probably know the drill. So, you'll need to do whatever you normally do to have this eventuality.

Begin by opening the Windows Networking configuration dialog box if it's not still open. (See the inset box above for details.)

With the Network properties dialog box open . . .
Click the "Add ..." button just below the list of installed network components. This will present the following Network Component Type selection dialog box:
Click the "Protocol" type once with the mouse to select it, then click that dialog's "Add..." button to the right. This will display the following Network Protocol selection dialog box:
Click "Microsoft" on the left to select among the available Microsoft provided protocols, then scroll the list on the right down until the line with "NetBEUI" (as shown above) appears and click on it once to select it.

Click the "OK" button at the bottom of this dialog to confirm your choice and dismiss this dialog box. (Note: It's better not to dismiss the main Network dialog box until we're finished since it will require a time-consuming reboot of Windows.)

Set Your Hardware Adapter Bindings
After making sure that we have NetBEUI available to serve as our "unwanted services anchor" we're ready to establish the system's network component bindings.

Since bindings work as anchors to prevent higher-level components from drifting off, we'll start at the bottom-most network layer (the hardware) and work our way up.

Returning to the list of installed network components, scroll to the top and identify your system's installed hardware adapters. Each adapter is identified by a circuit-board like icon and name as depicted in the image to the left. Your particular adapters will probably differ from those shown. Dial-Up Networking users may only have a "Dial-Up Adapter" whereas Cable Modem and DSL users may only have a single entry for their "NIC" (Network Interface Card).


Changing Each Adapter's Bindings

Each adapter's transport bindings can be viewed and edited by clicking once on the adapter's name in the networking components list, then clicking the "Properties" button just below the list (or you can just double-click on the adapter name).

This will display the adapter properties dialog box. If the "bindings" tab is not currently in front, click the "bindings" tab once to bring it to the front:

The bindings list will contain one entry for each protocol currently installed in your system. You should at least find entries for the NetBEUI and TCP/IP protocols since TCP/IP is required to use the Internet (which you're using right now!) and you will have just installed the NetBEUI protocol if it wasn't already installed. Many systems also have IPX/SPX installed (for no reason).

One way to visualize this is to refer to the binding diagram below and imagine that each adapter is "looking up" to see the array of protocols which are available to it on the level just above. All available protocols are shown in the "Bindings" list for each adapter. The "checkmarks" at the beginning of each line show to which of the protocols this chosen adapter is currently bound.

As you'd expect, the adapter can be bound and unbound to and from each respective transport by clicking in the checkbox to toggle the checkmark on and off.


Establishing Optimal Adapter Bindings

Referring again to this network bindings diagram:

Our goals for optimal adapter bindings are:
Bind the TCP/IP transport only to adapter(s) that connect to the Internet. This is not strictly necessary, since there's really no harm in leaving TCP/IP bound to all hardware adapters (if you have more than one), but there's also no good reason to have your system cluttered with unnecessary bindings. NetBEUI — which was designed for local area networking — much more elegantly handles all local area networking needs with absolutely NO configuration. TCP/IP — which was designed for global networking — requires significant configuration.
Bind the NetBEUI transport only to adapters that will be used for local area networking, if any. To keep NetBEUI from disappearing due to the Windows 9x network configuration bug, it must always be anchored to at least one adapter. So, if your system only has a single network adapter be sure to bind NetBEUI to it. But if you have a choice of adapters and one or more are not used to connect to the Internet, you can bind NetBEUI to those and unbind it from any others.
Unbind all other unneeded network transports (like IPX/SPX in the example above) from ALL network adapters. This will release the unneeded and unused transports along with any services which are bound only to them.

Following the guidelines above, examine
each of your system's adapters in turn,
setting their bindings as appropriate.

Here are some example scenarios to demonstrate the application of these guidelines:

 Users who connect to the Internet through a Dial-Up Adapter, and who do not also have a local area networking adapter will simply want to leave TCP/IP and NetBEUI bound to their Dial-Up adapter while unbinding anything else (like the IPX/SPX transport protocol.)

 Users who connect to the Internet through a Cable Modem or DSL connection will have a Network Adapter of some sort installed. This adapter should be bound to TCP/IP and NetBEUI and unbound from anything else (like the IPX/SPX transport protocol.) If the system also has a Dial-Up Adapter it can be unbound from the NetBEUI transport since the network interface card will serve as NetBEUI's anchor.

 Users with local area networks who want all of their machines to have access to the Internet should bind TCP/IP and NetBEUI to their network adapters and unbind anything else. And within that network, machines which do not need (or should not have) Internet access (such as, perhaps, a young child's computer) should only have NetBEUI bound to the network interface since that machine would have no need for the Internet's TCP/IP transport.

Set Your Network Transport Bindings
With the hardware adapter bindings optimized, we're ready to move up to the next level. Here we'll establish the optimum bindings between each network transport protocol and the network services above them ...

Looking again at the now-familiar Network properties dialog box, you'll see a group of lines that all start with the "protocol" icon. (Shown enlarged to the left of this paragraph.) The listing of protocols will take either of two different forms, depending upon whether you have more than one hardware adapter:

If your system has a single adapter, your protocol list will look something like this:


But if your system has two adapters your protocol list will be a bit more complex, looking something like this:


As you can see, multi-adapter systems have one listing per adapter per protocol. In other words, each adapter-protocol pairing has a listing in the components window. This could be useful since it would allow you to bind individual services not only to a particular transport protocol, but even to individual adapters used by that protocol. Although you might think of some nifty way to make use of this (now that you know you can), for our purposes we'll be setting each instance of each protocol identically.


Changing Each Protocol's Bindings

As with adapter bindings, the bindings for each transport protocol (or transport/adapter pair) can be viewed and edited by clicking once on the protocol's name in the networking components list, then clicking the "Properties" button just below the list (or you can just double-click on the adapter name).

This will display the transport protocol properties dialog box. If the "bindings" tab is not currently in front, click the "bindings" tab once to bring it to the front:

TCP/IP Dial-Up Information:

When the TCP/IP Properties dialog box for a Dial-Up Adapter is opened, an information dialog box may appear explaining that you may want to be editing the TCP/IP properties for a particular dial-up connection, rather than these properties which will apply to all dial-up connections. Network service bindings can not be set on an individual dial-up connection basis. Therefore, we do want to be editing these. Dismiss the dialog by pressing "OK", then proceed. . .

As when we edited the hardware adapter bindings, "Checkmarks" at the beginning of each line show to which of the system services this chosen transport protocol (or protocol/adapter pairing) is currently bound. And, of course, the service may be bound and unbound by clicking the checkbox to toggle the checkmark on and off.


Establishing Optimal Protocol Bindings

Referring again to our very familiar network bindings diagram:

The steps required to configure your system for optimal protocol binding are:
Unbind ALL network services from EVERY instance of the TCP/IP protocol!
This is the THE SINGLE MOST IMPORTANT INSTRUCTION on this entire website! If you do NOTHING ELSE, examine every line beginning with "TCP/IP" and remove all of the checkmarks from the services listed on the bindings tab! (Note that when you click "OK" after unbinding everything, Windows will think you're nuts and will warn you that you "have not selected any drivers to bind with." Just click "NO" to proceed.)

After a reboot, the information-leaking port 139 will finally be closed . . . but ONLY IF every service is unbound from every instance of the TCP/IP protocol. If ANY one of the services remains bound to ANY instance of the TCP/IP protocol (i.e. TCP/IP for ANY adapter), then unsafe NetBIOS services will be available for ALL hardware adapters!

The one unfortunate exception to this advice
applies to a FEW users of the @Home network!

Some unfortunate @Home users may find that they are unable to reconnect to the Internet without the presence of Microsoft's NetBIOS. A handful of @Home's DHCP servers actually depend upon the customer's NetBIOS name leakage in order to identify the customer on their network! This is NOT true for most @Home users, but it is for some.

Since the Client for Microsoft Networks can be easily "rebound" to the TCP/IP transport used by your @Home LAN adapter, my advice is for all @Home users to first follow this advice to unbind everything. If you find that you're cut off from your network do two things: 1. Rebind just the Client for Microsoft Networks to the TCP/IP transport to re-enable Microsoft's NetBIOS protocol — and your Internet connection. Then: 2. Write an angry letter to your @Home provider complaining about their requirement for the presence of the "insecure NetBIOS for DHCP Host Name Resolution" and urge them to upgrade their equipment to use "DHCP Options" (which provides for Host Name Resolution in a much more secure fashion.)

NOTE: The exact content of your services listing will probably be different from the one shown above. It is fine if your system does not show any of the "services" lines shown above and also if it contains items not shown. There is no need to add them just to have them listed.
Bind ALL network services to at least one of the NetBEUI transport instances. Binding the network services to the NetBEUI transport protocol will keep the services from disappearing from the network components listing (in case you need to rebind them in the future) and will also prepare your system for completely safe local area network file and/or printer sharing either now or in the future.
Unbind ALL network services from any other unused transport protocols. If your system has any other transport protocols installed — like an unneeded IPX/SPX transport — you can unbind all of the services from every instance of those unneeded protocols. Since they won't be bound to anything they will quietly disappear from the components list after the next system reboot.

If you follow the three steps above to set the service bindings for each of your system's installed transports (or transport/adapter pairings) you will completely secure your system against NetBIOS information leakage and completely hide it from all passing NetBIOS service and shares scanners!



Wrapping it all up . . .

After setting the bindings for each category, be sure to press that level's "OK" button to confirm and save the new settings and return to the main Network configuration dialog. When all of the changes have been made in each category, click "OK" to close the main Network configuration dialog.

After the system restarts you will have disciplined
the system for NetBIOS-Safe Internet access!


DO IT NOW!

Verify that NetBIOS over TCP/IP is Disabled!
After re-booting your system (you should have rebooted by now) Windows normally, but not always, automatically enables and unchecks this option under all TCP/IP protocol properties.

But if it is still checked, you must uncheck it yourself! . . .


After unbinding all services from all TCP/IP transport protocol lines, then rebooting to allow those unbindings to take effect, the "I want to enable NetBIOS over TCP/IP" option on the NetBIOS tab of each TCP/IP properties dialog (as shown above) will no longer be greyed-out. And it will usually — but not always — no longer be checked.

If this option is still checked you must be sure to uncheck it for every TCP/IP transport protocol line in your Network components listing. Once that's been done, reboot your system one last time . . . and you will have secured your system's NetBIOS system and firmly closed port 139!

If you are using the very first release of Windows 95 (build 950) your TCP/IP Properties dialog will NOT have a NetBIOS tab! Nor will you be able to close port 139 by unbinding all Microsoft services! I waited until now to mention this since unbinding unneeded services is still what you want to do for security. If you want to close port 139, you can either rename the file "c:\windows\system\vnbt.386" to something else (remember what you renamed it to in case you need to renamed it back!), or use my otherwise obsolete NoShare and LetShare utilities. NoShare and LetShare also simply rename the file back and forth.

Repeat For All Other Local Machines . . .
If you have a local area network sharing resources, you will also need to install the NetBEUI transport on those other machines.

Since you will have moved your file and printer sharing from the TCP/IP transport over to NetBEUI, all other systems participating on your local area network must also have their file and printer sharing enabled for use with the NetBEUI transport. After repeating the instructions above for every machine, local communication will be securely enabled throughout your entire network.

What if it Doesn't Work?
Now I've got you all worked up and worried about your security and port 139, and you've done everything I've recommended — and checked it all twice — yet something's wrong?

Unfortunately, my ability to help you personally or directly is hampered by this site's tremendous success and traffic. We average nearly ten thousand visitors per day — so there's just no way for me to interact individually with even a fraction of all those people. I really would, if I could. But I need to be working on the next generation of really cool Internet security software that you want from me. If my days are spent answering specific questions we'll never see anything else from me.

So, I've assembled a bunch of self-help material on this site that should go a long way to helping you with odd events and empowering you to find solutions to your specific dilemmas:

What could go wrong? Perhaps, despite unbinding everything as described above, for some reason your port 139 is still showing as "wide open" and you're worried. Or, perhaps the "unbinding" of something has had some unexpected side-effect on your system or its Internet connectivity. The most useful bits of advice I have are:
You must first and foremost be absolutely certain that this ShieldsUP! site is really testing your computer (not some other machine on the Internet).

Windows 9x users can do this by checking their machine's current IP address with Windows' built-in (but little known) "WinIPcfg" utility. While you're online and connected to the Internet, enter its name into the "Run..." field under your system's Start menu. It will instantly show your machine's IP address. Make sure it's the same as what ShieldsUP! is showing you. If the ShieldsUP! page shows a different address, or for another solution. . .

Note that if your network is "behind" one of the increasingly popular small office and home residential "NAT" routers the address shown by the Windows WinIPcfg utility will NOT be your network's public address on the Internet but rather the private IP address that was automatically assigned to your computer by the router. This is normal and expected behavior.
If your concern is that port 139 remains open:
Despite my working to be very clear, some people still don't "get it" that the only way to close port 139 is for every single service to be unbound from every single instance of TCP/IP. In other words, if ANY service is bound to ANY TCP/IP line in the Network properties . . . port 139 will remain open for business.

When you have accomplished this, the "I want to enable NetBIOS over TCP/IP" option shown below will no longer be disabled, and it can and should be unchecked for all of your TCP/IP property items:

Evil Port Monitors are "evil" specifically because they hold ports, including port 139, wide open and hoping to catch something that comes along! If you're running an Evil Port Monitor like NukeNabber (just one of the many evil ones) nothing you do will close your ports until you wake up and remove those nasty monitors! I plan to write a "blessed port monitor" before long, but until you have mine you're much better off with nothing!
Be sure to check the ShieldsUP! FAQFrequently Asked Questions page. (Page 11 of this site.) This page contains thorough treatments of the most often asked questions and common confusions associated with this web site and these instructions. It's a terrific resource that's there for you.
Read through the ShieldsUP! Discussion Forum. (Page 9 of this site.) This is the place where ShieldsUP! visitors can ask questions and get answers to questions and confusions that have not been covered anywhere else. Since many knowledgeable people are reading and replying to questions, I am able to stay focused upon the creation of new cool software, while you're able to find or get answers to your questions.
Experiment and figure it out for yourself! Really. Take matters into your own hands and see if you can't figure out what's going on. One of the reasons I've been as long-winded and "tutorial" as I have been on this site — aside from wanting to empower you with a true understanding of this aspect of networking technology — is so that you could acquire the ability to tackle odd results for yourself. I really don't know anything more than than I've shared here. And these instructions do work perfectly for the vast majority of users. So if your system is somehow different or weird in some way that prevents this from working for you, you are in a much better position to experiment and come up with the answer than I am. Give it a shot. I'll bet you'll succeed!
I sincerely hope that these resources will be useful for you. It is the best I've been able to do.

Concluding Comments
If you follow the guidelines given above — then REBOOT — your system will be secured against NetBIOS information leakage, it will finally stop advertising its presence across the Internet to every passing scanner, and Microsoft's "never meant for global networking" insecure file and printer sharing NetBIOS technology will be kept safely within your own computer and local network.

Taking intelligent and deliberate control of your computer's network bindings is the single best thing you can do for your system's Internet connection security.

The "second generation" guidelines presented above:
Completely close your system to all NetBIOS name and resource sharing leakage, and firmly shut the three NetBIOS "scanner bait" ports 137, 138, and 139.
Cost nothing to implement, other than the time taken to read and understand these pages, and do not depend upon any external software.
Present a single, uniform, solution that is likely to be appropriate for everyone to use in every situation (with the slight exception of some @Home users.)
Will not in any way disturb your current Windows or network logon procedures and will not disrupt your dial-up networking or other stored passwords.
Do not rely upon any "hacking tricks" or undocumented procedures. No warranties will be voided and no one can refuse to support your system on the grounds that you've done something "strange" to it. (You haven't.)
Can be completely and easily reversed. If you don't like any outcome of following these simple instructions, simply bind everything to everything once again and restart your computer.
Create a solid foundation for establishing a secure local area network — today or tomorrow. If you have read and understood this page and the one which precedes it, you will now have a solid understanding of the theoretical and practical aspects of network component binding.
Return CONTROL of a significant and important aspect of your personal computing experience — your computer's networking — back to YOU where it always belonged!

Although I'm a BIG fan of Personal Firewall products, as you'll see on page 7, "Personal Firewalls", the tremendous power of these straightforward "component unbinding" techniques has allowed you to disable an unwanted and unneeded capability from your system. This solution is superior to depending upon some other product or technology to "suppress" that unwanted capability. That's an important distinction in the realm of robust security.

AND, if neutering your system's networking is not possible because you do still need to share files across the Internet then full security will require the suppression of unwanted networking capabilities. The following two pages, "Evil Port Monitors" and "Personal Firewalls" detail your options and discuss pitfalls.

To continue, please see: Evil Port Monitors

You are invited to browse these pages for additional information:

1  Shields UP! Home 
5  Network Bondage 
9  Public Forum 
2  Explain this to Me! 
6  Evil Port Monitors 
10  Be Notified 
3  Am I in Danger? 
7  Personal Firewalls 
11  FAQ 
4  What Can I Do? 
8  Further Reading 
12  Site Evolution 

Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: Dec 31, 2004 at 17:09 (3,401.08 days ago)Viewed 9 times per day