Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation
Network Discipline for Windows NT4

As we saw on the previous page, Microsoft's default binding of "everything to everything" results in very insecure networking. Once we take control of the (very few) bindings which are actually needed, the security of any Windows system can be greatly enhanced. This page provides detailed directions to help you do exactly that for Windows NT.

Changing these bindings does not delete or remove anything from your system, so you'll be able to undo any changes you make and update your network bindings at any time in the future if your needs ever change.

Please note that the instructions on this page only apply to Windows NT. The "Network Discipline for Windows 9x" page contains instructions specific to Windows 95 and 98.

What follows . . .
This page is intended for NT users and presumes familiarity with the ins and outs of the computer, the user interface, and network components. It does not skip over any important details, nor does it skimp on explanation, but neither is it as deeply tutorial as the Windows 9x page.

Feeling Impatient?  

If you're a Windows NT jock, I wouldn't want to slow you down. So here's a picture which simply and completely expresses the goals of this page.

If this is all you need, go to it tiger!. . .


The "dummy" MS Loopback Adapter is installed and configured to give the insecure WINS Client(TCP/IP) transport protocol something to bind to other than our real network LAN adapter.
The NetBEUI transport protocol is (optionally) installed to enable safe local area networking today or tomorrow. (You could also choose IPX/SPX if networked gaming is your thing.)
The WINS Client(TCP/IP) transport is unbound (disabled) from our real LAN adapter and the dummy MS Loopback Adapter is disabled from our active NetBEUI and TCP/IP transport protocols.
If you have a local area network with shared file and/or printer resources, repeat these procedures for all other machines on the network.

That's all there is to it!

If you plan to follow the detailed step-by-step instructions below, the "for Windows NT jocks only" summary above will give you a useful overview of the four steps that follow.

The reconfiguration procedures will require a reboot of Windows NT (big surprise). So, you should prepare for this first by saving all unsaved data and closing any programs that are not currently in use.

Our Windows NT network reconfiguration work will be accomplished through the Network configuration dialog box. The detail below provides instructions for opening and displaying the Network configuration dialog box:

To open the Network configuration dialog box. . .
First open the Windows Control Panel (from the Start button choose "Settings" then "Control Panel"). Then open the Network configuration dialog box by double clicking on the Control Panel's "Network" icon (see the icon above/left). You should be presented with a dialog box similar to the one shown above.

When you are asked to reboot your computer, this dialog box will be closed. Please reopen it after your system has finished restarting.

Install the MS Loopback Adapter
Under Windows NT, the "NetBIOS over TCP/IP" functionality is provided by a single transport protocol service known as the "WINS Client(TCP/IP)" — hereafter shortened to "WINS Client." If this service is disabled and prevented from running, a handful of related services fail to operate. The result is a mess of startup error messages, event log postings, and a system that just doesn't run right.

Since the WINS Client must therefore run and be "bound to" some adapter, we have two choices:
If the Windows NT system already has an available adapter that does not connect to the Internet, the WINS Client transport may be safely bound to it instead of to the dummy "MS Loopback Adapter." You may immediately skip to step #2.
If the system has only one adapter, or if all of the system's available adapters have occasion to come into contact with the Internet, the "dummy" MS Loopback Adapter can be installed to give the WINS Client an adapter that's completely "off the Net" for it to hang onto.
If you have decided that you do need a "dummy" adapter onto which you can park the unwanted TCP/IP WINS Client, the following instructions will guide you through the process of installing and configuring the dummy MS Loopback Adapter . . .


Installing & Configuring the MS Loopback Adapter

With the Network configuration dialog open (see "To open the Network configuration dialog box" above if it's not already open) select the "Adapters" tab by clicking it with the mouse.
Click the "Add..." button to begin adding another adapter.

After a slight delay while the adapter list is being built, you will be presented with the following selection dialog:
With the selection highlight inside the listing, press the keyboard "M" key followed by the "S" key in rapid succession. This should instantly scroll the listing to the first line beginning with "MS", which should be the line shown in the image above "MS Loopback Adapter".
If this line is not selected as shown in the example above, manually scroll the listing to this line then click the mouse on it once so it is selected.
With "MS Loopback Adapter" highlighted, click the "OK" button to confirm the selection and dismiss the selection dialog.

You will be presented with the following "MS Loopback Adapter Card Setup" dialog:
The default frame type of 802.3 is correct, so simply click this dialog's "OK" button to accept and dismiss the dialog.
Windows NT will then want to read the MS Loopback Adapter driver from the original Windows NT CD-ROM. Direct it to the proper location for the Windows setup files and press "OK" to begin reading and dismiss the dialog:
After the driver has been read you will be returned to the Adapters tab of the Network configuration dialog with the newly loaded MS Loopback Adapter installed and appearing in the adapter listing:
Even though we have more work to do in this dialog box, a bug in NT's binding management for newly installed adapters requires us to immediately accept and dismiss the Network configuration dialog to force NT to process and save this new adapter's bindings.

Once this is done, the Microsoft TCP/IP Properties dialog will be displayed because the new adapter will have blank TCP/IP properties:
As shown in the image above, first select the MS Loopback Adapter in the "Adapter" selection box, then fill-in the adapter's IP Address as [10.0.0.1] and Subnet Mask as [255.0.0.0] exactly as shown above. Leave the Default Gateway field blank.
Click "OK" to dismiss the TCP/IP Properties dialog, then "No" in answer to the question about restarting Windows NT at this time. NT does not need to be restarted before we can proceed.

The MS Loopback Adapter is
now successfully installed.

Since the Network configuration dialog box was closed, it must now be re-opened before we can proceed. Do so now . . .

(Probably) Install the NetBEUI Transport
You'll find that Windows file and printer sharing (NetBIOS) runs discernibly faster and "smoother" over the NetBEUI protocol than it did over TCP/IP. For example, newly created resource shares and computers appear and disappear more quickly and solidly. Thus, switching the NetBIOS transport from TCP/IP to NetBEUI has the side benefit of improving the resource sharing performance of your entire local area network!

Even so, You would NOT need to install the NetBEUI transport . . .
If you have a single machine that does not participate on a local area network. You only need to install the NetBEUI transport to provide a safe conduit for NetBIOS file and printer sharing. But you don't need NetBIOS or file and printer sharing if your computer stands alone.
If the NetBEUI transport protocol is already installed in your system. The "Protocols" tab on the Network configuration dialog lists the protocols currently installed in your system. If NetBEUI is already listed then you wouldn't need to install it again.
If you have a "multi-adapter" system with multiple network interfaces where the interfaces over which you want to share files never touches the Internet. In this case, you could simply disable the WINS Client on those adapters which do have contact with the Internet, and leave it enabled for NetBIOS file sharing over your other, safe, interfaces.
A Special Note for Network Gamers

Many real-time local area network based games pre-date the Internet's IP protocol and have traditionally required the use of the IPX/SPX transport for inter-game communication. If you are currently using networked games over the IPX/SPX transport, or if you plan to in the future, you can — and probably should — substitute the IPX/SPX protocol for NetBEUI throughout this entire discussion. You will need IPX/SPX for your gaming and it can be seamlessly substituted for NetBEUI with little impact to your system's security.


Installing the NetBEUI Transport Protocol

With the Network configuration dialog open (see "To open the Network configuration dialog box" above if it's not already open) select the "Protocols" tab by clicking it with the mouse.
Confirm that NetBEUI is not already listed as an installed protocol, then click the "Add..." button to begin adding another protocol.

After a slight delay while the protocol list is being built, you will be presented with the following selection dialog:
Click the mouse on the "NetBEUI Protocol" line to select and highlight it, then click "OK" to confirm the installation and dismiss the protocol selection dialog.
Windows NT will then want to read the NetBEUI protocol driver from the original Windows NT CD-ROM. Direct it to the proper location for the Windows setup files and press "OK" to begin reading and dismiss the dialog:
After the NetBEUI protocol driver has been read you will be returned to the Protocols tab of the Network configuration dialog with the newly installed NetBEUI appearing in the protocols listing:
If you'd like to see that even Microsoft knows that what we're doing here is correct (even through they didn't care enough to do it for us) simply click once on each of the protocols listed — specifically TCP/IP and NetBEUI — and read the corresponding description appearing below the list!
Click "OK" to dismiss the TCP/IP Properties dialog, then "No" in answer to the question about restarting Windows NT at this time. NT does not need to be restarted before we can proceed.

The NetBEUI Transport Protocol
is now successfully installed.

Since the Network configuration dialog box was closed, it must now be re-opened before we can proceed. Do so now . . .

Enable and Disable Adapter-to-Protocol Bindings
At this point, by hook or by crook, we will have created or confirmed the availability of the following network resources:
A "safe" adapter to which the dangerous WINS Client transport protocol can be bound in order to keep it alive but out of harms way.

In most cases this will be the dummy "MS Loopback Adapter" which apparently exists to satisfy exactly this need. The alternative would occur in multiple-adapter systems where the WINS Client transport protocol can be bound to an adapter which never touches the Internet.
A safe, non-routable, local area transport protocol that can be used for local NetBIOS file and printer sharing.

In most cases this will be the NetBEUI transport which was designed from the beginning to carry NetBIOS traffic across small local networks. The alternative would occur in stand alone systems without any need to locally share files with other computers or in networked systems where the IPX/SPX transport is already in use.
Given those resources, we are now ready to perform the final step of network reconfiguration . . .

Let's begin by again opening the Network configuration dialog. If it's not open see "To open the Network configuration dialog box" at the top of this page. Perform the following steps to configure dialog box's display as shown below:

Switch to the Bindings view by clicking the mouse on the "Bindings" tab.
Set "Show Bindings for:" to "all protocols" by clicking the down-arrow to open the drop-down listbox and clicking on "all protocols." This establishes a "protocol-centric" view of the network device bindings.
Click on every displayed [+] plus sign to open the outline view and display the adapters currently bound to each displayed protocol.
Except for the red cross-out circles (which you almost certainly won't have yet) your display should closely resemble the one shown below:

We're now ready to selectively bind and unbind the Adapter-Protocol pairings to deliberately configure the network's operation:


Disabling the WINS Client(TCP/IP) over our Internet-Using Adapters

To unbind the unsafe NetBIOS and firmly close the NetBIOS ports 137, 138, and 139 on all adapters carrying Internet traffic, simply click on each adapter listed underneath the "WINS Client(TCP/IP)" line to select it, then click either the Enable or Disable to set the binding appropriately.

The WINS Client must remain bound to (enabled) on at least one adapter so that it starts up at system boot. So be sure to leave at least one adapter enabled underneath the WINS Client. (Probably the MS Loopback Adapter if it is now installed.)

In the typical case shown in the image above, the WINS Client has been disabled on the system's actual LAN adapter, the "Novell NE2000 Adapter" to prevent its use and it has been left bound to (enabled) the dummy "MS Loopback Adapter" that we installed for exactly this purpose.

If your system is more complex, with multiple adapters interconnecting multiple networks, you probably have all the information you need now to intelligently and deliberately bind and unbind the WINS Client where necessary.


Disabling the Dummy "MS Loopback Adapter" Wherever else it Appears.

Since we only want the WINS Client to use the dummy "MS Loopback Adapter", it is prudent to unbind (disable) its use for all other transports in the system. You can see that this was done in the sample above.

Simply select other instances of the "MS Loopback Adapter" and click the Disable button to label it with a red cross-out symbol.



Wrapping it all up . . .

After deliberately enabling and disabling the bindings for each adapter/protocol pair, press the "OK" button to confirm the changes and dismiss the Network configuration dialog for the last time.


When you are presented with the question about restarting NT, this time answer "Yes" since all the work is done and you've just reconfigured your NT system for safe, closed-NetBIOS operation over the Internet!

After the system restarts you will have disciplined
the system for NetBIOS-Safe Internet access!


DO IT NOW!

Since the Windows NT 4.0 CD is growing pretty old, don't forget to reapply whatever NT Service Pack you are running on your system. This will replace any newly installed, but obsoleted, components which you might have just loaded into your system.

Repeat For All Other Local Machines . . .
If you have a local area network sharing resources, you will also need to install the NetBEUI transport (or whatever you used for this system) on those other machines so they can all communicate using the same local area network transport protocol.

Since you will have moved your file and printer sharing from the TCP/IP transport over to NetBEUI, all other systems participating on your local area network must also have their file and printer sharing enabled for use with the NetBEUI transport. After repeating the instructions above for every machine, local communication will be securely enabled throughout your entire network.

What if it Doesn't Work?
Now I've got you all worked up and worried about your security and port 139, and you've done everything I've recommended — and checked it all twice — yet something's wrong?

Unfortunately, my ability to help you personally or directly is hampered by this site's tremendous success and traffic. We average nearly ten thousand visitors per day — so there's just no way for me to interact individually with even a fraction of all those people. I really would, if I could. But I need to be working on the next generation of really cool Internet security software that you want from me. If my days are spent answering specific questions we'll never see anything else from me.

So, I've assembled a bunch of self-help material on this site that should go a long way to helping you with odd events and empowering you to find solutions to your specific dilemmas:

What could go wrong? Perhaps, despite unbinding everything as described above, for some reason your port 139 is still showing as "wide open" and you're worried. Or, perhaps the "unbinding" of something has had some unexpected side-effect on your system or its Internet connectivity. The most useful bits of advice I have are:
You must first and foremost be absolutely certain that this ShieldsUP! site is really testing your computer (not some other machine on the Internet).

Windows NT/2000/XP users can do this by checking their machine's current IP address with Windows' built-in (but little known) "IPCONFIG" utility. While you're online and connected to the Internet, open a system command prompt window then enter the command "ipconfig" and press enter. Your local computer's current Internet Protocol (IP) address will be displayed. Verify that it's the same as what ShieldsUP! is showing you. If the ShieldsUP! page shows a different address, or for another solution. . .

Note that if your network is "behind" one of the increasingly popular small office and home residential "NAT" routers the address shown by the Windows WinIPcfg utility will NOT be your network's public address on the Internet but rather the private IP address that was automatically assigned to your computer by the router. This is normal and expected behavior.
Evil Port Monitors are "evil" specifically because they hold ports, including port 139, wide open and hoping to catch something that comes along! If you're running an Evil Port Monitor like NukeNabber (just one of the many evil ones) nothing you do will close your ports until you wake up and remove those nasty monitors! I plan to write a "blessed port monitor" before long, but until you have mine you're much better off with nothing!
Be sure to check the ShieldsUP! FAQFrequently Asked Questions page. (Page 11 of this site.) This page contains thorough treatments of the most often asked questions and common confusions associated with this web site and these instructions. It's a terrific resource that's there for you.
Read through the ShieldsUP! Discussion Forum. (Page 9 of this site.) This is the place where ShieldsUP! visitors can ask questions and get answers to questions and confusions that have not been covered anywhere else. Since many knowledgeable people are reading and replying to questions, I am able to stay focused upon the creation of new cool software, while you're able to find or get answers to your questions.
Experiment and figure it out for yourself! Really. Take matters into your own hands and see if you can't figure out what's going on. One of the reasons I've been as long-winded and "tutorial" as I have been on this site — aside from wanting to empower you with a true understanding of this aspect of networking technology — is so that you could acquire the ability to tackle odd results for yourself. I really don't know anything more than than I've shared here. And these instructions do work perfectly for the vast majority of users. So if your system is somehow different or weird in some way that prevents this from working for you, you are in a much better position to experiment and come up with the answer than I am. Give it a shot. I'll bet you'll succeed!
I sincerely hope that these resources will be useful for you. It is the best I've been able to do.

Concluding Comments
If you follow the guidelines given above — then REBOOT — your system will be secured against NetBIOS information leakage, it will finally stop advertising its presence across the Internet to every passing scanner, and Microsoft's "never meant for global networking" insecure file and printer sharing NetBIOS technology will be kept safely within your own computer and local network.

Taking intelligent and deliberate control of your computer's network bindings is the single best thing you can do for your system's Internet connection security.

The "second generation" guidelines presented above:
Completely close your system to all NetBIOS name and resource sharing leakage, and firmly shut the three NetBIOS "scanner bait" ports 137, 138, and 139.
Cost nothing to implement, other than the time taken to read and understand these pages, and do not depend upon any external software.
Present a single, uniform, solution that is likely to be appropriate for everyone to use in every situation (with the slight exception of some @Home users.)
Will not in any way disturb your current Windows or network logon procedures and will not disrupt your dial-up networking or other stored passwords.
Do not rely upon any "hacking tricks" or undocumented procedures. No warranties will be voided and no one can refuse to support your system on the grounds that you've done something "strange" to it. (You haven't.)
Can be completely and easily reversed. If you don't like any outcome of following these simple instructions, simply bind everything to everything once again and restart your computer.
Create a solid foundation for establishing a secure local area network — today or tomorrow. If you have read and understood this page and the one which precedes it, you will now have a solid understanding of the theoretical and practical aspects of network component binding.
Return CONTROL of a significant and important aspect of your personal computing experience — your computer's networking — back to YOU where it always belonged!

Although I'm a BIG fan of Personal Firewall products, as you'll see on page 7, "Personal Firewalls" two pages from now, the tremendous power of these straightforward "component unbinding" techniques has allowed you to disable an unwanted and unneeded capability from your system. This solution is superior to depending upon some other product or technology to "suppress" that unwanted capability. That's an important distinction in the realm of robust security.

AND, if neutering your system's networking is not possible because you do still need to share files across the Internet then full security will require the suppression of unwanted networking capabilities. The following two pages, "Evil Port Monitors" and "Personal Firewalls" detail your options and discuss pitfalls.

To continue, please see: Evil Port Monitors

You are invited to browse these pages for additional information:

1  Shields UP! Home 
5  Network Bondage 
9  Public Forum 
2  Explain this to Me! 
6  Evil Port Monitors 
10  Be Notified 
3  Am I in Danger? 
7  Personal Firewalls 
11  FAQ 
4  What Can I Do? 
8  Further Reading 
12  Site Evolution 

Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: Dec 31, 2004 at 17:15 (4,500.49 days ago)Viewed 8 times per day