Step 4. Protocols


By preventing the use of unnecessary protocols, you reduce the potential for attack. The .NET Framework provides granular control of protocols through settings in the Machine.config file. For example, you can control whether your Web Services can use HTTP GET, POST or SOAP. For more information about configuring protocols in Machine.config, see "Step 16. Machine.config."

During this step, you:

  • Disable or secure WebDAV.

  • Harden the TCP/IP stack.

  • Disable NetBIOS and SMB.

Disable or Secure WebDAV

IIS supports the WebDAV protocol, which is a standard extension to HTTP 1.1 for collaborative content publication. Disable this protocol on production servers if it is not used.

Note  

IISLockdown provides an option to remove support for WebDAV.

WebDAV is preferable to FTP from a security perspective, but you need to secure WebDAV. For more information, see Microsoft Knowledge Base article 323470, "How To: Create a Secure WebDAV Publishing Directory."

If you do not need WebDAV, see Microsoft Knowledge Base article 241520, "How To: Disable WebDAV for IIS 5.0."

Harden the TCP/IP Stack

Windows 2000 supports the granular control of many parameters that configure its TCP/IP implementation. Some of the default settings are configured to provide server availability and other specific features.

For information about how to harden the TCP/IP stack, see "How To: Harden the TCP/IP Stack" in the "How To" section of this guide.

Disable NetBIOS and SMB

Disable all unnecessary protocols, including NetBIOS and SMB. Web servers do not require NetBIOS or SMB on their Internet-facing network interface cards (NICs). Disable these protocols to counter the threat of host enumeration.

Note  

The SMB protocol can return rich information about a computer to unauthenticated users over a null session. You can block null sessions by setting the RestrictAnonymous registry key as described in "Step 9. Registry."

Disabling NetBIOS

NetBIOS uses the following ports:

  • TCP and User Datagram Protocol (UDP) port 137 (NetBIOS name service)

  • TCP and UDP port 138 (NetBIOS datagram service)

  • TCP and UDP port 139 (NetBIOS session service)

Disabling NetBIOS is not sufficient to prevent SMB communication because if a standard NetBIOS port is unavailable, SMB uses TCP port 445. (This port is referred to as the SMB Direct Host.) As a result, you must take steps to disable NetBIOS and SMB separately.

Task: To disable NetBIOS over TCP/IP

Note  

This procedure disables the Nbt.sys driver and requires that you restart the system.

  1. Right-click My Computer on the desktop, and click Manage.

  2. Expand System Tools, and select Device Manager.

  3. Right-click Device Manager, point to View, and click Show hidden devices.

  4. Expand Non-Plug and Play Drivers.

  5. Right-click NetBios over Tcpip, and click Disable.

    This disables the NetBIOS direct host listener on TCP 445 and UDP 445.

Disabling SMB

SMB uses the following ports:

  • TCP port 139

  • TCP port 445

To disable SMB, use the TCP/IP properties dialog box in your Local Area Connection properties to unbind SMB from the Internet-facing port.

Task: To unbind SMB from the Internet-facing port

  1. Click the Start menu, point to Settings, and click Network and Dial-up Connections.

  2. Right-click your Internet-facing connection, and click Properties.

  3. Clear the Client for Microsoft Networks box.

  4. Clear the File and Printer Sharing for Microsoft Networks box.

    Note

    The WINS tab of the Advanced TCP/IP Settings dialog box contains a Disable NetBIOS over TCP/IP radio button. Selecting this option disables the NetBIOS session service that uses TCP port 139. It does not disable SMB completely. To do so, use the procedure above.
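After completing both procedures, you should confirm that none of the listeners named in this step remain on the Internet-facing interface. The following Python script is an added example, not part of the guide: it parses a `netstat -an` listing (a constructed sample is embedded) and reports any NetBIOS or SMB port still open, calling out the case the guide warns about, where NetBIOS is disabled but SMB still answers on TCP 445.

```python
"""Audit a Windows `netstat -an` listing for the NetBIOS and SMB listeners
that Step 4 says an Internet-facing web server should not expose."""
import re

# Ports named in the guide: the three NetBIOS services and the SMB direct
# host listener that SMB falls back to when NetBIOS is unavailable.
NETBIOS_PORTS = {
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service",
}
SMB_DIRECT_PORT = ("TCP", 445)

# Constructed sample output: NetBIOS over TCP/IP has been disabled, but SMB
# was never unbound from the NIC, so the direct host listener is still up.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            10.0.0.77:1044         ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# proto, local address, local port, foreign address, optional state column
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def listeners(netstat_output):
    """Return {(proto, port): local_address} for every TCP socket in the
    LISTENING state and every bound UDP socket (UDP rows have no state)."""
    found = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or unrelated text
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        found[(proto, port)] = addr
    return found


def audit(netstat_output):
    """Return one finding per remaining NetBIOS/SMB listener; [] means clean."""
    open_ports = listeners(netstat_output)
    findings = []
    for (proto, port), service in NETBIOS_PORTS.items():
        if (proto, port) in open_ports:
            findings.append(f"{proto} {port} ({service}) listening on {open_ports[(proto, port)]}")
    if SMB_DIRECT_PORT in open_ports:
        msg = f"TCP 445 (SMB direct host) listening on {open_ports[SMB_DIRECT_PORT]}"
        if not any(k in open_ports for k in NETBIOS_PORTS):
            msg += "; NetBIOS is disabled but SMB has not been unbound from the NIC"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT) or ["no NetBIOS or SMB listeners found"]:
        print(finding)
```

On a real host, pipe the live output in (`netstat -an | python audit.py` with the script reading `sys.stdin`) and treat any finding as an incomplete Step 4.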

Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613