Chapter 18: Implementing Security for WINS Servers

A Windows Internet Name Service (WINS) server resolves NetBIOS names, both computer names and group names such as a workgroup name, to IP addresses. For example, when you log on to the network from a pre-Windows 2000 computer, the computer by default queries the WINS server configured in its TCP/IP properties to find a domain controller for network authentication.

NetBIOS names can be broken into two general categories: unique registrations and group registrations. A unique registration is registered by a single user or computer. By default, an existing unique record is not modified; it is modified only when the WINS server cannot contact the record's current owner. A group registration maps a NetBIOS name to multiple IP addresses. For example, the first 24 domain controllers in a domain register their IP addresses in the Domain[1C] group NetBIOS name.

The following are the unique-registration NetBIOS records you will generally see. Attackers can attempt to hijack these registrations by registering the NetBIOS names with the WINS server, thereby preventing the correct host or user from registering the names, or by performing a denial-of-service attack against the registered user or computer so that it cannot respond to the WINS server's verification.

  • Computer[00]

    The Workstation service registration for a computer. Enabled when the Workstation service is enabled.

  • Computer[20]

    The Server service registration for a computer.

  • Computer[03]

    The Messenger service registration for a computer account. This service allows NET SEND messages to reach the computer.

  • User[03]

    The Messenger service registration for a user account. This service allows NET SEND messages to reach the user.

  • Domain[1B]

    The domain master browser registration.

    Typically, this NetBIOS name is registered by the domain controller holding the Primary Domain Controller (PDC) Emulator role in a Microsoft Windows 2000 domain or the PDC in a Microsoft Windows NT 4.0 domain. If the PDC is unavailable, another domain controller in the domain will register the Domain[1B] registration.

For group registrations, the behavior depends on the specific group record. For example, the Domain[1C] record contains the first 24 IP addresses of domain controllers in a domain. Any additional domain controllers will simply add their IP addresses to the current list. Other group registrations might indicate only the domain or workgroup of which a computer is a member (for example, Domain[20]).
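The registration rules described above (a unique record is kept unless the WINS server cannot reach its current owner; the Domain[1C] group record accumulates up to 24 domain controller addresses) can be modelled in a few lines. This is an added example, not code from the Windows Security Resource Kit; the `WinsDatabase` class, the `owner_reachable` callback standing in for the server's name challenge, and the sample names and addresses are all assumptions made for illustration.

```python
"""Toy model of the WINS registration rules described in this chapter.

Added example, not the book's code. `owner_reachable` is a constructed
stand-in for the WINS server's challenge of a unique record's owner.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

GROUP_SUFFIXES = {0x1C}      # Domain[1C]: the domain controllers group record
MAX_1C_ADDRESSES = 24        # the first 24 DCs are listed, per the chapter


@dataclass
class WinsDatabase:
    # (NAME, suffix) -> list of registered IP addresses (one for unique records)
    records: Dict[Tuple[str, int], List[str]] = field(default_factory=dict)
    # Returns True if the current owner of a unique record answers the challenge
    owner_reachable: Callable[[str], bool] = lambda ip: True

    def register(self, name: str, suffix: int, ip: str) -> bool:
        """Apply a registration request; return True if it was accepted."""
        key = (name.upper(), suffix)
        if suffix in GROUP_SUFFIXES:
            addrs = self.records.setdefault(key, [])
            if ip in addrs:
                return True              # refresh of an address already listed
            if len(addrs) >= MAX_1C_ADDRESSES:
                return False             # list is full; no more DCs are added
            addrs.append(ip)             # group record: add, do not replace
            return True
        current = self.records.get(key)
        if current is None or current == [ip]:
            self.records[key] = [ip]     # new unique record, or owner refreshing
            return True
        if self.owner_reachable(current[0]):
            return False                 # owner answered: existing record kept
        self.records[key] = [ip]         # owner silent: the name changes hands
        return True

    def lookup(self, name: str, suffix: int) -> List[str]:
        return list(self.records.get((name.upper(), suffix), []))


if __name__ == "__main__":
    # Constructed scenario: only 10.0.0.5 answers challenges.
    db = WinsDatabase(owner_reachable=lambda ip: ip == "10.0.0.5")
    db.register("WKS1", 0x00, "10.0.0.5")
    print(db.register("WKS1", 0x00, "10.0.0.99"), db.lookup("WKS1", 0x00))
```

The second `register` call for WKS1 is refused because the legitimate owner answers; a record whose owner is unreachable would instead be replaced, which is exactly the condition the hijacking techniques above try to create.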

The Death of NetBIOS

With Windows 2000, NetBIOS is not necessarily required. In fact, you can remove NetBIOS support in the TCP/IP properties of Windows 2000 computers. Rather than connecting to a computer on the NetBIOS port (Transmission Control Protocol port 139), Windows 2000 and Microsoft Windows XP computers can implement file shares by using Common Internet File System (CIFS), an evolution of NetBIOS file sharing that does not require a NetBIOS implementation. CIFS-compliant applications connect to TCP port 445 rather than to TCP port 139.

You can remove NetBIOS support from the TCP/IP stack, thereby eliminating the need for WINS servers. Before you do so, make sure that no applications or pre-Windows 2000 computers that require NetBIOS remain.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189
