2.2K Posts

April 12th, 2004 09:00

NetBEUI for file and printer sharing on my existing network, adding an XP machine requires conversion to NetBIOS over TCP/IP?

My existing network consists of a wireless router and several PC's running W95, W98, and WME configured with TCP/IP for internet access and NetBEUI for File and Printer Sharing. I've performed the binding adjustments as recommended by Steve Gibson so that File and Printer Sharing is inaccessible from the internet.

I'm adding an XP laptop, I've got it configured for internet access through the router, but I need to configure it for File and Printer Sharing. I'm wondering if I should add NetBEUI to this XP machine or must I convert all the other machines to NetBIOS to enable File and Printer Sharing? Will W95 even run NetBIOS? Must NetBIOS be configured to run over TCP/IP and security reduced to a password? These questions are not adequately addressed in the article at http://www.homenethelp.com/home-network.asp

Thanks for any insight.

GM

2.2K Posts

April 12th, 2004 20:00

Some info about file and printer sharing when adding an XP PC to an existing network with other versions of Windows.

I've found many third-party recommendations to use the NetBEUI protocol for File & Printer Sharing with Windows XP, even though this protocol is no longer supported and Microsoft recommends the NetBIOS over TCP/IP protocol for File & Printer Sharing on XP. NetBEUI for XP may be found on the XP re-installation CD or downloaded from the web. One site recommends using the W2K version of NetBEUI instead of the version on the XP CD.

As noted in my original post, I'm adding a laptop running Windows XP to an existing network consisting of several PC's running various other versions of Windows. File and Printer Sharing is already configured with the NetBEUI protocol on these other PC's, so this seems particularly convenient over the option of installing the NetBIOS over TCP/IP protocol on each of the other PC's. I intend to install NetBEUI on the XP laptop, but will do some further study to determine whether the W2K version is more desirable than the XP version.

GM

4.4K Posts

April 12th, 2004 20:00

I've performed the binding adjustments as recommended by Steve Gibson so that File and Printer Sharing is inaccessible from the internet.

Since all the machines are behind the wireless router (they are, aren't they?), the various ports involved with Windows Networking (File and Printer Sharing) are already inaccessible from the Internet unless you specifically open the ports on the router. As you know, NetBEUI is not really supported on XP, but is available.

So, rather than installing NetBEUI on the XP system, I'd uninstall it from the rest of the machines and enable NetBIOS over TCP. NetBIOS is presently running over NetBEUI on the rest of the systems. NetBIOS over TCP is supported on all the platforms you listed. Here's an article explaining how to enable NetBIOS over TCP on Win95, Win98, and NT.

Your comment about password-based security would be correct if the machines were directly connected to the Internet. But since they're all behind the wireless router, the only device that's directly connected to the Internet is the router itself.

You'll need to allow Windows Networking traffic to your LAN through the XP firewall. I don't think the XP firewall supports the notion of "trusted networks". Other products, such as ZoneAlarm, support that concept as well as the ability to block unwanted/unexpected traffic to the Internet. This PCWorld article discusses several of the available personal firewall products, and some of the ideas associated with personal firewalls.

(edit) Your mention of Steve Gibson reminded me of his analysis of "Universal Plug and Play" (UPnP) issues. Here's an article from UpdateXP.com that provides a more balanced analysis, but which reaches the same conclusion. Since there are now routers available that support UPnP, I think this is an issue that deserves more attention when analyzing the security of home networks.

Jim

Message Edited by jimw on 04-12-2004 02:36 PM

Message Edited by jimw on 04-12-2004 07:12 PM

4.4K Posts

April 13th, 2004 01:00

Yes, my PC's are all behind a wireless router. I'm not educated enough to know how to open a port on the router, or what software might be capable of doing that without me realizing it.

That's why I wanted you to note the "features" of UPnP. The link's correct now, thanks to you!

Wireless security is a topic unto itself. Keep in mind that without the most recent wireless security features installed on all the clients and the router, you may be vulnerable to unwanted wireless "visitors".

There's also the possible scenario where my router fails, and in the midst of troubleshooting I bypass it and connect directly to the DSL modem. I'm fairly ignorant (references available upon request), so I leave it connected like that while I browse the web and shop for a replacement router. That reminds me, I'd better go make sure I've got all my shared files set to read-only!

In fact, some DSL providers will ask you to do that while troubleshooting. But when you make the connection, you'll be getting a new IP address, on the DSL provider's network. If you have something like ZoneAlarm installed, you can limit the trust placed in that network, as well as the rest of the Internet.

Jim

2.2K Posts

April 13th, 2004 01:00

Thanks for the perspective, jimw!

Yes, my PC's are all behind a wireless router. I'm not educated enough to know how to open a port on the router, or what software might be capable of doing that without me realizing it.

There's also the possible scenario where my router fails, and in the midst of troubleshooting I bypass it and connect directly to the DSL modem. I'm fairly ignorant (references available upon request), so I leave it connected like that while I browse the web and shop for a replacement router. That reminds me, I'd better go make sure I've got all my shared files set to read-only!

GM

P.S. - The third link (UpdateXP.com) on your post takes me back to the PCWorld article.

2.2K Posts

April 13th, 2004 06:00

I recently finished downloading and installing some 46 Windows Critical Security updates for this XP machine. I haven't yet checked whether the UnPnP patch was included among them. I did run Gibson's UnPlug n' Pray utility, but it looks like I should go in and manually turn off the SSDP Discovery Service too. Thanks for the link.

My point in the previous post was that a new user such as myself may not immediately comprehend the implications of bypassing a NAT router, particularly with a previously developed and hazy understanding of NetBIOS over NetBEUI unbound to TCP/IP. The links provided and this discussion have helped. I hadn't realized that ZoneAlarm had any impact on File & Printer Sharing until you mentioned it and I looked. Sure enough, my internet zone slider is set on high and it says no sharing is allowed in that zone. This blocks File & Printer Sharing even with NetBIOS over TCP/IP? If so, then my normal firewall settings are valid for NetBIOS over TCP/IP whether I'm behind a NAT router or connected directly to a broadband modem? I certainly hadn't realized that.

I've yet to comprehend the advantage that NetBIOS over TCP/IP offers to replace NetBIOS over NetBEUI, but the disadvantages I had presumed have been somewhat mitigated. I understand a little bit more than I did this morning. Thanks.

GM

4.4K Posts

April 14th, 2004 00:00

My point in the previous post was that a new user such as myself may not immediately comprehend the implications of bypassing a NAT router, particularly with a previously developed and hazy understanding of NetBIOS over NetBEUI unbound to TCP/IP.

That's a serious problem. Microsoft has finally become aware of the issues associated with shipping network-ready operating systems in a state that's insecure by default. Their previous concern has been making it easy for users to set up small networks, and connect them easily to the Internet. Fortunately, that seems to be changing. But if you obtain a copy of Windows XP today, and attempt to install all the critical updates over an unprotected Internet connection, the chances are very good that the machine will be attacked and crashed by the "Blaster" worm or one of its variants - while you're trying to download the fix that eliminates the vulnerability that "Blaster" exploits.

I think one of the implications of the changes Microsoft is making is that connecting a home PC or network to the Internet isn't going to be quite as "easy" as it has been. People have never had any trouble understanding door locks and their use. With the increasing availability of fast Internet connections, firewalls should be understood as the equivalent of door locks. So there's an educational process involved, as well as a change in the security stance of the products that are being shipped.

This blocks File & Printer Sharing even with NetBIOS over TCP/IP?

Yes. Blocking NetBIOS over TCP by an IP firewall device implies not allowing traffic to/from certain IP ports to traverse the firewall.

If so, then my normal firewall settings are valid for NetBIOS over TCP/IP whether I'm behind a NAT router or connected directly to a broadband modem? I certainly hadn't realized that.

Yes. Typically, though, the security settings in a personal software firewall like ZoneAlarm are different for traffic to/from the Internet and traffic to/from other machines on the same LAN as the machine the firewall's operating on.

Here are sections of a longer discussion of NetBIOS and NetBEUI that you may find interesting. The first one describes some of the history associated with NetBIOS/NetBEUI. As you'll see, they've been around for a long time. The second discusses encapsulation of NetBIOS packets. It includes discussion of IP and IPX encapsulation. Note that there are standards documents (RFCs) associated with these encapsulations. The de facto standard for NetBEUI is an IBM document, referenced in the first link.

Another thing you'll notice from the first link is that the common use of the terms NetBIOS and NetBEUI is very imprecise. That's part of the confusion surrounding any discussion of their use in Windows.

I've yet to comprehend the advantage that NetBIOS over TCP/IP offers to replace NetBIOS over NetBEUI, but the disadvantages I had presumed have been somewhat mitigated. I understand a little bit more than I did this morning.

The principal technical issue with NetBEUI is lack of scalability, since the traffic cannot be routed. That's obviously not an issue on a very small LAN. The other issue is the fact that support for NetBEUI has become almost non-existent by Microsoft.

The advantage cited by Gibson is that since NetBEUI is inherently unrouteable, unlike TCP/IP or IPX, it is inherently "safer". That depends on what you're protecting. If, for example, a program arrives through an EMAIL message and is executed, it could do a great deal of damage to a network employing NetBIOS over NetBEUI simply by using the NetBIOS "applications programming interface" (API). Without doubt, NetBEUI and IPX traffic will never be observed on the Internet, since it's fundamentally an IP network. Properly installed firewalls can prevent IP traffic transporting NetBIOS packets from entering or leaving a LAN. What a firewall can't do is prevent execution of a malicious mail attachment. If a system's antivirus software detects the attachment as malicious, the threat will stop there. The only real defense is an educated user who understands the security implications of various kinds of network connections, and what steps can be taken to mitigate or eliminate those threats.

Jim

Message Edited by jimw on 04-13-2004 06:22 PM
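
The trusted-zone behaviour discussed in the reply above (sharing allowed between LAN machines, blocked to and from everything else, including the provider's network when the router is bypassed) can be sketched as follows. This is an added example, not part of the thread and not any firewall product's code; the port numbers are the standard ones for NetBIOS over TCP/IP and direct-hosted SMB, which the thread does not list, and the addresses, subnet and function names are constructed for illustration.

```python
import ipaddress

# Ports that carry Windows file and printer sharing over IP
# (standard assignments; not listed in the thread itself).
SHARING_PORTS = {
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session service",
    ("tcp", 445): "SMB direct-hosted (Windows 2000/XP)",
}

def decide(flow, trusted_net):
    """Return (verdict, service) for one flow under a trusted-zone policy.

    Sharing traffic is allowed only when BOTH endpoints sit inside the
    trusted subnet; anything else on a sharing port is blocked.
    Non-sharing traffic is left to the firewall's other rules.
    """
    proto, src, dst, dport = flow
    service = SHARING_PORTS.get((proto, dport))
    if service is None:
        return ("other-rules", None)
    net = ipaddress.ip_network(trusted_net)
    inside = all(ipaddress.ip_address(a) in net for a in (src, dst))
    return ("allow" if inside else "block", service)

# Constructed sample flows: (protocol, source, destination, destination port).
FLOWS = [
    ("tcp", "192.168.1.20", "192.168.1.10", 139),   # LAN peer opening a share
    ("udp", "192.168.1.20", "192.168.1.255", 137),  # LAN name-service broadcast
    ("tcp", "203.0.113.77", "192.168.1.10", 139),   # outside host reaching a share
    ("tcp", "198.51.100.9", "198.51.100.45", 445),  # router bypassed: PC now holds
                                                    # a provider-network address
    ("tcp", "192.168.1.10", "203.0.113.5", 80),     # ordinary web browsing
]

def evaluate(flows, trusted_net="192.168.1.0/24"):
    """Verdicts for a list of flows against one trusted subnet."""
    return [decide(f, trusted_net)[0] for f in flows]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, "->", decide(f, "192.168.1.0/24"))
```

The fourth flow is the router-bypass case from the thread: because the PC's new address is outside the trusted subnet, sharing is blocked without any rule change.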
