Is it possible to disable NETBIOS and still allow NTLM and Kerberos authentication?



Is it possible to disable NETBIOS and still allow NTLM and Kerberos authentication? Brad Baker
2/24/2008 11:46:23 PM
We've been informed by a security auditor that we need to disable NETBIOS on
our network. That seems simple enough to do, but we are concerned that doing
so may affect NTLM authentication which we use for several web-based
applications (as well as Kerberos). Does NTLM or Kerberos utilize NETBIOS?

Thanks
Brad

Re: Is it possible to disable NETBIOS and still allow NTLM and Kerberos authentication? Roger Abell [MVP]
2/25/2008 3:50:47 AM
Disabling NetBT (Netbios/tcp) will not impact authentication,
nor fileshares, nor domain membership (gpo application, etc.)
and short hostnames (e.g. \\server, http://server) will fly if your
naming and DNS are aligned.
I have yet to have such auditors explain to me just what they are
thinking the recommendation/mandate solves/avoids. Pretty much
all Netbios activity can/will continue without NetBT if DNS and
AD (i.e. ldap) can support name resolution / host location services.

Roger


RE: Is it possible to disable NETBIOS and still allow NTLM and Kerberos authentication? wjzhang@online.microsoft.com
2/25/2008 9:57:57 AM
Hi Brad,

I think what you mentioned is the NetBIOS over TCP/IP options in TCP/IP
advanced setting of a network adapter.

Disabling NetBIOS over TCP/IP on the IIS server will not affect integrated
authentication, i.e., NTLM and Kerberos. The only impact should be that you
can no longer use NetBIOS names to access web sites on the server locally,
e.g., http://localhost/ or http://servername/.

Please update here if you have any further questions.

Have a great week.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
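
The adapter setting named in the reply above can be checked from PowerShell; this is an added example, not part of the thread. Saved as a script, it reports each IP-enabled adapter's NetBT state, which NetBT and SMB ports are listening, and whether a short host name resolves through DNS alone. The `New-Result` helper and the `server` host name are placeholders.

```powershell
# Added example, not from the thread. Assumes PowerShell 3+ with the NetTCPIP and
# DnsClient modules (Windows 8 / Server 2012 or later); -Disable needs elevation.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Disable,               # also switch NetBT off where it is still on
    [string]$ShortName = 'server'   # placeholder short host name; use one of yours
)

# Hypothetical helper: one uniform row shape so the output formats as a single table.
function New-Result($Check, $Target, $Result) {
    [pscustomobject]@{ Check = $Check; Target = $Target; Result = $Result }
}

# 1. Per-adapter "NetBIOS over TCP/IP" option from the advanced TCP/IP settings.
$meaning = @{ 0 = 'Default (from DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }
foreach ($a in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    New-Result 'NetBT setting' $a.Description ($meaning[[int]$a.TcpipNetbiosOptions])
    if ($Disable -and $a.TcpipNetbiosOptions -ne 2 -and
        $PSCmdlet.ShouldProcess($a.Description, 'Disable NetBIOS over TCP/IP')) {
        $r = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
                              -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        # SetTcpipNetbios returns 0 on success and 1 when a reboot is required.
        $status = if ($r.ReturnValue -le 1) { 'Disabled' } else { "Failed ($($r.ReturnValue))" }
        New-Result 'NetBT change' $a.Description $status
    }
}

# 2. NetBT listeners (UDP 137/138, TCP 139) next to direct-hosted SMB (TCP 445).
$open  = @(Get-NetTCPConnection -State Listen -LocalPort 139, 445 -ErrorAction SilentlyContinue |
           ForEach-Object { "TCP $($_.LocalPort)" })
$open += @(Get-NetUDPEndpoint -LocalPort 137, 138 -ErrorAction SilentlyContinue |
           ForEach-Object { "UDP $($_.LocalPort)" })
foreach ($p in 'UDP 137', 'UDP 138', 'TCP 139', 'TCP 445') {
    New-Result 'Listening' $p ($open -contains $p)
}

# 3. Short-name lookup using DNS only, with no NetBIOS or LLMNR fallback.
$dns = Resolve-DnsName -Name $ShortName -DnsOnly -ErrorAction SilentlyContinue
$answer = if ($dns) { ($dns.IPAddress | Where-Object { $_ }) -join ', ' } else { 'No answer' }
New-Result 'DNS-only lookup' $ShortName $answer
```

Running it with `-Disable -WhatIf` lists the adapters that would be changed without touching them.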

Re: Is it possible to disable NETBIOS and still allow NTLM and Kerberos authentication? Brad Baker
2/25/2008 1:28:20 PM
Roger -

Everything you said seems to jive with what I am seeing in our lab
environment. However I do have one question.

You mentioned:
"Pretty much all Netbios activity can/will continue without NetBT if DNS and
AD (i.e. ldap) can support name resolution / host location services."

I don't know a lot about NETBIOS myself so I'm relying a lot on the auditor
to provide us with guidance - however your comments make me question how
knowledgeable our auditor really is.

Is it really even possible to disable NETBIOS entirely in a Windows network?
What additional steps would be required besides disabling NETBT?

Thanks,
Brad



Re: Is it possible to disable NETBIOS and still allow NTLM and Kerberos authentication? Ken Schaefer
2/25/2008 8:13:15 PM
Hmm - how are you proposing to disable NetBIOS?

I'm not aware of any dependency of NTLM AuthN over HTTP on NetBIOS, and
Kerberos shouldn't have any dependency on NetBIOS (not from client to KDC,
nor client to IIS).

Cheers
Ken

Re: Is it possible to disable NETBIOS and still allow NTLM and Kerberos authentication? Roger Abell [MVP]
2/26/2008 2:34:41 AM

I have the impression such is widely spread in "audit industry" beliefs,
or should that be a willingness to err into precaution due to an incomplete
perspective on a number of points.


No. Not currently; but that does also depend on what the Windows
system is supposed to be able to do. NetBios has basically 3 part
functionality. One may easily remove NetBT (NetBios over Tcp/Ip)
but think of this as removing a transport. Windows will accomplish
what NetBios parts it needs over Tcp 445 and it will accomplish the
name resolution /location service part only by DNS and/or Ldap.


Pre-req: A post-current (post-2k8) generation Exchange and Windows.


Re: Is it possible to disable NETBIOS and still allow NTLM and Kerberos authentication? wjzhang@online.microsoft.com
2/26/2008 9:37:32 AM
Hi Brad,

The topic should be out of the scope of IIS. The following article should
answer your question partially:

323357 How To Configure TCP/IP Networking While NetBIOS Is Turned Off on a
Server Running Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;323357

Have a great day.

Sincerely,

WenJun Zhang

Microsoft Online Community Support
