
Endpoint Security For Windows 10

By Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003. Microsoft Certified Trainer. Microsoft MVP: Directory Services. Active Directory, Exchange and Windows Infrastructure Engineer.

Do you need NetBIOS? That Depends …

Prior to Windows 2000, Microsoft operating systems could only use SMB over a NetBIOS session. This means all SMB traffic started only after a NetBIOS session was established, which relies on TCP port 139. If NetBIOS over TCP/IP was disabled, SMB connectivity was interrupted.

With Windows 2000 and higher, the OS supports both NetBIOS sessions and Direct Hosting. Windows 2000 and newer try to connect simultaneously over NetBIOS (port 139) and DirectSMB (port 445). If there is no response from the target on 445, it falls back to 139. This offers legacy support for NetBIOS-based apps. That is why, if you disable NetBIOS on a server, it will still connect to other servers, but any NetBIOS-based apps that require connectivity to that server will fail.

If you run netstat -a, you can see port 445. It may even label it as Microsoft-DS, which means Microsoft DirectSMB. I know Vista doesn't, but Windows 2003 will.
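As an added example (not code from the original post), the following Python script reads saved `netstat -an` output and reports which SMB transports a host exposes: TCP 139 (SMB over a NetBIOS session), TCP 445 (direct-hosted SMB, the Microsoft-DS listener mentioned above) and the NetBIOS UDP ports 137/138, plus which established sessions use which transport. The sample output, the IP addresses in it and the idea of feeding a saved netstat capture to the parser are constructed for the example.

```python
import re

# Ports the article discusses: 139 carries SMB over a NetBIOS session,
# 445 carries direct-hosted SMB (shown as "Microsoft-DS" by netstat -a).
SMB_PORTS = {
    139: "NetBIOS session service (SMB over NetBIOS)",
    445: "Microsoft-DS (direct-hosted SMB)",
}
# UDP ports used by NetBIOS over TCP/IP for name registration/queries and datagrams.
NBT_UDP_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram service"}

# Constructed sample of `netstat -an` output; not a capture from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49672       192.0.2.20:445         ESTABLISHED
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
"""

# One netstat row: proto, local addr:port, foreign addr[:port], optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Turn netstat -an text into a list of dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, state = m.groups()
        rows.append({"proto": proto, "local": laddr, "lport": int(lport),
                     "foreign": faddr, "state": state or ""})
    return rows


def smb_exposure(rows):
    """Summarise SMB/NetBIOS listeners and established SMB sessions so you can
    tell whether a host still depends on NetBIOS (137/138/139) or only on
    direct-hosted SMB (445)."""
    listening = {}
    sessions = []
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["lport"] in SMB_PORTS:
            listening[r["lport"]] = SMB_PORTS[r["lport"]]
        elif r["proto"] == "UDP" and r["lport"] in NBT_UDP_PORTS:
            listening[r["lport"]] = NBT_UDP_PORTS[r["lport"]]
        elif r["proto"] == "TCP" and r["state"] == "ESTABLISHED":
            fport = int(r["foreign"].rsplit(":", 1)[1])
            if fport in SMB_PORTS:
                transport = "direct-hosted SMB" if fport == 445 else "SMB over NetBIOS"
                sessions.append((r["foreign"], transport))
    netbios_in_use = any(p in listening for p in (137, 138, 139))
    return {
        "listening": listening,
        "sessions": sessions,
        "netbios_in_use": netbios_in_use,
        "direct_smb_only": 445 in listening and not netbios_in_use,
    }


if __name__ == "__main__":
    report = smb_exposure(parse_netstat(SAMPLE_NETSTAT))
    for port, desc in sorted(report["listening"].items()):
        print(f"listening {port}: {desc}")
    for peer, transport in report["sessions"]:
        print(f"session to {peer}: {transport}")
    print("NetBIOS in use:", report["netbios_in_use"])
```

Run it against real output with `netstat -an > netstat.txt` and `parse_netstat(open("netstat.txt").read())`; a host that reports `direct_smb_only` is one where disabling NetBIOS over TCP/IP has already taken effect, while 139/137/138 listeners show that legacy name services are still active.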

What’s TCP port 445 used for in Windows 2000/XP?

Quick Brief on NetBIOS and Those Noisy Broadcasts

Any machine that is NetBIOS capable (Windows, or Unix/Linux machines with NetBIOS support installed) will participate in a NetBIOS environment and with the browser service. Every NetBIOS-capable machine broadcasts its NetBIOS computer name every 60 seconds: “Hey, my computer name is Computer1, my IP address is <enterIP>, and I am offering the Workstation Service and Server Service on such and such workgroup and/or domain.”

WINS is a NetBIOS-name-to-IP database. It’s a flat database with no hierarchical structure, simply one name to one IP. It’s similar to DNS, but DNS is hierarchical (child3.child2.child1.domain.com, etc.).

When you install WINS and configure all machines to use it, the NetBIOS-aware processes and functions recognize that a WINS server is configured, and instead of broadcasting every 60 seconds, each machine simply registers its name and related services in the WINS database. Simply put, it stops yelling out its name every 60 seconds.

Without WINS, it’s like a grade school cafeteria with all the background chatter and conversation. With WINS, think of the kids in the cafeteria quietly entering their names and thoughts into a database that the other kids can read, so there is no more noise. It’s as if every kid, instead of yelling back and forth, were using Facebook on a tablet or smartphone in front of them without peeping one word.

Therefore, WINS literally quiets the network. Period. But all machines must be configured with WINS to make this happen.

When a WINS-enabled client needs to resolve a name, it first tries to resolve it by DNS (the hostname resolution process), and only if that doesn’t work does it query WINS. If WINS isn’t configured, it falls back to broadcast to find the name, and if WINS doesn’t have the name in its database, it also falls back to broadcast.

The Computer Browser service enumerates and assembles the Browse List (the network neighborhood) using broadcasts. If WINS is configured, it uses the WINS database to assemble the browse list. This is why, without WINS, the browser service can only assemble the local subnet, since NetBIOS broadcasts do not traverse subnets. WINS provides multi-subnet support for NetBIOS resolution as well as an enterprise-wide browse list, so a machine anywhere in the network can browse to a machine anywhere else, such as a machine in NY browsing to a machine in San Francisco.
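The broadcast described above (“my name is Computer1, my IP is …, I offer the Workstation Service and Server Service”) is a NetBIOS Name Service registration sent to UDP port 137, and the browser roles in the previous paragraph are announced the same way with different name suffixes. As an added example, not code from the original post, here is a Python encoder/decoder for that packet: it builds a constructed B-node NAME REGISTRATION REQUEST with the RFC 1001/1002 first-level name encoding and then parses it back into the computer name, the service suffix and the registered IP address, which is what a defender needs to turn captured port-137 traffic into an inventory of who is still talking NetBIOS. The suffix table is the Microsoft convention; the name, IP address and transaction id are made up for the example.

```python
import struct

# NetBIOS name suffix byte (16th character of the name) -> service it announces.
# RFC 1001/1002 define the encoding; the suffix meanings are Microsoft
# conventions behind "Workstation Service", "Server Service" and the browser roles.
NB_SUFFIX = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "Server Service",
}

NBNS_OPCODE = {0: "query", 5: "registration", 6: "release", 7: "WACK", 8: "refresh"}


def encode_nb_name(name, suffix):
    """First-level encoding: pad the name to 15 bytes, append the suffix byte,
    then write each byte as two nibbles, each added to ord('A')."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def decode_nb_name(encoded):
    """Reverse of encode_nb_name: returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - ord("A"), encoded[i + 1] - ord("A")
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("invalid first-level encoding")
        raw.append((hi << 4) | lo)
    return bytes(raw[:15]).decode("ascii").rstrip(" "), raw[15]


def build_registration(name, suffix, ip, txid=0x1234):
    """Build a broadcast NAME REGISTRATION REQUEST (opcode 5) as a B-node sends
    it to UDP 137. Constructed for the example; not captured traffic."""
    flags = 0x2910  # opcode 5 (registration), recursion desired, broadcast bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # QD=1, AR=1
    qname = b"\x20" + encode_nb_name(name, suffix) + b"\x00"  # 32-byte label + root
    question = qname + struct.pack("!HH", 0x0020, 0x0001)     # type NB, class IN
    nb_flags = 0x0000  # unique name, B-node owner
    rdata = struct.pack("!H4B", nb_flags, *(int(o) for o in ip.split(".")))
    # Additional record: 0xC00C is a compression pointer to the question name at offset 12
    rr = struct.pack("!HHHIH", 0xC00C, 0x0020, 0x0001, 300000, len(rdata)) + rdata
    return header + question + rr


def parse_nbns(pkt):
    """Decode the header, question name and (if present) the registered address
    from an NBNS packet. Returns a dict a detection rule or inventory can use."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    opcode = (flags >> 11) & 0x0F
    off = 12
    length = pkt[off]
    off += 1
    name, suffix = decode_nb_name(pkt[off:off + length])
    off += length + 1  # skip the encoded label and the terminating zero label
    off += 4           # QTYPE and QCLASS
    ip = None
    if ar:
        _ptr, _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", pkt[off:off + 12])
        off += 12
        _nb_flags, a, b, c, d = struct.unpack("!H4B", pkt[off:off + rdlen])
        ip = f"{a}.{b}.{c}.{d}"
    return {
        "txid": txid,
        "opcode": NBNS_OPCODE.get(opcode, f"opcode {opcode}"),
        "broadcast": bool(flags & 0x0010),
        "name": name,
        "suffix": suffix,
        "service": NB_SUFFIX.get(suffix, f"suffix 0x{suffix:02X}"),
        "ip": ip,
    }


if __name__ == "__main__":
    pkt = build_registration("COMPUTER1", 0x20, "192.0.2.10")  # constructed sample
    print(parse_nbns(pkt))
```

Feeding the UDP payloads of real port-137 captures to `parse_nbns` gives the name, suffix and address each host registers; a host that keeps registering 0x00/0x20 names by broadcast after WINS has been rolled out is one that was never pointed at the WINS server.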

Joining a machine to the domain.

Yep, you need it to join a machine.

Windows 7 or Windows Server 2008 R2 domain join displays error “Changing the Primary Domain DNS name of this computer to “” failed….”

Network and Printer Browsing

The only complaints I’ve heard are about losing network and printer browsing capabilities across subnets, since the browser service compiles the browse list from broadcasts, but broadcasts do not traverse routers, to reduce excessive traffic across WAN links. However, I can’t substantiate the complaints, since all small to medium sized installations I’ve worked with kept NetBIOS enabled and used WINS.

Then again, you can use AD printer publishing for that feature and search AD for printers (when you share a printer, there’s a checkbox to publish it in AD).

WINS

Your best bet for smooth sailing with multi-subnet browsing and to support legacy apps is to use WINS.

WINS – What Is It, How To Install It, WINS Replication Partner Design Guidelines, How to Configure DHCP Scopes For WINS Client Distribution, and more:

Legacy Apps Require NetBIOS

So the biggest caveat is with legacy apps that rely on NetBIOS. For example, SEP and McAfee ePO use the browser service, not DirectSMB, and they will fail at central control, updates, etc.

If you disable NetBIOS over TCP/IP, it causes functionality issues with ePO 4.x

Environmental requirements for agent deployment from the ePO 4.x server

Same with Backup Exec and backup agents. There are many other apps that require NetBIOS functionality.

What I can say is that some legacy applications and services still require WINS, which AD DirectSMB doesn’t provide. Some of these apps include, but are not limited to:

  • Exchange 2003 with certain Outlook features
  • McAfee Enterprise ePolicy Orchestrator
  • Symantec Endpoint Protection
  • Symantec Backup Exec
  • Computer Associates AV
  • SQL
  • Mapped Drives
  • Printer sharing (not published in AD)
  • and many more….

Exchange 2000/2003 Need NetBIOS

Yeah, I know this is the day and age of Windows 2012 and Exchange 2013, but believe it or not, there are still installations out there running legacy operating systems and Exchange, so I had to throw this in there.

Exchange 2000/2003 require NetBIOS; one example is Exchange 2003’s Outlook-to-Exchange Free/Busy communication.

WINS is still required with both Exchange 2000 and 2003 (Aug 8, 2005) … See why Exchange needs WINS and how you can get a WINS server up and running and configure Exchange to use it. …

WINS and Exchange 2003 Server Dependencies: I had been laboring under the delusion that Windows and Exchange 2003 servers no longer need WINS; it seems that I was wrong. However, what I now believe …

Exchange Server 2003 and Exchange 2000 Server require NetBIOS name …You may have to use NetBIOS name resolution across different subnets for the … The following Exchange functionality still depends on WINS name resolution: …

So you have to ask yourself, what else are you running?

Search Suffixes

Search suffixes are used to facilitate single-label name resolution. As long as the search suffix is properly configured for your infrastructure, you should be OK.

Configuring DNS Search Suffixes

Suggestions, Corrections, & Comments are welcomed.

Ace Fekay


