Sun 11 Feb 2007
Norton Personal Firewall Blocks NetBIOS
Posted by Michael Brandonisio under How To , PersonalDigg This Entry , [6] Comments
Hello,
No surprise here, Norton Personal Firewall blocks NetBIOS. The assumption by Norton Personal Firewall is that it is the only line of protection for your computer and the only you do not have a windows network. However, in an office environment any personal firewall can create a problem if the network is not planned properly and rollout policies noted. Often it is not enough to simple install a piece of software these days, especially a firewall. Once in stalled the default configure should be checked to verify compatibility with the installed environment.
For example, a client contacted me about having a new laptop added to the office network. They need drives mapped and the computer should be added to the domain. Their network is a domain controller with Active Directory. I was thinking it should take no more than an hour or so to get these tasks completed. It turned out to be more of a learning experience. To add, this was my first exposure to Windows Vista. It took me some time hunting around to find the tools I needed to get my work done. Once I found them, I ran into a road block. I could not get the laptop to join the domain. I threw a few darts left and right. They missed. I see that it is a NetBIOS issue. I could not reach the server by typing ‘\\server’. I could reach it by ‘\\192.168.0.10’. However NetBIOS is required for the domain controller to be found via it’s name space. I first thought a Firewall must be blocking NetBIOS but the Windows Firewall was off and I did not notice that this laptop had Norton Personal Firewall installed on it as well. It was a pre-installed 30-day trial. When I finally discovered Norton Personal Firewall was on, it all came together. Only when I turned off the Norton Personal Firewall was I able to use NetBIOS names and join the domain. This was not the fix but a confirmation that Norton Personal Firewall was blocking NetBIOS.
The 2 challenges that I was faced with was pre-installed trial software and a new operating system. I should have taking a few minutes to review what the laptop had installed on it from the manufacturer before starting my work.
My Personal opinion:
You can take a few routes. If the network is a new network and does not have a domain controller running on it, use all IP based URI’s (Universal Resource Identifier). This way you will not have to deal with NetBIOS issues, ever.
If you have an existing network and it does not have a domain controller running on it, update all your existing URI’s to IP based URI’s. It may take some time but this will set you up for the next item.
By running a personal firewall on all your workstations, even if your shared internet connection is protected via a router/ Firewall, will prevent worms and viruses from running rampant on your local network. This will add another level of protect for your workstations from those worms and viruses that are brought into the network on portable media like flash drives, CD-ROMs and good old fashion floppies disks. You may even go as far as blocking SMTP port 25 and configuring your email server to operate on an alternate port of 26 for outgoing mail. This will prevent viruses from emailing themselves from your network.
If you are in a network environment that makes use of NetBIOS names in URI’s extensively or has a Domain Controller running on the network, either unblock NetBIOS from your personal firewall or turn it off. Turning it off should only be done as a last resort since you will be more vulnerable without the firewall operating. Unblocking these port is less risky: 137-UDP-NetBIOS Name Service; 138-UDP-NetBIOS Datagram Service; 139-TCP-NetBIOS Session Service.
According to the Norton user guide, you need to organize your local computers, printer servers and servers into network zones. Place the local computers, printer servers and servers into your Norton Trusted zone. Do not place computers that connect over the internet in your trusted zone unless they are also running properly installed firewall software and can be trusted, really trusted. If a trusted computer is compromised your computer can be at risk.
Microsoft Personal Firewall also blocks NetBIOS. Here is a link to Microsoft Personal Firewall. It has more detailed information on how to unblock these ports.
This is not a definitive explanation of firewall rules or usage. You must consider your own risk comfort level before performing any of these tasks. Use at your own risk.
Sincerely,
Mike
It’s NETBIOS, not NETBOIS. How can anyone take you seriously if you can’t even spell it correctly?
Hi Al,
Thanks for noticing. I corrected the title. Unfortunetly I cannot edit the Digg posting. Did you see anything else in there that was a glaring error? I thought it was an informative post.
Great article. I’m up at 12.41am trying to figure out why I can map to network shares using active directory, but the XP Pro client can’t browse the network shares. I think this is getting me closer to a solution… if not, still interesting (and yes – I am suffering from pre-installed software)
Hi David,
Can you browser them if you use the servers IP instead of netbios name? If so it could be netbios is blocked in the client’s firewall.
Mike
It didn’t work for me, can you give us some more information?
Hi Bob,
Can you tell me more about what your challenge is? Do you see a difference with the firewall on vs. off? Have you checked to see if you have more than one firewall on?
Mike