Microsoft Windows 2000 NetBIOS Name Server Protocol Spoofing Patch Description:
eliminates a security vulnerability in a protocol implemented in Windows systems which could be used to cause a machine to refuse to respond to requests for service. The NetBIOS Name Server (NBNS) protocol, part of the NetBIOS over TCP/IP (NBT) family of protocols, is implemented in Windows systems as the Windows Internet Name Service (WINS).
By design, NBNS allows network peers to assist in managing name conflicts. Also by design, it is an unauthenticated protocol and therefore subject to spoofing.
A malicious user could misuse the Name Conflict and Name Release mechanisms to cause another machine to conclude that its name was in conflict. Depending on the scenario, the machine would either be unable to register a name on the network, or would relinquish a name it already had registered.
The result in either case would be the same: the machine would not respond to requests sent to the conflicted name anymore.
If normal security practices are followed, and port 137 UDP (User Datagram Protocol) is blocked at the firewall, external attacks would not be possible.
The patch changes the behavior of Windows systems in order to give administrators additional flexibility in managing their networks. It enables administrators to configure a machine to only accept a name conflict datagram in direct response to a name registration attempt, and to configure machines to reject all name release datagrams.
This can reduce but not eliminate the threat of spoofing. Customers needing additional protection may wish to consider using IPSec in Windows 2000 to authenticate all sessions on ports 137 to 139.