Networking Forums > Computer Networking > Windows Networking > Disable NetBIOS and NTLM on Windows 2003 Domain Controllers and Exchange 2003?

Disable NetBIOS and NTLM on Windows 2003 Domain Controllers and Exchange 2003?

 
 
Research Services
      10-04-2004, 02:25 PM
Is it possible to safely DISABLE NetBIOS and/or NTLMv1/LM on all Windows
2000 and Windows 2003 Domain Controllers and/or Exchange 2003 servers
(within our own child domain) without affecting Windows networking
communications adversely?
We are a child domain in a single forest, we are NOT Enterprise
Administrators. Our DCs and Exchange are currently configured to refuse and
not send LM.
All clients are Windows XP with NetBIOS already disabled and only talk
NTLMv2, there are no down-level clients (i.e., Win9x, NT4, Mac) in our child
domain.
We are not sure if this will affect AD replication, especially between other
child domains in the forest not controlled by us - OR if Exchange 2003
relies on NetBIOS and/or less than NTLMv2 to function correctly.

Thanks for any input or help.



 
Andrei Ungureanu
      10-04-2004, 03:03 PM
hmmm .. about NTLMv1/LM ... I don't think it's a problem disabling them
(maybe only if you have some very old OS on your network). Regarding NETBIOS
.... I think the domain controller needs this functionality for the
replication. Anyway, to fully disable NETBIOS and SMB check
http://www.microsoft.com/technet/Sec...n2k/a0604.mspx
(as you can see it's not enough to check Disable NetBIOS over TCP/IP from
Advanced TCP/IP settings).

Andrei Ungureanu
www.eventid.net
Free Windows event logs reports
http://www.altairtech.ca/evlog/




 
 
Research Services
      10-04-2004, 05:02 PM
Thanks for your response.

You indicate that Domain Controllers (may?) need NetBIOS for Active
Directory replication - do you know if there are any Microsoft documents
that address this "requirement" directly?







 
 
Andy David - Exchange MVP
      10-04-2004, 11:57 PM
You may want to look at this:
http://support.microsoft.com/default.aspx?scid=837391





 
 
Steven L Umbach
      10-05-2004, 01:12 AM
Domain controllers do not need NBT to replicate amongst themselves, but I
believe there will be a problem with Exchange. If you disable NBT, keep in
mind that there may be problems with the use of My Network Places if used.
Domain controllers are usually domain master and master browsers, though
elections would happen if other computers on the network still use it.

Keep in mind that Remote Access Servers will not authenticate users if
configured to not allow LM and NTLM. It will work if you disable just LM,
which is by far the biggest vulnerability. Also, unless you configure
security options on Windows 2003 Servers and modify the registry on W2K
servers, LM hashes of passwords will still be stored, and if you disable
that, the LM hash for a user's password will still exist until they change
their password. --- Steve





 
 
Andrei Ungureanu
      10-05-2004, 12:15 PM
What about SYSVOL folder? Do you need NETBIOS/SMB for this?

Andrei Ungureanu
www.eventid.net
Free Windows event logs reports
http://www.altairtech.ca/evlog/


 
 
Research Services
      10-05-2004, 02:56 PM
Thank you all for the information and links.

It appears that Exchange 2000 & Exchange 2003 both rely on and require
NetBIOS enabled to function fully.
Does anyone know if we can tighten down our Domain Controllers and Exchange
boxes to only talk/allow NTLMv2? Or can this negatively affect inter-forest
communication and/or replication?

We found this very useful link that is related to this discussion:

Client, service, and program incompatibilities that may occur when you
modify security settings and user rights assignments
http://support.microsoft.com/default...b;en-us;823659











 
 
Steven L Umbach
      10-05-2004, 06:58 PM
DNS name resolution is used for that, and port 445 will be used as 139
becomes unavailable. Shares can still be accessed, but only by IP address or
fully qualified domain name. I have not tried disabling NBT in a domain
myself, and of course I would not recommend anyone make such a change without
testing before rolling out. --- Steve





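Added example, not code from any poster in this thread: a read-only PowerShell audit of the settings the thread turns on, covering the LM/NTLM level and LM hash storage Steve describes, the "only NTLMv2" goal in the follow-up question, the per-adapter NetBIOS over TCP/IP setting Andrei mentions, and whether TCP 139 and 445 are listening. It assumes Windows PowerShell with WMI and netstat available on the server being checked; run it before and after a change and diff the output in a test environment first.

```powershell
# Added audit script, not code from any poster in this thread.
# Read-only: it reports the settings discussed so a DC or Exchange server
# can be compared before and after hardening. Assumes Windows PowerShell
# with WMI and netstat available on the host being audited.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each LmCompatibilityLevel value. "Refuse and do not send LM"
# is level 4; "only talk/allow NTLMv2" as asked in the thread is level 5.
$lmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only, refuse LM'
    5 = 'Send NTLMv2 only, refuse LM and NTLM'
}

function Get-LmCompatibilityLevel {
    $v = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $v) {
        return New-Object PSObject -Property @{ Level = $null; Meaning = 'Not set; OS default applies' }
    }
    New-Object PSObject -Property @{ Level = [int]$v; Meaning = $lmLevelNames[[int]$v] }
}

function Get-NoLMHashState {
    # XP/2003 use a DWORD value NoLMHash=1 under Lsa; Windows 2000 uses a
    # subkey named NoLMHash (the "modify the registry on W2K" step). Either
    # way this only stops NEW LM hashes being stored; existing ones remain
    # until the user's password is changed, as Steve notes.
    $val = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).NoLMHash
    return (($val -eq 1) -or (Test-Path "$lsa\NoLMHash"))
}

function Get-NetBiosState {
    # TcpipNetbiosOptions: 0 = default (DHCP/registry), 1 = enabled, 2 = disabled.
    $names = @{ 0 = 'Default'; 1 = 'Enabled'; 2 = 'Disabled' }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter          = $_.Description
                NetBiosOverTcpip = $names[[int]$_.TcpipNetbiosOptions]
            }
        }
}

function Get-SmbListeners {
    # 139 is the NetBIOS session port; 445 is direct-hosted SMB, which keeps
    # serving shares (by IP or FQDN) once NetBT is off.
    $listening = netstat -an -p tcp | Where-Object { $_ -match 'LISTENING' }
    New-Object PSObject -Property @{
        Tcp139 = [bool]($listening | Where-Object { $_ -match ':139\s' })
        Tcp445 = [bool]($listening | Where-Object { $_ -match ':445\s' })
    }
}

$lm = Get-LmCompatibilityLevel
Write-Output ("LmCompatibilityLevel : {0} ({1})" -f $lm.Level, $lm.Meaning)
Write-Output ("LM hash storage off  : {0}" -f (Get-NoLMHashState))
Get-NetBiosState | Format-Table Adapter, NetBiosOverTcpip -AutoSize
Get-SmbListeners | Format-List Tcp139, Tcp445
```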
 
 
Bill Grant
      10-06-2004, 12:15 AM
I would certainly second that. Even if all workstations and servers are
happy without NetBT, there may still be legacy apps which rely on NetBIOS
names (and even browsing). Apart from locally written apps, backup software
and printer drivers are two that come to mind.




 