Need help securing connection to admin share at satellite office for remote backup

Hi all

I've established a connection to an administrative windows share at a
satellite office to push a compressed ntbackup file for remote storage &
disaster recovery.

Remote LAN <> Site to Site Hardware VPN <> ISA Server <> Local LAN

Using a batch file, ntbackup.exe creates a local backup file. Backup
file is first renamed in yyyymmdd format, then compressed & pushed
across VPN to remote administrative share.

Connection to remote site is established in format:

net use r: \\fqdn\r$ password /u:user

Currently for testing (principal is identical), have Microsoft Windows
XP Professional SP2 client with the following enabled at remote site.

NetBIOS over TCP/IP
Client for Microsoft Networks
File & Printer Sharing
SP2 Firewall with exceptions
R: (recovery) NTFS partition with R$ Administrative share

At central site, have Microsoft Windows SBS 2003 Premium still using ISA
Server 2000 until SBS 2003 SP1 is released.

Have created a packet filter on ISA Server to allow Windows Networking
out.

Site to Site VPN allows Windows Networking traffic through IPSec tunnel
only.

Internal NIC on SBS 2003 serves Local LAN. Usual suspects enabled.
External NIC on SBS 2003 was locked down. To enable connection to remote
share have had to enable NetBIOS over TCP/IP & Client for Microsoft
Networks.

Surely I should not have to enable NetBIOS over TCP/IP for this to work?

Am really not very happy with this present solution at all.

Advice & comments appreciated.

--
Kind Regards

Charles Mitchell
datalocate.net

Client for Microsoft Networks or some other provider is a prerequisite for
connection by UNC name. See:

http://www.microsoft.com/resources/d...d_arc_hnny.asp

You should not need NetBIOS, but you might have to connect by IP address -
net use r: \\IPofServer\r$

Doug Sherman
MCSE, MCSA, MCP+I, MVP

"Charles Mitchell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> Hi all
>
> I've established a connection to an administrative windows share at a
> satellite office to push a compressed ntbackup file for remote storage &
> disaster recovery.
>
> Remote LAN <> Site to Site Hardware VPN <> ISA Server <> Local LAN
>
> Using a batch file, ntbackup.exe creates a local backup file. Backup
> file is first renamed in yyyymmdd format, then compressed & pushed
> across VPN to remote administrative share.
>
> Connection to remote site is established in format:
>
> net use r: \\fqdn\r$ password /u:user
>
> Currently for testing (principal is identical), have Microsoft Windows
> XP Professional SP2 client with the following enabled at remote site.
>
> NetBIOS over TCP/IP
> Client for Microsoft Networks
> File & Printer Sharing
> SP2 Firewall with exceptions
> R: (recovery) NTFS partition with R$ Administrative share
>
> At central site, have Microsoft Windows SBS 2003 Premium still using ISA
> Server 2000 until SBS 2003 SP1 is released.
>
> Have created a packet filter on ISA Server to allow Windows Networking
> out.
>
> Site to Site VPN allows Windows Networking traffic through IPSec tunnel
> only.
>
> Internal NIC on SBS 2003 serves Local LAN. Usual suspects enabled.
> External NIC on SBS 2003 was locked down. To enable connection to remote
> share have had to enable NetBIOS over TCP/IP & Client for Microsoft
> Networks.
>
> Surely I should not have to enable NetBIOS over TCP/IP for this to work?
>
> Am really not very happy with this present solution at all.
>
> Advice & comments appreciated.
>
> --
> Kind Regards
>
> Charles Mitchell
> datalocate.net

> Client for Microsoft Networks or some other provider is a prerequisite for
> connection by UNC name. See:
>
> http://www.microsoft.com/resources/d...d_arc_hnny.asp
>
> You should not need NetBIOS, but you might have to connect by IP address -
> net use r: \\IPofServer\r$
>
> Doug Sherman
> MCSE, MCSA, MCP+I, MVP
>

Hi Doug

Thanks for you reply.

Earlier today I refreshed myself of the current Microsoft implementation
of TCP/IP networking & have solved most of the main issues I was
concerned about.

Direct Hosting of SMB over TCP/IP
http://support.microsoft.com/default...;en-us;Q204279

Microsoft Windows Server 2003 TCP/IP Implementation Details
http://www.microsoft.com/technet/pro...2003/technolog
ies/networking/tcpip03.mspx

My earlier attempts at connecting to the remote share using Direct
Hosting (TCP 445) instead of NetBIOS resolution (TCP 139) were failing
as I had not added a forward/reverse lookup entry in DNS for the remote
host.

My attempts to net use r: \\xxx.xxx.xxx.xxx\r$ failed because there was
no reverse lookup entry for that ip address.

Have now been able to disable NetBIOS over TCP/IP throughout.

I've also created a new packet filter on ISA Server to explicitly allow
Direct Hosting (TCP 445) outbound only to the remote host/site.

My security preference would be to also be able to disable Client for
Microsoft Networks on the external NIC of the ISA Server.

Can anybody following this thread think of a way this could be achieved?

What is the real security threat of leaving Client for Microsoft
Networks enabled on the external NIC?

--
Kind Regards

Charles Mitchell
datalocate.net