07-17-2007 06:30 AM - edited 03-10-2019 03:42 AM
What is the best way to create an exception rule for NetBIOS on the CSAMC? NetBIOS needs to be enabled because of resolving IPs within rules on the CSAMC.
The process 'System' (as user NT AUTHORITY\SYSTEM) attempted to initiate a connection as a client on TCP port 139 to X.X.X.X using interface Wired\Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client). The operation was denied
Any help would be appreciated. I really don't want to create this rule not to see, just in case something is running over TCP 139.
Thanks,
07-17-2007 09:12 AM
Hi Kerraj,
I don't think the deny rule for a host acting as a client for the NetBIOS session service is normal.
What rule module/policy is triggering it?
Is the system state normal?
Tom
07-17-2007 09:37 AM
Hey Tom,
It's Rule 290 Network Access Control rule for the CSAMC Security Module.
It's happening on my CSAMC5.2
Thanks,
Adam
07-17-2007 11:09 AM
Hi Adam,
If you are accessing shared resources on other Windows boxes from the MC, a connection on 139 to that address makes sense.
If it is connecting to random addresses with no action on your part, that is problematic.
Is your MC using DHCP?
I have NetBIOS over TCP/IP enabled with a static IP and the only ports my MC has tried to connect to are 80 for WSUS, 139 and 445 for a drive mapping (one time only) and 123 for time.
Tom
07-17-2007 12:04 PM
Hey Tom,
Yes, my MC does have a static address and it's trying to get to my domain controller on 139.
My CSAMC has NetBIOS over TCP/IP enabled, but these servers, both my CSAMC and my remote CSADB, are chatty.
Do you have a remote DB and if so did you allow WSUS access to scan this server along with 445?
Thanks for your helpful response
07-17-2007 01:28 PM
Hey Adam, I have a local db (I'm setting up a remote one on a VM this week to test).
I allow connections on port 80 to a WSUS server to receive updates, 139 and 445 to the one Windows server for accessing a file share, and 123 to our time server, but nothing else.
I don't see this as an unacceptable risk. I think you could safely allow the traffic to your domain controller or deny and not log it if it doesn't affect function.
Are your MC and DB being chatty to the domain controller or to other hosts as well?
07-18-2007 06:07 AM
Hey Tom,
I appreciate your efforts!
My MC is trying to contact another server on TCP 139 which has nothing to do with CSA and runs a different Application.
No, the MC and DB are pretty much just being chatty with a domain controller on TCP 139 and TCP 389.
Thanks!
07-18-2007 07:18 AM
Is the other server on the same subnet?
07-18-2007 07:33 AM
No, it's on the same subnet as my MC.
07-18-2007 09:34 AM
Then this sounds like Master Browser election or some other local traffic.
If everything is working OK I'd just filter the events out however you see fit.
A specific block and no log rule should do it.
That way you'll see if something is running on 139 to any other hosts.
Tom