acquires Cloud Conformity
Open menu

Unrestricted NetBIOS Access

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Knowledge Base Best practice rules for Amazon Web Services AWS EC2 Best Practices Unrestricted NetBIOS Access
Last updated: 13 April 2018
Security
Risk level: Medium (should be achieved)
Rule ID: EC2-041

Check your EC2 security groups for inbound rules that allow unrestricted access (0.0.0.0/0 or ::/0) to TCP port 139 and UDP ports 137 and 138 and restrict access to only those IP addresses that require it in order to implement the principle of least privilege and reduce the possibility of a breach. These ports are used for NetBIOS name resolution (i.e. mapping a NetBIOS name to an IP address) by services such as File and Printer Sharing service running on Microsoft Windows Server OS.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Allowing unrestricted NetBIOS access can increase opportunities for malicious activity such as man-in-the-middle attacks (MITM), Denial of Service (DoS) attacks or BadTunnel exploits.

Audit

To determine if your EC2 security groups allow unrestricted NetBIOS access, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Click inside the attributes filter box located under the dashboard top menu and select the following options from the dropdown list:

  1. Choose Protocol and select TCP from the protocols list.
  2. Choose again Protocol and select UDP from the list.
  3. Choose Port Range, type 139 for the port number and press Enter.
  4. Repeat step c. using ports 137 and 138 as input value.

05 Select an EC2 security group returned as result.

06 Select the Inbound tab from the dashboard bottom panel.

07 Verify the value available in the Source column for any inbound/ingress rules with the Port Range set to 137 - 139. If one or more rules have the source set to 0.0.0.0/0 or ::/0 (Anywhere), the selected security group allows unrestricted traffic on ports 137, 138 and 139, therefore the NetBIOS access to the associated EC2 instance(s) is not secured.

08Repeat steps no. 5 – 7 to verify the rest of the EC2 security groups returned as result at step no. 4.

09Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) using the necessary filters to expose the security groups that have ingress rules that allow NetBIOS traffic (TCP ports 139 and UDP ports 137 and 138) from all addresses (0.0.0.0/0 or ::/0): 

aws ec2 describe-security-groups
	--region us-east-1
	--filters Name=ip-permission.from-port,Values=137,138,139 Name=ip-permission.to-port,Values=137,138,139 Name=ip-permission.cidr,Values='0.0.0.0/0'
	--query 'SecurityGroups[*].{Name:GroupName}'

aws ec2 describe-security-groups
	--region us-east-1
	--filters Name=ip-permission.from-port,Values=137,138,139 Name=ip-permission.to-port,Values=137,138,139 Name=ip-permission.ipv6-cidr,Values='::/0'
	--query 'SecurityGroups[*].{Name:GroupName}'

02 The command output should return an array with the requested information. If the command does not return any output, there are no EC2 security groups that allow unrestricted NetBIOS access, otherwise it should return the name of the security group(s) that match filter criteria, as shown in the following example: 

[
    {
        "Name": "WindowsADSecurityGroup"
    }
]

03 Repeat step no. 1 and 2 to perform the audit process for other AWS regions.

Remediation / Resolution

To update your security groups inbound/ingress configuration in order to restrict NetBIOS access to specific entities (IP addresses, IP ranges, etc), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the appropriate security group (see Audit section to identify the right one(s)).

05 Select the Inbound tab from the dashboard bottom panel and click the Edit button.

06 In the Edit inbound rules dialog box, change the traffic Source for any inbound rules that allow unrestricted access through TCP ports 139 and UDP ports 137 and 138 by performing one of the following actions:

  1. Select My IP from the Source dropdown list to allow inbound traffic only from your machine (from your IP address).
  2. Select Custom from the Source dropdown list and enter one of the following options based on your access requirements:
    • The static IP/Elastic IP address of the permitted host with the suffix set to /32, e.g. 53.45.150.129/32.
    • The IP address range of the permitted hosts in CIDR notation, for example 53.45.150.129/24.
    • The name or ID of another security group available in the same AWS region.

07 Click Save to apply the changes.

08 Repeat steps no. 4 – 7 to update other EC2 security groups that allow unrestricted NetBIOS access.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 First, run revoke-security-group-ingress command (OSX/Linux/UNIX) to remove the inbound rule(s) that allow unrestricted access through TCP port 139 and UDP ports 137 and 138, from the selected EC2 security group (the command does not return an output):

  1. Remove the inbound rule that opens the TCP port 139: 
    aws ec2 revoke-security-group-ingress
	--region us-east-1
	--group-name WindowsADSecurityGroup
	--protocol tcp
	--port 139
	--cidr 0.0.0.0/0
  2. Remove the inbound rule that opens the UDP port 137: 
    aws ec2 revoke-security-group-ingress
	--region us-east-1
	--group-name WindowsADSecurityGroup
	--protocol udp
	--port 137
	--cidr 0.0.0.0/0
  3. Remove the inbound rule that opens the UDP port 138: 
    aws ec2 revoke-security-group-ingress
	--region us-east-1
	--group-name WindowsADSecurityGroup
	--protocol udp
	--port 138
	--cidr 0.0.0.0/0

02 Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add the inbound rules removed at the previous step with a different set of parameters in order to restrict NetBIOS access to specific entities. To add custom inbound/ingress rules to the selected security group, use one of the following options (the command does not produce an output):

  1. Add an inbound rule that allows NetBIOS access to the specific static IP/Elastic IP address of the permitted host via port 139: 
    aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-name WindowsADSecurityGroup
	--protocol tcp
	--port 139
	--cidr 54.164.53.250/32
  2. Add an inbound rule that allows NetBIOS access to the IP address range of the permitted hosts via port 139: 
    aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-name WindowsADSecurityGroup
	--protocol tcp
	--port 139
	--cidr 54.164.53.250/24
  3. Add an inbound rule that allows NetBIOS access to another EC2 security group in the same AWS region via port 139: 
    aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-name WindowsADSecurityGroup
	--protocol tcp
	--port 139
	--source-group MyMSAppSecurityGroup
  4. Change the --protocol parameter value to udp and --port value to 137 and 138 respectively then repeat steps a – c to add the required UDP inbound rule(s) removed at step no. 1.

03 Repeat step no. 1 and 2 to update other EC2 security groups that allow unrestricted NetBIOS access using AWS CLI.

04 Repeat steps no. 1 - 3 to implement the entire process for other AWS regions.

References

Publication date Jun 23, 2016

Related EC2 rules

Thanks!

A verification email has been sent to

Thanks!

A verification email has been sent to

Thanks!

A verification email has been sent to