CCIE Study Notes

I'm kind of surprised to see this listed in the blueprint. This is really (old) Microsoft material and I can only think that they included it as traffic that goes across the network. I remember being seeped in these topics during my MCSE:Security studies (back when Win2K was new).

The NetLogon service verifies NTLM logon requests, and it registers, authenticates, and locates domain controllers. Also, to maintain compatibility with older operating systems, NetLogon manages replication of the user account database to back up domain controllers running Windows NT 4.0 and earlier.

NetBIOS is normally not used (it doesn't scale well). However, NetBT - NetBIOS over TCP/IP is actually something that might be relevant. I think they may be trying to point to the three services:
Name Service (NetBIOS Name Service = WINS)
Datagram Service
Session Service

Basically ports UDP 137 and 138 | TCP 137 and 139 - all dealing with Microsoft services > and all on the security "bad boy list" of services that you have to control and restrict.

Two such vulnerable network protocols that provide services are: the Server Message Block (SMB) protocol and NetBIOS over TCP/IP. Both services can reveal incredible amounts of detailed and vital security information about an exposed network. When not mitigated, NetBIOS over TCP/IP and SMB provide recurring vectors for malicious attacks upon a network. Specifically, NetBIOS provides attackers with a means to map the network and also freely navigate a compromised intranet.

SMB stands for Server Message Block. For this think CIFS traffic (what it's now called). This is your regular file traffic. The Wireshark Wiki has some really good pages on SMB and SMBv2 traffic. If you've done packet captures, you've probably seen a lot of this traffic.

I'm going to limit this topic to just the above. I can't see them wasting a question on this specifically - but it might show up inside a question on some other topic (perhaps an access-list scenario).