Configuring your perimeter firewall to block ports 137 (NetBIOS name resolution), 138 (NetBIOS browsing and logon), and 139 (NetBIOS file and print sharing using SMB) protects your network from external attackers trying to exploit NetBIOS to find out information about your network. But this doesn't prevent an insider attack that uses nbtstat to enumerate your network by listing NetBIOS name tables and sessions as a prelude to further penetration. As a result, some administrators are tempted to disable NetBIOS over TCP/IP entirely on Windows 2000 or later machines.
Before you do this, however, you should know the possible side effects. One of the unexpected consequences of disabling NetBIOS completely on your network is how it affects trusts between forests. Windows 2000 let you create an external (non-transitive) trust between a domain in one forest and a domain in a different forest, so that users in one forest could access resources in the trusting domain of the other forest. Windows Server 2003 takes this a step further by allowing you to create a new type of two-way transitive trust, called a forest trust, that lets users in any domain of one forest access resources in any domain of the other forest. Amazingly, NetBIOS is actually still used in the trust creation process, even though Microsoft has officially "deprecated" NetBIOS in versions of Windows from 2000 on. So if you disable NetBIOS on your domain controllers, you won't be able to establish a forest trust between two Windows Server 2003 forests.
There are probably other subtle ways that disabling NetBIOS might adversely affect your network, even if it is running only Windows 2000 or above. The bottom line is, before you go around disabling NetBIOS on all your machines, thoroughly test how this step will affect resource access and legacy applications running on your servers. One type of machine you really do need to disable NetBIOS on, however, is bastion hosts such as public-facing web servers, as you don't want people trying to enumerate the NetBIOS name table on these machines from over the Internet.
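As an added example (not part of the original article), the following PowerShell script audits the NetBIOS over TCP/IP setting of every IP-enabled adapter and, only when run with -Disable, turns it off on a host such as a bastion web server, then checks whether anything is still listening on 137/138/139. It assumes a Windows version with the CIM cmdlets (Windows 8 / Server 2012 or later, so newer than the Windows 2000/2003 systems the article discusses) and that you have already tested the change as the article advises.

```powershell
# Added example: audit NetBIOS over TCP/IP per adapter and optionally disable it.
# Uses the Win32_NetworkAdapterConfiguration WMI class; TcpipNetbiosOptions is
# 0 = default (via DHCP), 1 = enabled, 2 = disabled.
param(
    [switch]$Disable   # assumption: only pass this on a host you have tested, e.g. a bastion host
)

$labels = @{ 0 = 'Default (DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled }

foreach ($nic in $adapters) {
    $state = $labels[[int]$nic.TcpipNetbiosOptions]
    Write-Output ("{0,-45} NetBT: {1}" -f $nic.Description, $state)

    if ($Disable -and $nic.TcpipNetbiosOptions -ne 2) {
        # SetTcpipNetbios(2) disables NetBIOS over TCP/IP on this adapter; ReturnValue 0 is success.
        $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                      -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        if ($result.ReturnValue -eq 0) {
            Write-Output "  -> disabled NetBIOS over TCP/IP on $($nic.Description)"
        } else {
            Write-Warning "  -> SetTcpipNetbios failed with code $($result.ReturnValue) on $($nic.Description)"
        }
    }
}

# Check what an external scanner would see: once the change is in effect, there should be
# no TCP 139 listener and no UDP 137/138 endpoints. Empty output here is the desired result.
Write-Output "`nRemaining NetBIOS listeners (expect none when disabled):"
Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, State
Get-NetUDPEndpoint -LocalPort 137, 138 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort
```

Run it without -Disable first to see the current state of each adapter; the perimeter firewall rules for 137-139 described at the start of the article are still needed, since this only changes the host itself.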