NetBIOS was initially created to allow applications to communicate without understanding the details of the network, including error recovery. It operates at the session layer, layer 5 of the OSI model. As with other legacy technologies, the main reason for disabling NetBIOS is security. There are two ways to achieve this goal: via either DHCP or a registry key.

The original NetBIOS implementations used a frame provided by NetBEUI, since NetBIOS is not a network protocol itself. Today, it is most commonly still found in enterprise networks as NetBIOS over TCP/IP (NBT). Running over TCP/IP overcame NetBEUI's limitation of not being routable. NetBIOS is only supported on IPv4 networks and is not compatible with IPv6.

NetBIOS offers three main capabilities:

  • Name resolution—TCP or UDP over port 137 provides name resolution and registration services.
  • Datagram services—UDP port 138 allows for broadcasts to all computers on the network and provides connectionless communication, such as error reporting.
  • Session services—TCP port 139 provides the communication channel, allowing two computers to communicate.

Even though NetBIOS was developed in the 1980s, amazingly, you can still see that it is alive and well in Windows 10 today.

NetBIOS settings in Windows 10


Reasons to disable NetBIOS

NetBIOS is a relic of legacy network technology and is often part of the technical debt and legacy infrastructure left behind after upgrading applications and other technologies. In addition, the network is generally one of the slowest areas of infrastructure to change. As a result, organizations may still have legacy network protocols and services enabled if these are needed for compatibility.

There are good reasons to disable NetBIOS. However, arguably, the main reason that many businesses may start looking at disabling NetBIOS is security. Attackers look for any weakness in the infrastructure, network, or other environmental components that provides a means of compromise.

As described earlier, NetBIOS uses the NBT protocol. NBT is vulnerable to poisoning attacks because it is not an authenticated protocol. A skilled attacker can spoof NBT frames and misdirect traffic on the network, allowing sensitive information to be stolen. This may include the NTLM hash of end user credentials transmitted by the user's computer.

It is also recommended to disable NetBIOS over TCP/IP to improve network performance. Disabling NetBIOS over TCP/IP is especially recommended on Hyper-V and Windows Server cluster hosts with NICs dedicated to traffic such as iSCSI and Live Migration.

Considerations before disabling

As with any infrastructure or network change, IT admins need to discover whether NetBIOS is actively used in their environments before disabling it. Organizations need to ensure that there are no legacy applications or clients that depend on NetBIOS to function properly. In addition, the DNS infrastructure needs to be implemented correctly and validated for consistency and accuracy before turning off NetBIOS.

It is also a good idea to use a tool like Wireshark to make sure no NetBIOS traffic is observed on the network. This helps validate the actual traffic and find any unknown or hidden dependencies on NetBIOS.

Use Wireshark to make sure there is no NetBIOS traffic


You can also use nbtstat in Windows to view the cached NetBIOS name entries, among other options.

Using nbtstat to find cached NetBIOS name resolution


Disabling NetBIOS in your network

There are a couple of ways that we can effectively disable NetBIOS on a Windows machine. As many organizations use a Windows Server DHCP server, NetBIOS can be controlled using a scope option. Open the DHCP management console using the command dhcpmgmt.msc. Navigate to your DHCP scope and select Scope Options > Configure Options.

Configuring DHCP server scope options


Select the Advanced tab. In the Vendor class drop-down box, select Microsoft Windows 2000 Options. Then select the checkbox next to the 001 Microsoft Disable Netbios Option. To disable NetBIOS, in the Data entry field, enter 0x2. All new leases will receive the new scope option.

Disabling NetBIOS using a DHCP scope option in Windows Server DHCP
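The same scope option can be applied from PowerShell. This is an added example, not part of the original article; it assumes the DhcpServer module is available (on the DHCP server or via RSAT), and the function name Set-NetbiosDisableOption is hypothetical.

```powershell
# Added example: set vendor option 001 (Microsoft Disable Netbios Option) to 0x2
# on every IPv4 scope and read the value back. Uses the DhcpServer module cmdlets.
$vendorClass = 'Microsoft Windows 2000 Options'   # vendor class named in the article
$optionId    = 1                                   # 001 Microsoft Disable Netbios Option
$disable     = 2                                   # 0x2 = disable NetBIOS over TCP/IP

function Set-NetbiosDisableOption {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # DHCP server to configure; defaults to the local machine.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    foreach ($scope in (Get-DhcpServerv4Scope -ComputerName $ComputerName)) {
        # Record what the scope had before; the lookup errors if the option is unset.
        $before = Get-DhcpServerv4OptionValue -ComputerName $ComputerName `
            -ScopeId $scope.ScopeId -VendorClass $vendorClass -OptionId $optionId `
            -ErrorAction SilentlyContinue

        if ($PSCmdlet.ShouldProcess("scope $($scope.ScopeId)", "Set option $optionId to $disable")) {
            Set-DhcpServerv4OptionValue -ComputerName $ComputerName `
                -ScopeId $scope.ScopeId -VendorClass $vendorClass `
                -OptionId $optionId -Value $disable
        }

        # Read the option back so the result can be reviewed or logged.
        $after = Get-DhcpServerv4OptionValue -ComputerName $ComputerName `
            -ScopeId $scope.ScopeId -VendorClass $vendorClass -OptionId $optionId `
            -ErrorAction SilentlyContinue

        [pscustomobject]@{
            ScopeId = $scope.ScopeId
            Name    = $scope.Name
            Before  = if ($before) { $before.Value -join ',' } else { 'not set' }
            After   = if ($after)  { $after.Value -join ',' }  else { 'not set' }
        }
    }
}

# Preview the change first, then run without -WhatIf to apply it.
Set-NetbiosDisableOption -WhatIf | Format-Table -AutoSize
```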


From the client side, Windows 10 has the corresponding setting enabled by default to obtain NetBIOS settings from the DHCP server. Note that under the WINS tab of the Advanced TCP/IP Settings for a network connection in Windows 10, the option selected by default for NetBIOS setting is:

  • Use NetBIOS setting from the DHCP server. If static IP address is used or the DHCP server does not provide NetBIOS setting, enable NetBIOS over TCP/IP.

So, if your DHCP server sends a configuration for NetBIOS, Windows 10 will use the setting provided by DHCP.

Windows 10 NetBIOS settings from the DHCP server


You can also disable NetBIOS using the Windows registry, as follows:

  1. Start the registry editor (regedit.exe).
  2. Open HKLM\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces.
  3. Select the corresponding network adapter GUID. To find your corresponding network adapter GUID, start the Wired Autoconfig Windows service (if not running), and run the following command: netsh lan show interfaces.
  4. For the selected GUID, the NetbiosOptions value can be set to 0 (uses NetBIOS setting from the DHCP server) or 1 (enables NetBIOS over TCP/IP). To disable NetBIOS, set the value to 2.
  5. Close the registry editor.
Disable NetBIOS using the Windows registry
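The registry steps above can be scripted so that every interface is audited before anything is changed. This is an added example, not part of the original article; the function names Get-NetbiosOption and Disable-NetbiosOverTcpip are hypothetical, and writing the value requires an elevated PowerShell session.

```powershell
# Added example: report NetbiosOptions for every interface key, then optionally set it to 2.
$base    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$meaning = @{ 0 = 'Use DHCP setting'; 1 = 'Enabled'; 2 = 'Disabled' }

function Get-NetbiosOption {
    # Map interface GUIDs to adapter names for adapters that are currently present.
    $names = @{}
    Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
        ForEach-Object { $names[$_.InterfaceGuid.ToUpper()] = $_.Name }

    # Each subkey is named Tcpip_{GUID}; strip the prefix to get the adapter GUID.
    Get-ChildItem -Path $base | ForEach-Object {
        $guid  = $_.PSChildName -replace '^Tcpip_', ''
        $value = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions `
                    -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Adapter        = $names[$guid.ToUpper()]
            Guid           = $guid
            NetbiosOptions = $value
            Meaning        = if ($null -ne $value) { $meaning[[int]$value] } else { 'Not set' }
            KeyPath        = $_.PSPath
        }
    }
}

function Disable-NetbiosOverTcpip {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Limit the change to these GUIDs; by default all interfaces are processed.
        [string[]]$Guid
    )
    Get-NetbiosOption |
        Where-Object { (-not $Guid -or $_.Guid -in $Guid) -and $_.NetbiosOptions -ne 2 } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Guid, 'Set NetbiosOptions = 2')) {
                Set-ItemProperty -Path $_.KeyPath -Name NetbiosOptions -Value 2 -Type DWord
            }
        }
}

# Read-only audit of the current state.
Get-NetbiosOption | Format-Table Adapter, Guid, NetbiosOptions, Meaning -AutoSize

# Preview which interfaces would change; remove -WhatIf to apply.
# Disable-NetbiosOverTcpip -WhatIf
```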


Conclusion

NetBIOS is a network service that has been around for decades now. As many organizations may have migrated from legacy apps and have a proper DNS configuration for name resolution, NetBIOS may be disabled. However, all applications and dependencies need to be properly audited and discovered first.

As shown, the DHCP Server can be used to configure DHCP client NetBIOS settings. IT admins can also use the Windows registry to disable NetBIOS.

3 Comments
  1. Samir 2 weeks ago

    Was so much easier to remove it when it was a separate protocol stack and not part of the tcp/ip configuration. I wonder if there are any drawbacks to still running IPX today?


  2. Peter 2 weeks ago

    Thanks for the interesting article.
    Maybe a useful follow-up article would be tools to do a network audit on what is using NetBIOS.

    Thanks
