Disable NetBIOS in Windows networks (2024)

Brandon Lee&nbspWed, Oct 13 2021Wed, Oct 13 2021&nbspsecurity, windows, windows 10&nbsp3

NetBIOS was initially created to allow applications to communicate without understanding the details of the network, including error recovery. It operates at the session layer, layer 5 of the OSI model. As with other legacy technologies, the main reason for disabling NetBIOS is security. There are two ways to achieve this goal: via either DHCP or a registry key.

The original NetBIOS implementations used a frame provided by NetBEUI, since NetBIOS is not a network protocol itself. Most commonly, it is still in use in enterprise networks with NetBIOS over TCP/IP (NBT). TCP/IP networks overcame the limitation of NetBEUI not being routable. NetBIOS is only supported on IPv4 networks and is not compatible with IPv6.

NetBIOS offers three main capabilities:

• Name resolution—TCP or UDP over port 137 provides name resolution and registration services.
• Datagram services—UDP port 138 allows for broadcasts to all computers on the network and provides connectionless communication, such as error reporting.
• Session services—TCP port 139 provides the communication channel, allowing two computers to communicate.

Even though NetBIOS was developed in the 1980s, amazingly, you can still see that it is alive and well in Windows 10 today.

Reasons to disable NetBIOS

NetBIOS is a relic of legacy network technology and is often part of the technical debt and legacy infrastructure left behind after upgrading applications and other technologies. In addition, the network is generally one of the slowest areas of infrastructure that is changed. As a result, organizations may still have legacy network protocols and services enabled if these are needed for compatibility.

There are good reasons to disable NetBIOS. However, arguably, the main reason that many businesses may start looking at disabling NetBIOS is security. Attackers look for any weakness in the infrastructure, network, or other environmental components, providing a means for compromise.

As described earlier, NetBIOS uses the NBT protocol. NBT is vulnerable to poisoning attacks because it is not an authenticated protocol. A skilled hacker can impersonate or spoof the identity of NBT frames and misdirect traffic on the network, allowing sensitive information to be stolen. This may include the NTLM hash of end user credentials transmitted by the user's computer.

It is also recommended to disable NetBIOS over TCP/IP to improve network performance. Disabling NetBIOS over TCP/IP is especially recommended on Hyper-V and Windows Server cluster hosts with dedicated NICs used for traffic, such as iSCSI and Live Migration.

Considerations before disabling

As with any infrastructure or network change, IT admins need to discover whether NetBIOS is actively used in their environments before disabling it. Organizations need to ensure that there are no legacy applications or clients that depend on NetBIOS to function properly. In addition, the DNS infrastructure needs to be implemented correctly and validated for consistency and accuracy before turning off NetBIOS.

It is also a good idea to use a tool like Wireshark to make sure no NetBIOS traffic is observed on the network. This helps validate the actual traffic and find any unknown or hidden dependencies on NetBIOS.

You can also use nbtstat in Windows to view entries in cache and other options.

Disabling NetBIOS in your network

There are a couple of ways that we can effectively disable NetBIOS on a Windows machine. As many organizations use a Windows Server DHCP server, NetBIOS can be controlled using a scope option. Open the DHCP management console using the command dhcpmgmt.msc. Navigate to your DHCP scope and select Scope Options > Configure Options.

Select the Advanced tab. In the Vendor class drop-down box, select Microsoft Windows 2000 Options. Then select the checkbox next to the 001 Microsoft Disable Netbios Option. To disable NetBIOS, in the Data entry field, enter 0x2. All new leases will receive the new scope option.

From the client side, Windows 10 has the corresponding setting enabled by default to obtain NetBIOS settings from the DHCP server. Note that under the WINS tab of the Advanced TCP/IP Settings for a network connection in Windows 10, the option selected by default for NetBIOS setting is:

• Use NetBIOS setting from the DHCP server. If static IP address is used or the DHCP server does not provide NetBIOS setting, enable NetBIOS over TCP/IP.

So, if your DHCP server sends a configuration for NetBIOS, Windows 10 will use the setting provided by DHCP.

You can also disable NetBIOS using the Windows registry, as follows:

1. Start the registry editor (regedit.exe).
2. Open HKLM\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces.
3. Select the corresponding network adapter GUID. To find your corresponding network adapter GUID, start the Wired Autoconfig Windows service (if not running), and run the following command: netsh lan show interfaces.
4. GUIDs with the NetbiosOptions value can be set to 0 (uses NetBIOS setting from the DHCP server) or 1 (enables NetBIOS over TCP/IP). To disable, set the option to 2.
5. Close the registry editor.

Conclusion

NetBIOS is a network service that has been around for decades now. As many organizations may have migrated from legacy apps and have a proper DNS configuration for name resolution, NetBIOS may be disabled. However, proper auditing and discovery of all applications and dependencies need to be validated.

Subscribe to 4sysops newsletter!

As shown, the DHCP Server can be used to configure DHCP client NetBIOS settings. IT admins can also use the Windows registry to disable NetBIOS.