MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
ID: oval:gov.nist.usgcb.windowsseven:def:132 | Date: (C)2012-04-13 (M)2017-10-26
Class: COMPLIANCE | Family: windows
Network basic input/output system (NetBIOS) over TCP/IP is a networking protocol that, among other things, provides a means of easily resolving NetBIOS names registered on Windows-based systems to the IP addresses configured on those systems. This value determines whether the computer releases its NetBIOS name when it receives a name release request. The NoNameReleaseOnDemand setting configures the system to refuse name release requests to release its SMB name. This setting prevents an attacker from sending a name release request to a server, causing the server to be inaccessible to legitimate clients. If this setting is configured on a client, however, and that client is misconfigured with the same name as a critical server, the server will be unable to recover the name, and legitimate requests may be directed to the rogue server instead, causing a denial of service condition at best. The setting is stored in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand registry key.
NetBIOS over TCP/IP (NetBT) is a networking protocol that, among other things, provides a way to easily resolve NetBIOS names that are registered on Windows-based computers to the IP addresses that are configured on those computers. This value determines whether the computer releases its NetBIOS name when it receives a name-release request.
The NetBIOS over TCP/IP (NetBT) protocol does not use authentication and, therefore, is vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries.
The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution.
Configure the NoNameReleaseOnDemand entry to a value of 1 (enabled).
Alternatively, you could disable the use of the Windows Internet Name Service (WINS) in your environment, and further ensure that all applications rely upon DNS for name resolution services. Although we recommend this approach as a long-term strategy, it is generally impractical for most organizations to attempt as a short-term solution. Organizations that still run WINS generally have application dependencies that cannot be quickly resolved without upgrades and software rollouts, which require careful plans and significant time commitments.
If you cannot deploy this countermeasure and you want to guarantee NetBIOS name resolution, you can take the additional step of pre-loading NetBIOS names in the LMHOSTS file on certain computers. Maintenance of LMHOSTS files in most environments requires a significant amount of effort. We recommend that you use WINS instead of LMHOSTS.
An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, we recommend that you test this change in a non-production environment before you change the production environment.
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
(2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters!NoNameReleaseOnDemand
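The following PowerShell script is an added example, not part of the USGCB/OVAL definition or of any Microsoft tool. It audits the registry value named in (2) above against the expected value of 1 and, if run without -WhatIf, remediates it. The function names, the $RegPath/$ValueName variables, and the audit-then-remediate flow are this example's own choices; run it in an elevated session.

```powershell
# Added example (not from the USGCB definition): audit and optionally remediate
# the NoNameReleaseOnDemand setting. Function and variable names are this
# example's own; the registry path and expected value come from the definition.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$ValueName = 'NoNameReleaseOnDemand'
$Expected  = 1   # 1 = enabled, as the definition requires

function Get-NoNameReleaseOnDemandState {
    # Return the current DWORD value, or $null when the value does not exist.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-NoNameReleaseOnDemand {
    # Compliance check: the value must be present and equal to 1.
    $current = Get-NoNameReleaseOnDemandState
    $display = if ($null -eq $current) { 'absent' } else { $current }
    [pscustomobject]@{
        Setting   = $ValueName
        Current   = $display
        Expected  = $Expected
        Compliant = ($current -eq $Expected)
    }
}

function Set-NoNameReleaseOnDemand {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Remediation: create the key/value if missing, otherwise overwrite it with 1.
    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", "Set DWORD to $Expected")) {
        if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
        New-ItemProperty -Path $RegPath -Name $ValueName -Value $Expected `
            -PropertyType DWord -Force | Out-Null
    }
}

# Audit first, then remediate only when non-compliant.
$result = Test-NoNameReleaseOnDemand
$result | Format-List

if (-not $result.Compliant) {
    # -WhatIf only reports the intended change; remove it to apply the setting.
    Set-NoNameReleaseOnDemand -WhatIf
}
```

On domain-joined machines prefer the GPO path in (1): a value written locally is reapplied from policy at the next Group Policy refresh if the policy setting differs, so the local change is only a stopgap. Test-NoNameReleaseOnDemand on its own is suitable for a read-only compliance scan across hosts.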
Platform: Microsoft Windows 7