Detections
Analytics
1.1.1.2.1.22 'MSS(NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' to 'Enabled'
Information
1.1.1.2.1.22 Set 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' to 'Enabled'The registry value entry NoNameReleaseOnDemand was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\ Parameters\ registry key. The entry appears as MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers in the SCE. NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windowsbased systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution. For more information, see the Microsoft Knowledge Base article 'MS00-047: NetBIOS Vulnerability May Cause Duplicate Name on the Network Conflicts' at http://support.microsoft.com/default.aspx?kbid=269239.
Solution
To implement the recommended configuration state, set the following Group Policy setting to 1.Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS- (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
Impact- An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment.
See Also
Item Details
Audit Name: CIS Windows 2003 DC v3.1.0
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-21, CCE|CCE-2817-5
Plugin: Windows
Control ID: 8bf8213d94b930ec5c459ed2daa0be996ab07a7206fc14f40a6d07b62d7188ab