18.6.4.1 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'

Information

This policy setting specifies if the Domain Name System (DNS) client will perform name resolution over Network Basic Input/Output System (NetBIOS). NetBIOS is a legacy name resolution method for internal Microsoft networking that predates the use of DNS for that purpose (pre-Active Directory). Some legacy applications still require the use of NetBIOS for full functionality.

The recommended state for this setting is: Enabled: Disable NetBIOS name resolution on public networks. Configuring this setting to Enabled: Disable NetBIOS name resolution also conforms to the benchmark.

NetBIOS does not perform authentication and can allow remote attackers to cause a denial of service by sending spoofed Name Conflicts or Name Release datagrams. This is also known as 'NetBIOS Name Server Protocol Spoofing'. Preventing the use of NetBIOS on public networks reduces the attack surface.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Disable NetBIOS name resolution on public networks:

Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Configure NetBIOS settings

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DnsClient.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates v1.0 (or newer).
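The following PowerShell audit script is an added example, not part of the CIS benchmark or the Tenable audit content. It reads the policy value that the Group Policy setting above writes and reports whether it matches one of the two conforming states, then lists each adapter's network category alongside its per-adapter NetBIOS over TCP/IP option so an operator can see which interfaces are on public networks. The registry path and value name (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, EnableNetbios) and the value meanings (0 = disable, 2 = disable on public networks) are assumptions taken from the DnsClient.admx template and should be confirmed against the template shipped with your Administrative Templates package.

```powershell
# Added audit example; not from the CIS benchmark or from Tenable.
# ASSUMPTION: the 'Configure NetBIOS settings' policy in DnsClient.admx writes
# the registry value below. Verify against the ADMX/ADML on your own system.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$ValueName = 'EnableNetbios'

# ASSUMPTION: value meanings as listed in the DnsClient.adml strings.
# Both 0 and 2 conform to the benchmark text above.
$ConformingValues = @{
    0 = 'Enabled: Disable NetBIOS name resolution'
    2 = 'Enabled: Disable NetBIOS name resolution on public networks'
}

function Test-NetbiosPolicy {
    [CmdletBinding()]
    param(
        [string]$Key  = $PolicyKey,
        [string]$Name = $ValueName
    )
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No policy value present: the OS default applies, but the control expects
        # the setting to be enforced through Group Policy, so report it as not set.
        return [pscustomobject]@{
            Configured = $false
            Value      = $null
            Meaning    = 'Not Configured (OS default applies)'
            Conforms   = $false
        }
    }
    $value = [int]$item.$Name
    [pscustomobject]@{
        Configured = $true
        Value      = $value
        Meaning    = if ($ConformingValues.ContainsKey($value)) { $ConformingValues[$value] } else { "Enabled: non-conforming value ($value)" }
        Conforms   = $ConformingValues.ContainsKey($value)
    }
}

function Get-AdapterNetbiosState {
    # Per-adapter NetBIOS over TCP/IP option (TcpipNetbiosOptions: 0 = via DHCP,
    # 1 = enabled, 2 = disabled) joined with the adapter's network category.
    # This is a separate mechanism from the DNS client policy checked above and is
    # shown only to make the 'public networks' scope visible to the operator.
    $profiles = Get-NetConnectionProfile -ErrorAction SilentlyContinue
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $cfg = $_
            $profile = $profiles | Where-Object { $_.InterfaceIndex -eq $cfg.InterfaceIndex }
            [pscustomobject]@{
                Adapter         = $cfg.Description
                NetworkCategory = if ($profile) { $profile.NetworkCategory } else { 'Unknown' }
                NetbiosOption   = switch ($cfg.TcpipNetbiosOptions) { 0 {'Via DHCP'} 1 {'Enabled'} 2 {'Disabled'} default {'Unknown'} }
            }
        }
}

# Usage: run in an elevated PowerShell session on the audited host.
Test-NetbiosPolicy | Format-List
Get-AdapterNetbiosState | Format-Table -AutoSize
```

The first function is the check that maps directly onto this control; the second is context only, since a host can have the policy set correctly while individual adapters on Domain or Private networks still answer NetBIOS name queries, which is the behaviour the policy intends to keep.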

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/17689

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7

Plugin: Windows

Control ID: 341a2f6603cec2c15607b317e7eb7563de860e77c0dc9794cc72b6396c88964e