18.4.6 Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'

Information

This setting determines which method NetBIOS over TCP/IP (NetBT) uses to register and resolve names. The available methods are:

- The B-node (broadcast) method only uses broadcasts.
- The P-node (point-to-point) method only uses name queries to a name server (WINS).
- The M-node (mixed) method broadcasts first, then queries a name server (WINS) if broadcast failed.
- The H-node (hybrid) method queries a name server (WINS) first, then broadcasts if the query failed.

The recommended state for this setting is: Enabled: P-node (recommended) (point-to-point).

Note: Resolution through LMHOSTS or DNS follows these methods. If the NodeType registry value is present, it overrides any DhcpNodeType registry value. If neither NodeType nor DhcpNodeType is present, the computer uses B-node (broadcast) if there are no WINS servers configured for the network, or H-node (hybrid) if there is at least one WINS server configured.

In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node (point-to-point) will prevent the system from sending out NetBIOS broadcasts.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: P-node (recommended):

Computer Configuration\Policies\Administrative Templates\MS Security Guide\NetBT NodeType configuration

Note: This change does not take effect until the computer has been restarted.

Note #2: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required; it is available from Microsoft at this link. Please note that this setting is only available in the Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903 (or newer) release of SecGuide.admx/adml, so if you previously downloaded this template, you may need to update it from a newer Microsoft baseline to get this new NetBT NodeType configuration setting.

Impact:

NetBIOS name resolution queries will require a defined and available WINS server for external NetBIOS name resolution. If a WINS server is not defined or not reachable, and the desired hostname is not defined in the local cache, local LMHOSTS or HOSTS files, NetBIOS name resolution will fail.
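As an added example (not part of the benchmark text), the following PowerShell audits the effective node type using the precedence described in the Note above (NodeType overrides DhcpNodeType; with neither present, H-node if a WINS server is configured, otherwise B-node). It assumes the standard NetBT Parameters registry location and the NodeType values 1, 2, 4 and 8 for B-, P-, M- and H-node.

```powershell
# Added audit script (not from the CIS benchmark). Assumes the standard NetBT
# registry location and the documented NodeType values: 1 = B-node, 2 = P-node,
# 4 = M-node, 8 = H-node.
$NetBtParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$NodeNames   = @{ 1 = 'B-node'; 2 = 'P-node'; 4 = 'M-node'; 8 = 'H-node' }

function Get-EffectiveNetBtNodeType {
    # Read both registry values; a missing value comes back as $null.
    $props        = Get-ItemProperty -Path $NetBtParams -ErrorAction SilentlyContinue
    $nodeType     = $props.NodeType
    $dhcpNodeType = $props.DhcpNodeType

    if ($null -ne $nodeType) {
        # NodeType (what the GPO writes) overrides anything DHCP handed out.
        $value = [int]$nodeType; $source = 'NodeType registry value'
    } elseif ($null -ne $dhcpNodeType) {
        $value = [int]$dhcpNodeType; $source = 'DhcpNodeType registry value'
    } else {
        # Neither present: H-node if any IP-enabled adapter has a WINS server, else B-node.
        $winsConfigured = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
            Where-Object { $_.WINSPrimaryServer -or $_.WINSSecondaryServer }
        if ($winsConfigured) { $value = 8; $source = 'default (WINS configured)' }
        else                 { $value = 1; $source = 'default (no WINS)' }
    }

    [pscustomobject]@{
        Value     = $value
        NodeType  = $NodeNames[$value]
        Source    = $source
        Compliant = ($value -eq 2)   # 18.4.6 requires P-node
    }
}

function Set-NetBtPNode {
    # Local-registry equivalent of the GPO setting; Group Policy remains the supported
    # route on domain-joined hosts. Takes effect only after a restart, as noted above.
    New-ItemProperty -Path $NetBtParams -Name NodeType -PropertyType DWord -Value 2 -Force | Out-Null
}

$result = Get-EffectiveNetBtNodeType
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning "Finding: NetBT node type is $($result.NodeType), expected P-node."
}
```

Run it elevated; ipconfig /all also reports the effective "Node Type" and can be used to cross-check the result after the restart.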

See Also

https://workbench.cisecurity.org/benchmarks/15301