3.101 - The system must be configured to ignore NetBIOS name release requests except from WINS servers.

Information

Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability.

Solution

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' to 'Enabled'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2008_DC_V6R47_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-21, CAT|III, CCI|CCI-002385, CSCv6|9, Rule-ID|SV-29370r2_rule, STIG-ID|3.101, Vuln-ID|V-4116

Plugin: Windows

Control ID: 7c953326a3c15dc8ff3edbdc550a00047ffddc15fdd8b79e2d0ff9fec9edc1cc