WN12-SO-000043 - The system must be configured to ignore NetBIOS name release requests except from WINS servers.

Information

Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the servers WINS resolution capability.

Solution

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' to 'Enabled'.

(See 'Updating the Windows Security Options File' in the STIG Overview document if MSS settings are not visible in the system's policy tools.)

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_and_2012_R2_DC_V3R7_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|III, CCI|CCI-002385, Rule-ID|SV-226307r852144_rule, STIG-ID|WN12-SO-000043, STIG-Legacy|SV-52928, STIG-Legacy|V-4116, Vuln-ID|V-226307

Plugin: Windows

Control ID: 7d6121c3e87e7f50b2c2fe9f377e901f29984c2b57bd5930afc8663e4cd1735a