Windows Hardening

Resolving “Windows NetBIOS / SMB Remote Host Information Disclosure” (2020)


Resolving “Windows NetBIOS / SMB Remote Host Information Disclosure” (2019)

Vulnerability scans and penetration tests will often produce a substantial number of issues such as “Windows NetBIOS / SMB Remote Host Information Disclosure”. This is an inherent byproduct of having workstations with NetBIOS enabled. On most modern networks NetBIOS can be disabled in favor of SMB over TCP. Older networks, however, may wish to leave it enabled and accept the risk of hostname disclosure.

Disabling NetBIOS

NetBIOS can be disabled via DHCP or explicitly configured in the network adapter. When configuring via DHCP the client system must also be configured to inherit these settings from the DHCP server. When remediating this vulnerability it is recommended that both the DHCP server and local systems are configured to disable NetBIOS. In Windows environments using a domain and GPO this can be implemented via GPO as well.

Only after being completely sure that this protocol is no longer used can we proceed to disable it in our environment.

Remediation Overview

Option 1 (part 1): Disable NetBIOS over TCP/IP on Windows DHCP Server

  1. Open DHCP Console: Windows - Start - DHCP

  2. In the DHCP Console, go to the name of the server, then IPv4, then Scope. Right click on Scope Options, then left click on Configure Options.

  3. On Scope Options select the Advanced tab. On Vendor class select Microsoft Windows 2000 Options, check the Microsoft Disable Netbios Option and, on Long, type 0x2. Then click OK.

  4. DHCP clients will now be instructed to disable NetBIOS over TCP. We still must continue to part 2 to disable NetBIOS on individual systems.

Option 1 (part 2): Disabling NetBIOS over TCP/IP Manually on Windows 10, Windows 2016 Server, Windows 2019 Server

  1. Click on the Windows Button and then on Settings.

  2. Click on Change adapter options.

  3. Right click on the network adapter, and then left click on Properties.

  4. On Ethernet Properties select Internet Protocol Version 4 (TCP/IPv4) and then click on Properties.

  5. Click on Advanced.

  6. Click on the WINS tab, check Disable NetBIOS over TCP/IP and then click on OK.

NetBIOS is now disabled.
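
The manual steps above can also be scripted. The following PowerShell is an added example, not part of the original article: it reports the NetBIOS over TCP/IP setting of every IP-enabled adapter through the Win32_NetworkAdapterConfiguration WMI class and, when run with the -Disable switch (a name chosen for this example) from an elevated prompt, sets it to Disabled.

```powershell
# Added example (not from the original article). Save as a .ps1, run elevated.
# Without -Disable it only reports; -Disable is a switch name chosen for this example.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Disable)

# Meaning of Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions
$labels = @{ 0 = 'Default (follows DHCP option)'; 1 = 'Enabled'; 2 = 'Disabled' }

$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

$report = foreach ($nic in $adapters) {
    $before = [int]$nic.TcpipNetbiosOptions   # cast: the hashtable keys above are Int32
    $after  = $before
    $rc     = $null

    if ($Disable -and $before -ne 2 -and
        $PSCmdlet.ShouldProcess($nic.Description, 'Disable NetBIOS over TCP/IP')) {
        # Same effect as ticking "Disable NetBIOS over TCP/IP" on the WINS tab
        $rc = (Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = [uint32]2 }).ReturnValue
        # Re-read the adapter so the report shows the stored value, not the intent
        $after = [int](Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
                -Filter "Index = $($nic.Index)").TcpipNetbiosOptions
    }

    [pscustomobject]@{
        Adapter     = $nic.Description
        DHCPEnabled = $nic.DHCPEnabled
        Before      = $labels[$before]
        After       = $labels[$after]
        ReturnCode  = $rc      # 0 = success, 1 = success but reboot required
        # "Default" is only safe if the DHCP server sends the 0x2 option,
        # so only an explicit Disabled (2) counts as compliant here
        Compliant   = ($after -eq 2)
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or management tool flag the host
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Running it with -Disable -WhatIf lists the adapters that would be changed without modifying them.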

Disabling NetBIOS over TCP/IP Manually on Windows XP, Windows Vista, Windows 7, Windows 8, Windows 2000 Server, Windows 2003 Server, Windows 2008 Server and Windows 2012 Server

  1. Open Control Panel.

  2. Click ‘Network and Internet’.

  3. Click ‘Network and Sharing Center’.

  4. Click ‘Change adapter settings’.

  5. Click on the network adapter, and then left click on ‘Properties’.

  6. On Ethernet Properties select ‘Internet Protocol Version 4 (TCP/IPv4)’ and then click on ‘Properties’.

  7. Click on ‘Advanced’.

  8. Click on the ‘WINS’ tab, check ‘Disable NetBIOS over TCP/IP’ and then click on ‘OK’.

Testing if NetBIOS over TCP/IP is disabled

We can check locally whether NetBIOS is disabled by typing ipconfig /all in a command prompt window.


We can also test whether a remote system has NetBIOS enabled with the command nbtstat -a "ip address of the remote host to test". In the example below, the system with the IP address 10.161.65.24 has NetBIOS enabled, so we can see the hostname of the remote system.

[Screenshot: nbtstat output with NetBIOS enabled]

After NetBIOS is disabled on the remote host called QA-WIN7VM-IE9 with the IP address 10.161.65.24, if we run the same command from a system in the same network we should see results like this.

[Screenshot: nbtstat output with NetBIOS disabled]

Checking open ports with Nmap tool

With the Nmap tool we can check whether ports 137, 139 and 445 are open with the following command:

nmap -p137,139,445 --script smb-security-mode ip-address

In the following example, a port scan of the IP address 10.161.64.149 shows that ports 139 and 445 are open.

In the following example, a port scan has been made of the same IP address after applying firewall rules and/or a regedit modification. (Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.)
