What is the NetBIOS Name Service, and Why is it Vulnerable to Poisoning Attacks?
When reaching other systems on the network, we tend to think of DNS being the primary way that a Windows computer can translate a name to an IP address. However, there are several other methods available. One of the available name resolution services is the NetBIOS over TCP/IP Name Service (NBT-NS). NBT-NS resolves names using network broadcasts, by using a WINS server, or both. Sounds legacy, right? Well it is! WINS is a deprecated service in the latest versions of Windows Server. However, this name resolution mechanism is still alive and well on today’s Windows networks. And because it is vulnerable to spoofing, it is important to secure against the vulnerabilities that are inherent to the NBT-NS protocol.
As an unauthenticated protocol, NBT-NS is subject to spoofing attacks whereby an attacker can impersonate another system and misdirect the associated network traffic. This type of spoofing would concern administrators that are working to secure their network. In fact, I was securing my “home enterprise” test network by implementing the CIS Benchmark for Windows Server 2016 when I came across the 18.104.22.168 control that discusses this vulnerability.
How to Secure Against This Attack
Since it is far easier for an attacker to spoof a broadcast-based name request than it is to impersonate a WINS server, one of the easiest ways to secure against this vulnerability is to turn off NetBIOS broadcast-based name resolution. To do this, simply add a registry value in the following registry key:
In this registry key, create a DWORD value called: NodeType
Then, set the NodeType value to 2.
This secures the machine by telling Windows to treat itself as a NetBIOS P-node (point-to-point system). These systems will only resolve NBT-NS queries using WINS – no broadcasts will take place. Success!
For more information on the NodeType registry value, see: https://support.microsoft.com/kb/160177
Better Yet: How to Secure Against This Attack Using Group Policy
While it is simple enough to make this configuration change manually and secure one system, it is more convenient to use Group Policy and secure NBT-NS across the enterprise. However, I was surprised to find that there is no Group Policy template that includes this setting. And I could not find the Set-NetBIOS-node-type-KB160177.adm file referenced in the CIS Benchmark. So… I created an ADMX template instead! The Set-NetBIOS-node-type-KB160177.zip file includes an admx template and an English (US) adml file that collectively allow the configuration of the NodeType setting.
For more information on importing ADMX templates, see https://msdn.microsoft.com/en-us/library/bb530196.aspx – I recommend creating a Group Policy Central Store if you have not already done so.
Once imported, open Group Policy Object Editor and navigate to:
Computer Configuration\Policies\Administrative Templates\Network\DNS Client
In here you will see a new setting called NetBIOS Node Type. Once enabled, simply set the node type to P-node, and this will configure the associated NodeType registry value to 2, securing your systems the same as if you had configured it manually. I recommend testing, then deploying this setting to all member servers and workstations.
Finally, I am a big fan of self-documentation, so I spent time documenting the options in the ADMX/ADML. However, if you have questions, drop me a comment!