Secure Against NetBIOS Name Service (NBT-NS) Poisoning Attacks with Group Policy

What is the NetBIOS Name Service, and Why is it Vulnerable to Poisoning Attacks?

When reaching other systems on the network, we tend to think of DNS as the primary way that a Windows computer translates a name to an IP address. However, there are several other methods available. One of them is the NetBIOS over TCP/IP Name Service (NBT-NS). NBT-NS resolves names using network broadcasts, by querying a WINS server, or both. Sounds legacy, right? Well, it is! WINS is a deprecated service in the latest versions of Windows Server. However, this name resolution mechanism is still alive and well on today’s Windows networks. And because it is vulnerable to spoofing, it is important to secure against the vulnerabilities that are inherent to the NBT-NS protocol.

As an unauthenticated protocol, NBT-NS is subject to spoofing attacks whereby an attacker can impersonate another system and misdirect the associated network traffic. This type of spoofing would concern administrators that are working to secure their network. In fact, I was securing my “home enterprise” test network by implementing the CIS Benchmark for Windows Server 2016 when I came across the control that discusses this vulnerability.

Figure: Example of a NBT-NS poisoning attack, showing why it's important to secure against this type of attack.

How to Secure Against This Attack

Since it is far easier for an attacker to spoof a broadcast-based name request than it is to impersonate a WINS server, one of the easiest ways to secure against this vulnerability is to turn off NetBIOS broadcast-based name resolution. To do this, simply add a registry value in the following registry key:

In this registry key, create a DWORD value called NodeType and set it to 2.

This secures the machine by telling Windows to treat itself as a NetBIOS P-node (point-to-point system). These systems will only resolve NBT-NS queries using WINS – no broadcasts will take place. Success!

For more information on the NodeType registry value, see:

Better Yet: How to Secure Against This Attack Using Group Policy

While it is simple enough to make this configuration change manually and secure one system, it is more convenient to use Group Policy and secure NBT-NS across the enterprise. However, I was surprised to find that there is no Group Policy template that includes this setting. And I could not find the Set-NetBIOS-node-type-KB160177.adm file referenced in the CIS Benchmark. So… I created an ADMX template instead! The download includes an ADMX template and an English (US) ADML file that together allow the configuration of the NodeType setting.

For more information on importing ADMX templates, see – I recommend creating a Group Policy Central Store if you have not already done so.

Once imported, open Group Policy Object Editor and navigate to:
Computer Configuration\Policies\Administrative Templates\Network\DNS Client
In here you will see a new setting called NetBIOS Node Type. Once enabled, simply set the node type to P-node, and this will configure the associated NodeType registry value to 2, securing your systems the same as if you had configured it manually. I recommend testing, then deploying this setting to all member servers and workstations.
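To test that the setting has actually landed, whether you set NodeType by hand as described above or deployed it through the GPO, here is an added PowerShell audit script (my own example here, not code from the ADMX template). It assumes the standard NetBT Parameters key, and that Windows records the DHCP option 46 result in a DhcpNodeType value under that key; the remediation function is left commented out.

```powershell
# Added example (not from the original post): audit, and optionally remediate,
# the NetBIOS node type on the local machine. Run in an elevated session if you
# intend to remediate.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

# NetBIOS node type codes: B = broadcast only, P = WINS only,
# M = broadcast then WINS, H = WINS then broadcast.
$nodeTypes = @{
    1 = 'B-node (broadcast)'
    2 = 'P-node (WINS only)'
    4 = 'M-node (mixed)'
    8 = 'H-node (hybrid)'
}

function Get-NetBiosNodeType {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # A locally configured NodeType (what the registry change or GPO sets)
    # takes precedence over a node type handed out by DHCP option 46.
    if ($null -ne $props.NodeType)     { return @{ Source = 'Registry/GPO';    Value = [int]$props.NodeType } }
    # Assumption: DHCP-supplied node type is stored as DhcpNodeType under the same key.
    if ($null -ne $props.DhcpNodeType) { return @{ Source = 'DHCP option 46'; Value = [int]$props.DhcpNodeType } }
    # Neither set: Windows defaults to B-node (H-node if a WINS server is configured).
    return @{ Source = 'Default'; Value = 0 }
}

function Test-NetBiosBroadcastDisabled {
    $current = Get-NetBiosNodeType
    $name = if ($current.Value -eq 0) { 'not explicitly set' } else { $nodeTypes[$current.Value] }
    Write-Host ("NetBIOS node type: {0} (source: {1})" -f $name, $current.Source)
    # Only P-node never falls back to broadcast, so only a value of 2 counts as secured.
    return ($current.Value -eq 2)
}

function Set-NetBiosPNode {
    # Same effect as the GPO setting: NodeType = 2 (REG_DWORD). NetBT reads it at boot,
    # so a reboot is needed before the change is effective.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'NodeType' -PropertyType DWord -Value 2 -Force | Out-Null
}

if (Test-NetBiosBroadcastDisabled) {
    Write-Host 'OK: NetBIOS broadcast name resolution is disabled on this host.'
} else {
    Write-Warning 'NBT-NS broadcasts are still possible on this host; set NodeType to 2 (P-node) via the registry or GPO.'
    # Uncomment to remediate locally:
    # Set-NetBiosPNode
}
```

Running this across member servers and workstations after the GPO refresh is a quick way to confirm the policy applied everywhere, including to laptops that only receive the setting via Group Policy rather than DHCP.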

Finally, I am a big fan of self-documentation, so I spent time documenting the options in the ADMX/ADML. However, if you have questions, drop me a comment!



  • Stephane December 6, 2017 4:13 am

    Hello Frank,

    Instead of configuring the registry or Group Policy, what about simply setting the DHCP option “046 WINS/NBT Node Type” to “0x2” (P-node)?
    As I understand it, this must disable broadcasts for the clients of this DHCP server.

    • Frank Lesniak December 14, 2017 10:46 am

      Stephane, you are correct that DHCP option 46 is another approach that mitigates this concern. However, keep in mind that if you have mobile workstations (i.e., laptops that travel offsite), adjusting DHCP options in your four walls will not protect them while they are off the corporate network.
