18.3.5 Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'

Information

This setting determines which method NetBIOS over TCP/IP (NetBT) uses to register and resolve names. The available methods are:

The B-node (broadcast) method only uses broadcasts.

The P-node (point-to-point) method only uses name queries to a name server (WINS).

The M-node (mixed) method broadcasts first, then queries a name server (WINS) if broadcast failed.

The H-node (hybrid) method queries a name server (WINS) first, then broadcasts if the query failed.

The recommended state for this setting is: Enabled: P-node (recommended) (point-to-point).

Note: Resolution through LMHOSTS or DNS follows these methods. If the NodeType registry value is present, it overrides any DhcpNodeType registry value. If neither NodeType nor DhcpNodeType is present, the computer uses B-node (broadcast) if there are no WINS servers configured for the network, or H-node (hybrid) if there is at least one WINS server configured.

Rationale:

Setting the node type to P-node (point-to-point) stops the system from sending NetBIOS name broadcasts, which helps mitigate NetBIOS Name Service (NBT-NS) poisoning attacks that rely on answering those broadcasts.

Impact:

NetBIOS name resolution queries will require a defined and available WINS server for external NetBIOS name resolution. If a WINS server is not defined or not reachable, and the desired hostname is not defined in the local cache, local LMHOSTS or HOSTS files, NetBIOS name resolution will fail.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: P-node (recommended):

Computer Configuration\Policies\Administrative Templates\MS Security Guide\NetBT NodeType configuration

Note: This change does not take effect until the computer has been restarted.

Note #2: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required; it is available from Microsoft. Please note that this setting is only available in the Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903 (or newer) release of SecGuide.admx/adml, so if you previously downloaded this template, you may need to update it from a newer Microsoft baseline to get this NetBT NodeType configuration setting.

Default Value:

B-node (broadcast only) if a WINS server is not configured in NIC properties.

H-node (hybrid - point-to-point first, then broadcast) if a WINS server is configured in NIC properties.
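As an added example (not part of the CIS/Tenable audit text), the following PowerShell reports the node type actually in effect by applying the precedence described in the Note and Default Value sections above, and flags the Impact-section failure case of P-node with no WINS server. The registry path and the NodeType values 1/2/4/8 are the documented Windows ones; treating a non-empty WINSPrimaryServer on an IP-enabled adapter (Win32_NetworkAdapterConfiguration) as "WINS configured" is an assumption of this example.

```powershell
# Added example: determine the effective NetBT node type on the local machine.
# Precedence (from the audit text): NodeType overrides DhcpNodeType; if neither
# exists, the default is B-node without WINS and H-node with WINS.
$NodeTypeNames = @{
    1 = 'B-node (broadcast)'
    2 = 'P-node (point-to-point)'
    4 = 'M-node (mixed)'
    8 = 'H-node (hybrid)'
}

function Get-EffectiveNetBTNodeType {
    $paramsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    $props = Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue

    # Assumption: a WINS server is "configured" when any IP-enabled adapter
    # has a primary WINS address set.
    $winsConfigured = [bool](Get-CimInstance Win32_NetworkAdapterConfiguration `
        -Filter 'IPEnabled=TRUE' | Where-Object { $_.WINSPrimaryServer })

    if ($null -ne $props.NodeType) {
        $value = [int]$props.NodeType;     $source = 'NodeType (Group Policy / registry)'
    } elseif ($null -ne $props.DhcpNodeType) {
        $value = [int]$props.DhcpNodeType; $source = 'DhcpNodeType (supplied by DHCP)'
    } elseif ($winsConfigured) {
        $value = 8;                        $source = 'default (WINS server configured)'
    } else {
        $value = 1;                        $source = 'default (no WINS server)'
    }

    $compliant = ($value -eq 2)
    # Impact caveat: P-node with no WINS server means external NetBIOS
    # resolution falls back to cache, LMHOSTS or HOSTS only.
    $warning = if ($compliant -and -not $winsConfigured) {
        'P-node set but no WINS server configured; NetBIOS name resolution will fail'
    } else { $null }

    [pscustomobject]@{
        NodeTypeValue  = $value
        NodeType       = $NodeTypeNames[$value]
        Source         = $source
        WinsConfigured = $winsConfigured
        Compliant      = $compliant
        Warning        = $warning
    }
}

Get-EffectiveNetBTNodeType | Format-List
```

Run in an elevated PowerShell after a restart, since the Group Policy change only takes effect once the computer has rebooted.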

See Also

https://workbench.cisecurity.org/files/3458

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|IA-5, CSCv6|9, CSCv7|9.2, CSCv7|9.3

Plugin: Windows

Control ID: 3f581e6274dc32592b3e62334fade73fa0ee0d2a50205011545536a1f33f2dd5