3.101 - The system must be configured to ignore NetBIOS name release requests except from WINS servers.

Information

Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the servers WINS resolution capability.

Solution

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' to 'Enabled'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2008_MS_V6R46_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-21, CAT|III, CCI|CCI-002385, CSCv6|9, Rule-ID|SV-29370r2_rule, STIG-ID|3.101, Vuln-ID|V-4116

Plugin: Windows

Control ID: f946990c683b0d359e59e8d2d4c47522c36b53690d30599a6739e84acfbb7320