3.101 - The system must be configured to ignore NetBIOS name release requests except from WINS servers.

Information

Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the servers WINS resolution capability.

Solution

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' to 'Enabled'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2008_R2_DC_V1R34_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-21, CAT|III, CCI|CCI-002385, CSCv6|9, Rule-ID|SV-32358r2_rule, STIG-ID|3.101, Vuln-ID|V-4116

Plugin: Windows

Control ID: de8abbfd865887f0fce13b62f5fc99f3b9159cee408ac8e4bfdf757e7c96fabe