Disabling NetBIOS via ConfigMgr DSC


Background

If you’ve ever studied IT security you’ll know that one task you need to complete on your network is to disable NetBIOS.  The NetBIOS API dates back to 1983 and is often left enabled for fear of breaking legacy applications and systems.  From a security perspective NetBIOS can mostly be considered a reconnaissance risk and so should be disabled.  For more information check out:

NetBIOS Over TCP/IP (Microsoft)

Securing Windows Workstations: Developing a Secure Baseline

With NetBIOS enabled one can remotely query devices, without authentication, to reveal information about the host.

The simplest way to disable NetBIOS on your Windows clients is via DHCP option 001.  You will find information on how to do this elsewhere.  But what if you have no control over the DHCP server or you want to ensure that it stays disabled if the device is connected to other networks?

A ConfigMgr configuration item can be created to discover the state of NetBIOS and then remediate it if required.

Discovery

The code below will discover any network adapters which are IP enabled and return their NetBIOS options.  This can return one of three values:

  • EnableNetbiosViaDhcp (0)
  • EnableNetbios (1)
  • DisableNetbios (2)

 

 

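# Discovery: report the NetBIOS setting of every IP-enabled adapter
$adapters = $null
$adapters = (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'ipenabled = "true"')
foreach ($nic in $adapters) {
    # 0 = EnableNetbiosViaDhcp, 1 = EnableNetbios, 2 = DisableNetbios
    Write-Host $nic.TcpipNetbiosOptions
}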

 

 

For compliance, we are looking for a return code of 2 (DisableNetbios).

Remediation

If we discover any adapters which do not return a value of 2 we will run the following to remediate and disable NetBIOS.

 

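# Remediation: disable NetBIOS on every IP-enabled adapter that is not already set to 2
$nics = $null
$nics = (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'ipenabled = "true"')
foreach ($nic in $nics) {
    if ($nic.TcpipNetbiosOptions -ne 2) {
        # 2 = DisableNetbios
        $nic.SetTcpipNetbios(2)
    }
}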

Baseline

Simply create a configuration item with the above scripts.  Then make a baseline which includes the configuration item and deploy.  Sit back and watch your devices disable NetBIOS the next time they evaluate their compliance data.
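
The discovery script above writes one line per adapter, while the compliance rule looks for the single value 2, so a device with several IP-enabled adapters needs its results collapsed into one value. The following is an added example, not part of the original post, that does this and also checks the result of each remediation call; the function names are hypothetical, and it assumes the WMI ReturnValue convention of 0 for success and 1 for success with a reboot required.

```powershell
# Added example (not from the original post). Function names are hypothetical.

function Get-NetbiosComplianceValue {
    # Discovery: return ONE value for the whole device.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'ipenabled = "true"')

    # Any adapter not explicitly set to 2 (DisableNetbios) makes the device non-compliant.
    $bad = @($nics | Where-Object { $_.TcpipNetbiosOptions -ne 2 })

    # No offending adapters (or no IP-enabled adapters at all): report compliant.
    if ($bad.Count -eq 0) { return 2 }

    # Otherwise report the first offending setting:
    # 0 (EnableNetbiosViaDhcp) or 1 (EnableNetbios).
    return [int]$bad[0].TcpipNetbiosOptions
}

function Disable-NetbiosOnAdapters {
    # Remediation: set every non-compliant adapter to 2 and count failures.
    $failed = 0
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'ipenabled = "true"')

    foreach ($nic in $nics) {
        if ($nic.TcpipNetbiosOptions -ne 2) {
            $result = $nic.SetTcpipNetbios(2)

            # Assumption: 0 = success, 1 = success (reboot required); higher values are errors.
            if ($result.ReturnValue -gt 1) {
                Write-Warning "Adapter '$($nic.Description)' returned $($result.ReturnValue)"
                $failed++
            }
        }
    }
    return $failed
}

# Discovery script body: emit the single value the compliance rule compares against 2.
Get-NetbiosComplianceValue

# Remediation script body (use in the remediation script instead of the line above):
# Disable-NetbiosOnAdapters
```

Because the filter only matches adapters that are IP enabled at evaluation time, an adapter that comes up later is picked up on the next compliance evaluation.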
