Background
If you’ve ever studied IT security you’ll know that one task you need to complete on your network is to disable NetBIOS. The NetBIOS API dates back to 1983 and is often left enabled for fear of breaking legacy applications and systems. From a security perspective NetBIOS can mostly be considered a reconnaissance risk and so should be disabled. For more information check out:
NetBIOS Over TCP/IP (Microsoft)
Securing Windows Workstations: Developing a Secure Baseline
With NetBIOS enabled one can remotely query devices, without authentication, to reveal information about the host.
The simplest way to disable NetBIOS on your Windows clients is via DHCP option 001. You will find information on how to do this elsewhere. But what if you have no control over the DHCP server or you want to ensure that it stays disabled if the device is connected to other networks?
A ConfigMgr configuration item can be created to discover the state of NetBIOS and then remediate it if required.
Discovery
The script below finds every IP-enabled network adapter and returns its NetBIOS option. The value is one of three:
- EnableNetbiosViaDhcp (0)
- EnableNetbios (1)
- DisableNetbios (2)
```powershell
# Enumerate every IP-enabled adapter and print its NetBIOS over TCP/IP setting (0, 1 or 2)
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = "true"'
foreach ($nic in $adapters) {
    Write-Host $nic.TcpipNetbiosOptions
}
```
For compliance, we are looking for a return code of 2 (DisableNetbios).
Remediation
If we discover any adapters which do not return a value of 2 we will run the following to remediate and disable NetBIOS.
```powershell
# Set NetBIOS over TCP/IP to DisableNetbios (2) on every IP-enabled adapter that is not already there
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = "true"'
foreach ($nic in $nics) {
    if ($nic.TcpipNetbiosOptions -ne 2) {
        $nic.SetTcpipNetbios(2)
    }
}
```
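As an added example (not code from the original post), here are the discovery and remediation steps folded into one script that returns a single value for the CI rule and cross-checks the WMI property against the NetBT registry key the setting is stored in. The CI layout (Script setting, String data type, rule "value equals Compliant") and the function names are assumptions.

```powershell
# Added example, not the post's own code. Assumed CI setup: Script setting,
# data type String, compliance rule "value equals Compliant".
$DisableNetbios = 2   # TcpipNetbiosOptions / NetbiosOptions value for DisableNetbios

function Get-IpEnabledAdapter {
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
}

function Test-NetbiosCompliance {
    $findings = foreach ($nic in Get-IpEnabledAdapter) {
        # Registry value backing the WMI property, keyed by the adapter GUID
        $regPath  = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_$($nic.SettingID)"
        $regValue = (Get-ItemProperty -Path $regPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions

        # A missing registry value ($null) is treated as non-compliant on purpose (fail closed)
        if ($nic.TcpipNetbiosOptions -ne $DisableNetbios -or $regValue -ne $DisableNetbios) {
            "$($nic.Description): WMI=$($nic.TcpipNetbiosOptions) Registry=$regValue"
        }
    }
    if (-not $findings) { 'Compliant' } else { 'Non-Compliant: ' + ($findings -join '; ') }
}

function Set-NetbiosDisabled {
    foreach ($nic in Get-IpEnabledAdapter) {
        if ($nic.TcpipNetbiosOptions -ne $DisableNetbios) {
            # Same WMI method the post calls, invoked through CIM; ReturnValue 0 means success
            $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                          -Arguments @{ TcpipNetbiosOption = [uint32]$DisableNetbios }
            if ($result.ReturnValue -ne 0) {
                Write-Warning "SetTcpipNetbios failed on $($nic.Description) with code $($result.ReturnValue)"
            }
        }
    }
}

# Discovery script: emit exactly one value for the CI rule to compare
Test-NetbiosCompliance
# Remediation script: paste the same block with the next line uncommented
# Set-NetbiosDisabled
```

The single output string keeps the rule evaluation unambiguous on multi-adapter hosts, and the adapter detail in the non-compliant string tells you which interface is still answering on NetBIOS when you read the compliance report.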
Baseline
Simply create a configuration item with the above scripts. Then make a baseline which includes the configuration item and deploy. Sit back and watch your devices disable NetBIOS the next time they evaluate their compliance data.