
Windows - Security - Disable Netbios Over TCP/IP

Disables NetBIOS over TCP/IP on all network interfaces to reduce attack surface and prevent name resolution attacks

Worklet Details

What the NetBIOS Disabler does

This Automox Worklet™ disables NetBIOS over TCP/IP for all IPv4 network interfaces on Windows endpoints. NetBIOS is a legacy networking protocol that provides name resolution and session services, but it introduces security vulnerabilities in modern environments. The Worklet configures the NetbiosOptions registry value to completely disable NetBIOS functionality.

The Worklet modifies the registry at HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\ to set NetbiosOptions to 2 (disabled) for each network adapter. This differs from value 0 (use DHCP setting) or value 1 (enabled), which leave NetBIOS active and vulnerable to attacks.

The configuration applies to all network adapters simultaneously, including Ethernet, Wi-Fi, and virtual adapters. This comprehensive approach prevents gaps where some interfaces might remain vulnerable while others are protected.

Why disable NetBIOS over TCP/IP

NetBIOS Name Service (NBT-NS) is vulnerable to the same poisoning attacks as LLMNR. Attackers use tools like Responder to intercept NBT-NS broadcasts and capture NTLM authentication hashes. Disabling NetBIOS eliminates this attack vector and forces name resolution through DNS, which provides better security and auditing capabilities.

Modern Windows networks rarely require NetBIOS for legitimate operations. Active Directory environments use DNS for name resolution, and SMB file sharing works without NetBIOS when properly configured. Disabling NetBIOS also reduces broadcast traffic on the network and improves overall network efficiency.

CIS Benchmarks recommend disabling NetBIOS as a security hardening measure. The protocol lacks authentication mechanisms, making it trivially exploitable. Organizations pursuing compliance with security frameworks should disable both LLMNR and NetBIOS to fully protect against local name resolution attacks.

How NetBIOS disabling works

  1. Evaluation phase: The Worklet iterates through all subkeys under HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\ and checks the NetbiosOptions value for each network adapter. If any adapter has a value other than 2 (disabled), or if the value is missing, the endpoint requires remediation.

  2. Remediation phase: The Worklet opens each network interface subkey with write permissions and sets the NetbiosOptions DWORD value to 2. This operation repeats for every network adapter on the endpoint, applying the setting regardless of adapter type. The change takes effect immediately without requiring a reboot.
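The two phases above can be sketched in PowerShell as follows. This is an added example, not the Worklet's own script: the -Remediate switch, the Get-NetbiosInterfaceState helper and the exit-code convention (non-zero means remediation is needed or failed) are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not Automox code). Run without switches to evaluate,
# with -Remediate to set NetbiosOptions = 2 on every interface subkey.
param([switch]$Remediate)

$InterfacesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$Disabled      = 2   # 0 = use DHCP setting, 1 = enabled, 2 = disabled

function Get-NetbiosInterfaceState {
    # Hypothetical helper: one object per interface subkey.
    # Value is $null when NetbiosOptions is missing, which counts as non-compliant.
    Get-ChildItem -Path $InterfacesKey -ErrorAction Stop | ForEach-Object {
        $prop  = Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue
        $value = if ($prop) { $prop.NetbiosOptions } else { $null }
        [pscustomobject]@{
            Interface = $_.PSChildName
            Path      = $_.PSPath
            Value     = $value
            Compliant = ($value -eq $Disabled)
        }
    }
}

$nonCompliant = @(Get-NetbiosInterfaceState | Where-Object { -not $_.Compliant })

if (-not $Remediate) {
    # Evaluation phase: report each interface that is not set to 2.
    foreach ($nic in $nonCompliant) {
        $shown = if ($null -eq $nic.Value) { '<missing>' } else { $nic.Value }
        Write-Output ("{0}: NetbiosOptions={1}" -f $nic.Interface, $shown)
    }
    if ($nonCompliant.Count -gt 0) { exit 1 } else { exit 0 }
}

# Remediation phase: write the DWORD on every non-compliant interface.
$failed = 0
foreach ($nic in $nonCompliant) {
    try {
        Set-ItemProperty -Path $nic.Path -Name NetbiosOptions -Value $Disabled -Type DWord -ErrorAction Stop
    } catch {
        Write-Error "Failed to set NetbiosOptions on $($nic.Interface): $_"
        $failed++
    }
}

# Re-read the registry instead of trusting the writes, so a partial failure is visible.
$remaining = @(Get-NetbiosInterfaceState | Where-Object { -not $_.Compliant })
if ($failed -gt 0 -or $remaining.Count -gt 0) { exit 1 }
exit 0
```

Adapters added after the run (a new VPN or virtual adapter, for example) get their own interface subkey, so the evaluation needs to be rerun on a schedule to catch them.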

NetBIOS configuration requirements

  • Windows 7 or later, Windows Server 2008 R2 or later

  • Administrative privileges to modify HKLM registry

  • No legacy applications that depend on NetBIOS name resolution

  • Functioning DNS infrastructure for name resolution services

Expected network behavior after remediation

After remediation, the endpoint stops listening on UDP port 137 (NetBIOS Name Service) and UDP port 138 (NetBIOS Datagram Service). You can verify the change by checking the service status or configuration settings. Name resolution requests route exclusively through DNS. File sharing and other network services continue to function using DNS names or IP addresses.

You can verify the configuration by running nbtstat -n, which should show no registered NetBIOS names. You can also check each adapter's properties in Network Connections, where NetBIOS over TCP/IP should show as Disabled. Consider disabling LLMNR alongside NetBIOS for complete protection against local name resolution poisoning attacks.

How to validate Disable NetBIOS over TCP/IP changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output for Disable NetBIOS over TCP/IP.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to evaluation script logic, such as Test-Registry, Write-Verbose, Write-Error.

  4. Validate remediation effects from script operations such as Test-Registry, Write-Verbose, Write-Error, then rerun evaluation for compliance.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
