Skip to main content

Browse the archive

Raw File
SV-88157.md 
---
scapolite:
    class: rule
    version: '0.51'
id: SV-88157
id_namespace: mil.disa.Windows-Server-2016-STIG
title: Windows Server 2016 must be configured to ignore NetBIOS name release requests
    except from WINS servers.
rule: <see below>
description: <see below>
applicability:
  - system: org.scapolite.xccdf.applicability
    weight: 10.0
    selected: false
    role: ''
    severity: low
implementations:
  - relative_id: F-79947r1
    description: <see below>
    automations:
      - system: org.scapolite.implementation.win_gpo
        ui_path: 'Computer Configuration\Administrative Templates\MSS (Legacy)\MSS:
            (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release
            requests except from WINS servers'
        value: Enabled
        verification_status: Checked.
      - system: org.scapolite.implementation.windows_registry
        config: Computer
        registry_key: System\CurrentControlSet\Services\Netbt\Parameters
        value_name: NoNameReleaseOnDemand
        action: DWORD:1
checks:
  - relative_id: C-73579r1
    description: <see below>
  - relative_id: '01'
    title: OVAL-based check
    description: <see below>
    automations:
      - system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        idref: oval:mil.disa.stig.windows:def:1087
        href: U_MS_Windows_Server_2016_V1R7_STIG_SCAP_1-2_Benchmark-oval.xml
        exports:
          - value_id_namespace: mil.disa.Windows-Server-2016-STIG
            value_idref: no_name_release_on_demand_var
            variable_idref: oval:mil.disa.stig.windows:var:108700
crossrefs:
  - system: http://iase.disa.mil/cci
    idref: CCI-002385
    relation: ''
  - system: http://cce.mitre.org
    idref: CCE-45283-9
    relation: ''
history:
  - version: r1
    action: created
    description: WN16-CC-000070
    internal_comment: ''
---


## /rule

Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers.

## /description

[**VulnDiscussion**]{.separator type='STIG'}

Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability.

[**Documentable**]{.separator type='STIG'}

false

## /implementations/0/description

Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" to "Enabled".

This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.

## /checks/0/description

If the following registry value does not exist or is not configured as specified, this is a finding.

Registry Hive:  HKEY_LOCAL_MACHINE
Registry Path:  \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\

Value Name:  NoNameReleaseOnDemand

Value Type:  REG_DWORD
Value:  0x00000001 (1)

## /checks/1/description

IASE supplies an OVAL check.
back to top