Disable NetBIOS and LMHOSTS look up via PowerShell and SCCM configuration baseline

This article shows how to disable NetBIOS and LMHOSTS look up via PowerShell and via an SCCM Configuration Baseline.

There are lots of reasons to disable NetBIOS and LMHOSTS lookup, from both a performance and a security perspective. I don’t want to go into detail here; you can find tons of articles about that topic on the Internet. In this article, I want to quickly demonstrate how NetBIOS and LMHOSTS look up can be disabled by using PowerShell and via an SCCM Configuration Baseline with automatic remediation.

Let’s start with PowerShell… OK, it’s actually not only PowerShell, we also need a bit of WMI. Run the following script in an elevated PowerShell window on the host where you want to disable NetBIOS and LMHOSTS look up. It should basically work with every PowerShell version. (This script disables NetBIOS and LMHOSTS look up on all NICs.)

$NICS = Get-WmiObject Win32_NetworkAdapterConfiguration
foreach ($NIC in $NICS) {
    $NIC.SetTcpipNetbios(2)         # 2 = disable NetBIOS on this interface
    $NIC.EnableWINS($false, $false) # DNS for WINS resolution = off, LMHOSTS look up = off
}

Line 3 disables NetBIOS on the specified NIC. For reference, see reference 1.

Line 4 disables LMHOSTS look up. For reference, see reference 2.

To verify this on your server or workstation, go to Control Panel -> Network and Sharing Center -> Change Adapter Settings. Right-click the Ethernet adapter, then Properties -> Internet Protocol Version 4 (TCP/IPv4) -> Properties -> Advanced… -> WINS. It should look like this now:

OK, so this script disables NetBIOS and LMHOSTS look up on all NICs currently present in the server/workstation. But what if you add an external USB NIC? Or if you replace the NIC? Or, in a VM, add a second NIC? After hardware changes like these, you need to run the script again. This is the point where SCCM kicks in with its Configuration Baselines.

A Configuration Baseline in SCCM is basically a desired state configuration. It can not only monitor settings, it can also remediate them. A few months ago I created a Configuration Baseline for SCCM, which can monitor and remediate NetBIOS and LMHOSTS look up settings on every Windows Server or Workstation which runs a recent version of PowerShell.

Configuration Baselines in SCCM can be a bit hard to understand if it’s the first time you want to create one. You can download my Configuration Baseline below and import it into your SCCM.

DOWNLOAD CONFIGURATION BASELINE (4kb, zipped)

To import this baseline, open the SCCM console and navigate to Assets and Compliance -> Compliance Settings -> Configuration Baselines. Then, go to Import Configuration Data.

Import Configuration Baseline in SCCM

In the import wizard, click Add… and point to the previously downloaded .cab file. You will receive a warning that the publisher could not be verified. This is normal as I haven’t signed it. If you don’t trust me, you can find the necessary scripts at the end of the article 😉

Security Warning when importing SCCM configuration baseline

On the next page, you see what items will be imported:

Configuration baseline import wizard

You should have a new Configuration Item (CI – Disable NetBIOS) and a new Configuration Baseline (CB – Global – Disable NetBIOS) in SCCM now:

Configuration Item “CI – Disable-NetBIOS”
Configuration Baseline “CB – Global – Disable NetBIOS”

The magic happens inside the Configuration Item (CI – Disable NetBIOS). It consists of 2 settings. One checks a specific registry key to see if LMHOSTS look up is enabled or not. The other one is a short PowerShell script to check NetBIOS state.

The first one is named SE-LMHOSTS lookup and will be described below:

SE – LMHOSTS look up settings
This setting monitors the registry value EnableLMHOSTS under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters. If LMHOSTS look up is disabled, the value should be 0.

LMHOSTS registry key
Compliance Rules for LMHOSTS lookup CI setting

The second one is SE-NetBIOS and consists of 2 scripts: (1) a discovery script and (2) a remediation script. You can find both scripts below.

SE-NetBIOS discovery and remediation script settings

1. SE-NetBIOS discovery script
To verify if NetBIOS is enabled on a NIC, we need a few lines of PowerShell. Since servers or workstations can have multiple NICs, we need to query the registry for all existing adapters:

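# Force an array so .Count is reliable even when only one interface key exists
$interfaces = @(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\TCPIP*)
$i = 0

foreach ($interface in $interfaces) {
    # NetbiosOptions: 0 = default (DHCP), 1 = enabled, 2 = disabled
    $i += $interface.NetbiosOptions
}

# The sum equals 2 per interface only if NetBIOS is disabled on all of them
if ($interfaces.Count * 2 -eq $i) {
    # netbios disabled
    return 0
}
else {
    # netbios enabled
    return 1
}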

2. SE – NetBIOS remediation script
This script simply changes the registry value to 2, which means that NetBIOS is disabled on that NIC.

Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\TCPIP* -Name NetBIOSoptions -Value 2
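
To see which adapter is out of compliance rather than a single 0/1 result, the following added example (not one of the author's baseline scripts) reads the same NetBT registry values per interface and resolves each Tcpip_{GUID} subkey to an adapter name through the SettingID property of Win32_NetworkAdapterConfiguration. The variable names and the treatment of a missing NetbiosOptions value as 0 are assumptions of this example.

```powershell
# Added example: per-interface audit of NetBIOS and LMHOSTS look up state.
$netbt   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$meaning = @{ 0 = 'Default (DHCP decides)'; 1 = 'Enabled'; 2 = 'Disabled' }

# Map each adapter's SettingID ({GUID}) to its description so the registry
# subkeys named Tcpip_{GUID} can be shown with a readable adapter name.
$names = @{}
foreach ($cfg in @(Get-WmiObject Win32_NetworkAdapterConfiguration)) {
    if ($cfg.SettingID) { $names[$cfg.SettingID] = $cfg.Description }
}

$report = @(
    foreach ($key in @(Get-ChildItem -Path "$netbt\Interfaces")) {
        if ($key.PSChildName -notlike 'Tcpip_*') { continue }
        $guid = $key.PSChildName -replace '^Tcpip_', ''
        # Assumption of this example: a missing NetbiosOptions value counts as 0.
        $opt  = [int](Get-ItemProperty -Path $key.PSPath).NetbiosOptions
        New-Object PSObject -Property @{
            Adapter        = $names[$guid]   # empty if no matching adapter exists
            Interface      = $guid
            NetbiosOptions = $opt
            State          = $meaning[$opt]
            Compliant      = ($opt -eq 2)    # same rule as the discovery script
        }
    }
)

# Same rule as the SE-LMHOSTS setting: EnableLMHOSTS must be 0.
$lmhosts   = (Get-ItemProperty -Path $netbt).EnableLMHOSTS
$lmhostsOk = ($null -ne $lmhosts) -and ($lmhosts -eq 0)

$report |
    Select-Object Adapter, Interface, NetbiosOptions, State, Compliant |
    Format-Table -AutoSize
"EnableLMHOSTS = $lmhosts (compliant: $lmhostsOk)"

# Overall verdict: every interface must be at 2 and LMHOSTS look up must be off.
$bad = @($report | Where-Object { -not $_.Compliant })
if ($bad.Count -eq 0 -and $lmhostsOk) {
    'Result: compliant'
}
else {
    "Result: non-compliant ($($bad.Count) interface(s) with NetBIOS not disabled)"
}
```

The script only reads state, so it can be run before and after the baseline is evaluated to confirm what remediation changed.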

That’s it, basically. If you have imported my Configuration Baseline, you can deploy it to a test collection now. If you want to remediate the settings, don’t forget to enable the “Remediate noncompliant rules when supported” setting:

On the next Machine Policy refresh cycle, you will find the new baseline in the SCCM agent under Configurations:

SCCM agent Configurations tab

Depending on the deployment, it may take a while until SCCM automatically evaluates the baseline. To speed up the process, you can also hit Evaluate and check the report.

Have fun!

References

  1. https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/settcpipnetbios-method-in-class-win32-networkadapterconfiguration
  2. https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/enablewins-method-in-class-win32-networkadapterconfiguration
  3. DOWNLOAD CONFIGURATION BASELINE (4kb, zipped)