Disabling NBT via DHCP Option 43

Summary

This will be a quick summary of how to disable NetBIOS over TCP/IP (AKA NBT) in an environment where your Cisco router provides DHCP services. First, a little bit of very brief background. NetBIOS is an ancient session layer protocol that was used in early versions of Windows for sharing resources between computers on a LAN. In the old days, NetBIOS utilized another protocol called NetBEUI to provide the transport and network layer functions. As networks evolved, one problem was that NetBEUI was not a routable protocol, but people wanted to use it across different IP networks. Thus, NetBIOS over TCP/IP (NBT) was born. NBT effectively encapsulates your NetBIOS traffic inside IP packets, so you can route it across different networks. This is generally the way Windows networking worked in the old days.

NetBIOS is a terrible protocol by modern standards, as it is insecure and relies heavily on broadcasts to function. Microsoft finally realized this, and as of Windows 2000 it allows you to run Windows networking directly on top of TCP. In other words, they moved in the direction of cutting NetBIOS out of the picture. Newer versions of Windows can run SMB directly on TCP port 445 without the need for NetBIOS.

Unfortunately, this is not really the default. The default setting in Windows is to “Use NetBIOS setting from the DHCP server. If static IP address is used or the DHCP server does not provide NetBIOS setting, enable NetBIOS over TCP/IP.” In other words, if you don’t specifically tell your Windows machines to disable NBT, it will remain on. This is likely for backwards compatibility with older systems like NT.

Implementation

So, that brings us to the point of the article — what does “NetBIOS setting from the DHCP server” mean? As it turns out, Microsoft implemented a vendor specific DHCP option to instruct clients to either enable or disable NBT. DHCP option 43 is for vendor specific options. Basically, the DHCP server can return option 43, and inside option 43 you can have vendor specific sub-options. You can read about exactly how the vendor specific sub-options for NBT are structured at the following URL: http://msdn.microsoft.com/en-us/library/cc227276%28v=prot.10%29.aspx

I will give you the basic idea:  The DHCP server is configured to return option 43 with the following subcode structure:

Vendor specific option code: 0x01

Vendor specific option length: 0x04

Vendor specific option data: this varies based on what you want to do. The data 0x00000002 instructs the client to disable NBT.

With this knowledge, we can set up our Cisco router DHCP server to hand out option 43 with the correct sub-option to disable NBT. Here is an example of one I have set up:

ip dhcp pool LAN
   import all
   network 10.1.10.0 255.255.255.0
   default-router 10.1.10.1
   domain-name astorinonetworks.com
   option 43 hex 0104.0000.0002

So, for some reason, IOS formats the sub-option data kind of like a MAC address, but it matches up: the first two bytes MUST BE 0x0104 (sub-option code 0x01, length 0x04). The next 3 bytes MUST be 0x000000. Finally, the last byte is 0x02 because we want to disable NBT. When the client gets the DHCP lease, you can run “ipconfig /all” to see if it worked. If it did, you will see “NetBIOS over TCP/IP: Disabled”.
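To make the byte layout above concrete, here is an added example (not from the original post or from Cisco/Microsoft) that encodes the option 43 sub-option, renders it in the dotted hex form IOS expects, and parses an option 43 payload back into the NBT setting, so you can check what a DHCP server is actually handing out. The 0x00000001 “enable” value and the sample payloads are assumptions/constructed.

```python
import struct

# Microsoft vendor-specific sub-option (inside DHCP option 43) for the NBT setting.
NBT_SUBOPTION = 0x01
NBT_DISABLE = 0x00000002   # value the page gives for "disable NetBIOS over TCP/IP"
NBT_ENABLE = 0x00000001    # assumption: the corresponding "enable" value from MS-DHCPE

def build_option43_nbt(disable: bool = True) -> bytes:
    """Encode the sub-option TLV: code 0x01, length 0x04, 4-byte big-endian value."""
    value = NBT_DISABLE if disable else NBT_ENABLE
    return struct.pack("!BBI", NBT_SUBOPTION, 4, value)

def to_ios_hex(payload: bytes) -> str:
    """Render bytes the way IOS 'option 43 hex' expects: 16-bit groups joined by dots."""
    hexstr = payload.hex()
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))

def parse_option43(payload: bytes) -> dict:
    """Walk the vendor-specific sub-option TLVs; reject truncated encodings."""
    subopts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if i + 1 >= len(payload):
            raise ValueError("sub-option %#x has no length byte" % code)
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("sub-option %#x truncated" % code)
        subopts[code] = data
        i += 2 + length
    return subopts

def nbt_setting(payload: bytes) -> str:
    """Report what the option tells a Windows client to do with NBT."""
    data = parse_option43(payload).get(NBT_SUBOPTION)
    if data is None:
        return "absent"          # client falls back to its default (NBT enabled)
    if len(data) != 4:
        raise ValueError("NBT sub-option must carry exactly 4 bytes")
    value = struct.unpack("!I", data)[0]
    return {NBT_DISABLE: "disabled", NBT_ENABLE: "enabled"}.get(value, "unknown")

# Constructed samples: the page's IOS string, and a payload with an unrelated sub-option first.
PAGE_OPTION = bytes.fromhex("0104.0000.0002".replace(".", ""))
MIXED_OPTION = b"\x02\x02\xab\xcd" + build_option43_nbt(disable=True)

if __name__ == "__main__":
    print(to_ios_hex(build_option43_nbt()), nbt_setting(PAGE_OPTION), nbt_setting(MIXED_OPTION))
```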

Now, a quick word of wisdom. If you fire up a packet capture after you make this change, you will STILL SEE the NetBIOS header! There is basically no data, essentially just a header and some options that say “don’t use this”. Apparently this is needed for some reason I don’t fully understand, but essentially at that point you have SMB running directly on TCP 445.

Enjoy!

4 Comments

  • Eric says:

    Thanks for this. Great overview and easy fix!

  • Paul says:

    Thanks dude. Really helpful as I needed this fu, even in 2018!