Disabling NBT via DHCP Option 43
- By Joe Astorino
- September 9, 2011
- 4 Comments
Summary
This will be a quick summary of how to disable NetBIOS over TCP/IP (AKA NBT) in an environment where your Cisco router provides DHCP services. First, a little bit of very brief background. NetBIOS is an ancient session layer protocol that was used in early versions of Windows for sharing resources between computers on a LAN. In the old days, NetBIOS relied on another protocol called NetBEUI to provide the transport and network layer functions. As networks evolved, one problem was that NetBEUI was not a routable protocol, but people wanted to use NetBIOS across different IP networks. Thus, NetBIOS over TCP/IP (NBT) was born. NBT effectively encapsulates your NetBIOS traffic inside IP packets so that it can be routed across different networks. This is generally the way Windows networking worked in the old days.
NetBIOS is a terrible protocol by modern standards: it is insecure and relies heavily on broadcasts to function. Microsoft finally realized this, and as of Windows 2000 it allows you to run Windows networking directly on top of TCP. In other words, they moved in the direction of cutting NetBIOS out of the picture. Newer versions of Windows can run SMB directly on TCP port 445 without the need for NetBIOS.
Unfortunately, this is not really the default. The default setting in Windows is to “Use NetBIOS setting from the DHCP server. If static IP address is used or the DHCP server does not provide NetBIOS setting, enable NetBIOS over TCP/IP.” In other words, if you don’t specifically tell your Windows machines to disable NBT, it will remain on. This is likely for backwards compatibility with older systems like NT.
Implementation
So, that brings us to the point of the article — what does “NetBIOS setting from the DHCP server” actually mean? As it turns out, Microsoft implemented a vendor-specific DHCP option to instruct clients to either enable or disable NBT. DHCP option 43 is reserved for vendor-specific information: the DHCP server returns option 43, and inside it you can carry vendor-specific sub-options. You can read about exactly how the vendor-specific sub-options for NBT are structured at the following URL: http://msdn.microsoft.com/en-us/library/cc227276%28v=prot.10%29.aspx
I will give you the basic idea: The DHCP server is configured to return option 43 with the following sub-option structure:
- Vendor specific option code: 0x01
- Vendor specific option length: 0x04
- Vendor specific option data: This can vary based on what you want to do. The data 0x00000002 instructs the client to disable NBT.
With this knowledge, we can set up our Cisco router's DHCP server to hand out option 43 with the correct sub-option to disable NBT. Here is an example of one I have set up:
```
ip dhcp pool LAN
 import all
 network 10.1.10.0 255.255.255.0
 default-router 10.1.10.1
 domain-name astorinonetworks.com
 option 43 hex 0104.0000.0002
```
So, for some reason, IOS formats the sub-option data in dotted groups of two bytes, kind of like a MAC address, but it matches up with the structure above — the first two bytes MUST BE 0x0104 (sub-option code 0x01, length 0x04). The next 3 bytes MUST be 0x000000. Finally, the last byte is 0x02 because we want to disable NBT. When the client gets the DHCP lease, you can run “ipconfig /all” and see if it worked… If it did, you will see NetBIOS over TCP/IP: Disabled
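As an added example that is not part of the original post, the Python below builds the option 43 payload described above, prints it in the dotted-hex form IOS expects after `option 43 hex`, and decodes such a string back into the NBT setting a client would receive. The "enable" value 0x00000001 is taken from the MS-DHCPE document linked above (the post itself only shows the disable value); the function names are my own.

```python
import struct

NBT_SUBOPTION_CODE = 0x01   # Microsoft "Disable NetBIOS" sub-option code inside option 43
NBT_ENABLE = 0x00000001     # MS-DHCPE: 1 = enable NBT (from the spec, not shown in the post)
NBT_DISABLE = 0x00000002    # MS-DHCPE and the post: 2 = disable NBT


def build_option43(disable_nbt: bool = True) -> bytes:
    """Raw option 43 payload: code (1 byte), length (1 byte), value (4 bytes, big-endian)."""
    value = NBT_DISABLE if disable_nbt else NBT_ENABLE
    return struct.pack("!BBI", NBT_SUBOPTION_CODE, 4, value)


def to_ios_hex(payload: bytes) -> str:
    """Format bytes the way IOS wants them after 'option 43 hex': dotted groups of two bytes."""
    digits = payload.hex()
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def from_ios_hex(text: str) -> bytes:
    """Inverse of to_ios_hex: strip the dots and decode the hex digits."""
    return bytes.fromhex(text.replace(".", ""))


def parse_suboptions(payload: bytes) -> dict:
    """Walk the encapsulated sub-options (RFC 2132 code/length/data layout) inside option 43."""
    subs = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == 0xFF:            # optional end marker
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated sub-option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option data")
        subs[code] = data
        i += 2 + length
    return subs


def nbt_setting(ios_hex: str) -> str:
    """Classify an IOS 'option 43 hex' string as 'disabled', 'enabled', 'default' or 'unknown'."""
    data = parse_suboptions(from_ios_hex(ios_hex)).get(NBT_SUBOPTION_CODE)
    if data is None:
        return "default"            # no sub-option 1: Windows falls back to enabling NBT
    if len(data) != 4:
        raise ValueError("sub-option 1 must carry a 4-byte value")
    value = struct.unpack("!I", data)[0]
    return {NBT_ENABLE: "enabled", NBT_DISABLE: "disabled"}.get(value, "unknown")
```

Running `nbt_setting("0104.0000.0002")` on the string from the pool above returns "disabled"; a typo such as a wrong last byte comes back as "unknown" rather than silently passing.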
Now, a quick word of wisdom. If you fire up a packet capture after you make this change, you will STILL SEE a NetBIOS header! There is basically no data in it, essentially just a header and some options that say “don’t use this”. Apparently this is needed for some reason I don’t fully understand, but essentially at that point you have SMB running directly on TCP 445.
Enjoy!
[…] Disabling NBT via DHCP Option 43 – Astorino Networks – I hadn’t thought about NetBIOS defaults when using Cisco IOS DHCP but Joe Astorino has. […]
Great web site you have got here. It’s hard to find high quality writing like yours these days. I seriously appreciate individuals like you! Take care!!
Thanks for this. Great overview and easy fix!
Thanks dude. Really helpful as I needed this fu, even in 2018!