We’ve created a fixlet to disable NetBIOS on windows servers. We are using this for relevance:
exists ((values "netbiosoptions" of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces" of registry) whose (it as integer != 2))
The Actions are:
// MPS-WINSRV Disable Protocol NetBIOS
waithidden wmic /interactive:off nicconfig where TcpipNetbiosOptions=0 call SetTcpipNetbios 2
waithidden wmic /interactive:off nicconfig where TcpipNetbiosOptions=1 call SetTcpipNetbios 2
This sets the active network connections to the desired value (2) and does indeed disable Netbios on the nics.
Here's the rub. On physical servers, and to a lesser degree on virtual guests, there are a number of NICs listed that are inactive or not bound and are not modified by the wmic commands.
Since the relevance is looking for instances where the key value is not 2, it continues to show relevant. Further complicating this, our security teams want validation that the changes have been applied and they aren't satisfied with the returns.
We’ve been working on this relevance but this isn’t working just yet.
(concatenation of (string values of selects "ipenabled from win32_networkadapterconfiguration" of wmi) as lowercase = "true" as lowercase ) AND (concatenation of (string values of selects "tcpipnetbiosoptions from win32_networkadapterconfiguration" of wmi) as lowercase < "2" as lowercase )
Has anyone delved into the NetBIOS disablement and use a better relevance statement?
I’d follow up the wmic command with a brute-force registry edit. I’d still use both, since WMIC may make the setting take effect immediately on the enabled adapters, and a reg edit probably would not have an effect until the next reboot.
TEST THIS FIRST (I didn’t):
After the WMIC command, I’d continue on with
delete __appendfile
appendfile {concatenation "%0d%0a" of ("reg.exe add %22" & pathname of it & "%22 /v NetbiosOptions /t REG_DWORD /d 2 /F") of keys whose (exists values "NetbiosOptions" whose (it as integer != 2) of it) of keys "HKLM\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces" of registry}
delete DisableNBT.cmd
move __appendfile DisableNBT.cmd
waithidden cmd.exe /c DisableNBT.cmd
Ya know, I think I misinterpreted your question. I took that to mean you were trying to force the registry value even on interfaces that were not IP enabled, but now I think you are looking for a better detection relevance.
q: string values of selects "ipenabled from win32_networkadapterconfiguration" of wmi
A: False
A: False
A: True
A: False
A: False
A: False
A: False
A: False
A: False
A: False
A: False
T: 17.989 ms
I: plural string
q: string values of selects "ipenabled from win32_networkadapterconfiguration where ipenabled='True'" of wmi
A: True
T: 17.517 ms
I: plural string
So retrieving the netbios options only where IPEnabled=True is
q: string values of selects "tcpipnetbiosoptions from win32_networkadapterconfiguration where ipenabled='True'" of wmi
A: 1
T: 17.181 ms
I: plural string
And making a fixlet/task relevant only where NetBIOS is not disabled would be
q: exists string values whose (it != "2") of selects "tcpipnetbiosoptions from win32_networkadapterconfiguration where ipenabled='True'" of wmi
A: True
T: 18.244 ms
I: singular boolean
Or you could also put both filters in the WMI query, helpful if you wanted to check multiple conditions -
q: exists selects "tcpipnetbiosoptions from win32_networkadapterconfiguration where ipenabled='True' and tcpipnetbiosoptions <> 2" of wmi
A: True
T: 18.164 ms
I: singular boolean
In an Analysis, if you wanted to get something useful, you could use something like
q: selects "* from win32_networkadapterconfiguration where ipenabled='True' and tcpipnetbiosoptions <> 2" of wmi
…to get a list of property names/values, and then keep a few useful values like
q: selects "Caption, Description from win32_networkadapterconfiguration where ipenabled='True' and tcpipnetbiosoptions <> 2" of wmi
A: Caption=[00000002] Broadcom NetXtreme Gigabit Ethernet
A: Description=Broadcom NetXtreme Gigabit Ethernet
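As an added validation script (not code from the thread or from JonL), the same per-adapter check written in PowerShell, so the security team can see the live WMI value and the registry value the fixlet relevance inspects side by side. It assumes PowerShell 3 or later and that each adapter's registry subkey is named Tcpip_ followed by the adapter's SettingID GUID.

```powershell
# Added example: report NetBIOS-over-TCP/IP state for every adapter, comparing the live
# WMI value (TcpipNetbiosOptions) with the registry value (NetbiosOptions) per interface.
# 0 = use setting from DHCP, 1 = enabled, 2 = disabled (values as listed in the thread).
$RegBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-NetbiosState {
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | ForEach-Object {
        # TcpipNetbiosOptions is often null on adapters that are not IP-enabled
        $wmiValue = if ($null -ne $_.TcpipNetbiosOptions) { [int]$_.TcpipNetbiosOptions } else { $null }
        $wmiState = switch ($wmiValue) { 0 { 'default (DHCP)' } 1 { 'enabled' } 2 { 'disabled' } default { 'n/a' } }

        # Assumption: the per-interface registry key is named Tcpip_{SettingID}
        $keyPath  = Join-Path $RegBase ('Tcpip_' + $_.SettingID)
        $regValue = $null
        if (Test-Path $keyPath) {
            $regValue = (Get-ItemProperty -Path $keyPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        }

        [pscustomobject]@{
            Description = $_.Description
            IPEnabled   = [bool]$_.IPEnabled
            WmiValue    = $wmiValue
            WmiState    = $wmiState
            RegValue    = $regValue
            # Only IP-enabled adapters matter; they are compliant when both sources read 2.
            # Inactive/unbound adapters are reported but never counted as failures.
            Compliant   = (-not $_.IPEnabled) -or (($wmiValue -eq 2) -and ($regValue -eq 2))
        }
    }
}

# Human-readable report, IP-enabled adapters first
$state = Get-NetbiosState
$state | Sort-Object IPEnabled -Descending | Format-Table -AutoSize

# Non-zero exit when any IP-enabled adapter still has NetBIOS on, so the script
# can double as a validation step after the wmic/reg.exe actions have run
$bad = @($state | Where-Object { -not $_.Compliant })
if ($bad.Count -gt 0) {
    Write-Warning ("NetBIOS still not disabled on {0} IP-enabled adapter(s)" -f $bad.Count)
    exit 1
}
exit 0
```

A mismatch between WmiValue and RegValue on an IP-enabled adapter usually means the wmic call took effect but the registry was not updated yet (or vice versa after a reg.exe edit that is waiting on a reboot).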
Hi JonL. I'm trying to disable NetBIOS on my NICs for PCI and wanted to know if you could give me some guidance on how to make the fixlet to accomplish this. I've never made one before and group policy isn't being nice to me.
I don’t see a 9 up there, I think we’re interested in values 0, 1, or 2.
"0" - use NetBIOS as configured by DHCP
"1" - enabled
"2" - disabled
Yes, I should probably only have the filter for ‘not 2’ on the Fixlet, and remove that filter on the Analysis property. As written above the Analysis would only retrieve the adapters where NetBIOS is not disabled.