Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Tuesday, August 27, 2019 3:20 PM
I'm testing turning on Windows Firewall and I have logging enabled to log drops. I'm seeing a lot of broadcast UDP traffic on ports 137 and 138 being dropped that is coming from other workstations on the same network segment. I've already configured DHCP to set the NETBIOS setting to disable NETBIOS over TCP/IP, and I've verified that the setting has been disabled on the workstation NIC. Any ideas why these workstations would still be sending out NETBIOS broadcasts, or where else I can look to turn the broadcasts off?
All replies (6)
Wednesday, August 28, 2019 2:14 AM
Hi,
Thanks for your posting in this forum.
NetBIOS uses these ports:
UDP 137: NetBIOS name service
UDP 138: NetBIOS datagram service
TCP 139: NetBIOS session service
The method Disable NetBIOS over TCP/IP does not disable NetBIOS completely. It disables NetBIOS Session Service(which listens on TCP port 139).
If you want to disable NetBIOS completely, please refer to the following links:
http://woshub.com/how-to-disable-netbios-over-tcpip-and-llmnr-using-gpo/
Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.
Hope it helps.
Best regards,
Abby
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, August 28, 2019 2:49 PM
Thank you for the response. I have already implemented the steps mentioned in the provided link. Implementing the GPO to turn off LLMNR did remove the multicasting traffic on UDP port 5355 we were seeing. I've turned on the DHCP option on our DHCP server to disable NeTBIOS. I also have a SCCM configuration baseline to set the NIC properties on our workstations to disable NeTBIOS. But, I'm still see UDP traffic on port 137 and 138 being broadcast out from our workstations.
Thursday, August 29, 2019 1:31 AM
Hi,
Thanks for your update.
Did you try to disable NetBIOS for specific network adapter in the registry mentioned in this article? And to completely disbale NetBIOS, please do this for all network adapters.
Best regards,
Abby
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Thursday, August 29, 2019 2:47 PM
Yes. That's what the SCCM configuration baseline I mentioned in my previous post is doing. It goes through each interface on the device and sets the NetBIOSOption to 2 in the registry.
Thursday, August 29, 2019 4:50 PM
I'm wondering could this traffic be because File and Printer sharing is enabled on the NIC properties of the device?
Monday, September 2, 2019 8:11 AM
Hi,
This is a quick note to let you know that i am currently performing research on this issue and will get back to you as soon as possible.
Appreciate your patience.
Best regards,
Abby
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].