NetBT NodeType Configuration and Security Risks
NetBT (NetBIOS over TCP/IP) is a legacy Windows networking feature used for name resolution in older environments. While still present in many systems by default, NetBT is largely unnecessary in modern Active Directory networks and can introduce avoidable security risks if misconfigured.
NetBT is essential for integrating legacy systems, enabling older applications and devices that rely on NetBIOS to communicate seamlessly with modern TCP/IP networks. It bridges the gap between old and new technologies, ensuring smooth integration and continued functionality.
What is a NetBIOS node type?
A NetBIOS node type defines how a computer resolves a NetBIOS name into an IP address. It provides administrators with the flexibility to configure the order and method for resolving NetBIOS names to IP addresses on a client.
What is node type in Windows IP configuration?
The table shows the name resolution method for each node type:
| Node type | Resolve name to IP address |
| --- | --- |
| Broadcast | Uses NetBIOS name queries. |
| Peer2Peer | Uses a NetBIOS name server (NBNS), for example, Windows Internet Name Service (WINS). |
| Mixed | Attempts to resolve by first using NetBIOS name queries and then using an NBNS. |
| Hybrid | Attempts to resolve by first using an NBNS and then using a NetBIOS name query. |
Fields
| Name | Value | Description |
| --- | --- | --- |
| Broadcast | 1 | Node type broadcast |
| Hybrid | 8 | Node type hybrid |
| Mixed | 4 | Node type mixed |
| Peer2Peer | 2 | Node type peer-to-peer |
| Unknown | 0 | Node type unknown |
NetBIOS Node Type values via Group Policy
0. B-node
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SYSTEM\CurrentControlSet\Services\NetBT\Parameters |
| Value Name | NodeType |
| Value Type | REG_DWORD |
| Value | 1 |
1. P-node
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SYSTEM\CurrentControlSet\Services\NetBT\Parameters |
| Value Name | NodeType |
| Value Type | REG_DWORD |
| Value | 2 |
2. M-node
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SYSTEM\CurrentControlSet\Services\NetBT\Parameters |
| Value Name | NodeType |
| Value Type | REG_DWORD |
| Value | 4 |
3. H-node
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SYSTEM\CurrentControlSet\Services\NetBT\Parameters |
| Value Name | NodeType |
| Value Type | REG_DWORD |
| Value | 8 |
In modern environments, DNS should handle name resolution, and NetBT should either be disabled entirely or restricted to H-node only if legacy compatibility is required.
NetBIOS over TCP/IP Security Vulnerabilities
NetBT is suitable for LANs under organizational control but not for less trusted networks like the Internet. For instance, the NetBIOS Name Service (NBNS) on UDP or TCP port 137 allows any computer to register its hostname, enabling attackers to impersonate services and potentially launch middleperson attacks, compromising network credentials. Additionally, exposing NetBT on the Internet reveals that the host is running Windows, making it a target for OS-specific attacks.
NetBT NodeType Configuration
To help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, set the node type to P-node (point-to-point), which prevents the system from sending out NetBIOS broadcasts.
The recommended state for this setting is: Enabled: P-node (recommended) (point-to-point).
Note: Resolution through LMHOSTS or DNS follows these methods. If the NodeType registry value is present, it overrides any DhcpNodeType registry value. If neither NodeType nor DhcpNodeType is present, the computer uses B-node (broadcast) if there are no WINS servers configured for the network, or H-node (hybrid) if there is at least one WINS server configured.
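The precedence described in the note above can be checked on a host with a short audit script. This is an added example, not code from the original page or from Microsoft; it assumes DhcpNodeType sits in the same NetBT\Parameters key as NodeType and detects WINS through the Win32_NetworkAdapterConfiguration CIM class, and the function names Get-RegValue and Resolve-NodeType are hypothetical.

```powershell
# Added example: report the configured and effective NetBT node type on this host.
# Assumption: DhcpNodeType is stored in the same key as NodeType.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$names = @{ 1 = 'B-node (broadcast)'; 2 = 'P-node (peer-to-peer)'
            4 = 'M-node (mixed)';     8 = 'H-node (hybrid)' }

function Get-RegValue($Props, $Name) {
    # Return the registry value, or $null when it is not present.
    $p = $Props.PSObject.Properties[$Name]
    if ($p) { $p.Value } else { $null }
}

function Resolve-NodeType {
    # Precedence from the note: NodeType overrides DhcpNodeType; with neither
    # present the default is H-node when WINS is configured, otherwise B-node.
    param($NodeType, $DhcpNodeType, [bool]$HasWins)
    if ($null -ne $NodeType)     { return [pscustomobject]@{ Value = [int]$NodeType;     Source = 'NodeType' } }
    if ($null -ne $DhcpNodeType) { return [pscustomobject]@{ Value = [int]$DhcpNodeType; Source = 'DhcpNodeType' } }
    if ($HasWins)                { return [pscustomobject]@{ Value = 8; Source = 'default (WINS configured)' } }
    return [pscustomobject]@{ Value = 1; Source = 'default (no WINS configured)' }
}

$props        = Get-ItemProperty -Path $key -ErrorAction Stop
$nodeType     = Get-RegValue $props 'NodeType'
$dhcpNodeType = Get-RegValue $props 'DhcpNodeType'

# Assumption: an IP-enabled adapter with a primary or secondary WINS server
# counts as "at least one WINS server configured".
$hasWins = [bool](Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.WINSPrimaryServer -or $_.WINSSecondaryServer })

$eff   = Resolve-NodeType -NodeType $nodeType -DhcpNodeType $dhcpNodeType -HasWins $hasWins
$label = $names[$eff.Value]
if (-not $label) { $label = "unknown ($($eff.Value))" }

# Only P-node (2) avoids broadcast name queries; B, M and H all use them.
# This reflects the configured state; a change applies after a restart.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    NodeType        = $nodeType
    DhcpNodeType    = $dhcpNodeType
    WinsConfigured  = $hasWins
    Effective       = $label
    DecidedBy       = $eff.Source
    SendsBroadcasts = ($eff.Value -ne 2)
    Compliant       = ($eff.Value -eq 2)
}
```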
Remediate NetBT NodeType Configuration
To establish the recommended configuration via GP, set the following UI path to Enabled: P-node (recommended):
| Computer Configuration\Policies\Administrative Templates\MS Security Guide\NetBT NodeType configuration |
Note: This change does not take effect until the computer has been restarted.
Note #2: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required; it is available from Microsoft. This setting is only available in the Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903 (or newer) release of SecGuide.admx/adml.
Automated Hardening for NetBT NodeType
The optimal node type configuration will vary depending on your specific network topology, device roles, and usage patterns. Analyzing your network's needs carefully means repeatedly configuring nodes across multiple devices and experimenting with different configurations to find the best balance between performance and security.
Automating the hardening process ensures the uniform application of policies and settings to all NetBIOS nodes, eliminating the reliance on administrators to manually configure each node securely. This not only enhances consistency but also mitigates the risk of configuration errors. An automated hardening approach aids in regulatory compliance and supports comprehensive risk analysis reporting, providing organizations with a robust security framework.
With an automated hardening platform like CalCom’s Hardening Suite (CHS), organizations can easily adjust policies and configurations to align with evolving best practices and changes in the threat landscape. Quick updates to templates across all nodes contribute to maintaining a dynamic and resilient security posture.
Getting this setting right puts you on the path to NIST compliance — which explicitly flags LM and NTLMv1 as unacceptable authentication methods. See how NIST’s secure configuration requirements translate into enforceable policies across your server environment.