Jan 04 2024 01:39 PM
Dear Windows Server Team,
In light of the security improvements in vNext with SMB and the announced NTLM security improvements (amazing job!), do you agree it is about time to disable LMHOSTS and NetBIOS over TCP/IP for all virtual and physical network adapters, by default?
I have been doing so for all our customers via GPO and PowerShell on Windows Server and Azure Stack HCI for about 3 years now and have had zero complaints. NetBIOS over TCP/IP is additionally disabled by the Windows DHCP Windows 2000 Option 0x2 for NetBIOS (no idea if this is still required).
Sure, in rare cases LMHOSTS files are needed, but both are also security-related, and disabling them by default should reduce the attack surface and, most of all, IPv4 broadcasts, shouldn't it?
To make things more manageable remotely, especially on WS Core, I have created a related request for WAC; I hope this makes sense.
Thanks for all your points of view and possible requirements why these are still enabled by default.
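
Added example, not part of the original post: a PowerShell audit of the per-adapter NetBIOS over TCP/IP setting and the LMHOSTS lookup switch discussed above, with an opt-in change to the disabled state. It uses the standard NetBT registry values (`NetbiosOptions`, `EnableLMHOSTS`); the `-Remediate` switch is a name chosen for this sketch.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# -Remediate is a name chosen for this sketch; without it the script only reports.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

# Per-interface NetbiosOptions: 0 = use the DHCP setting, 1 = enabled, 2 = disabled
$meaning = @{ 0 = 'Default (DHCP decides)'; 1 = 'Enabled'; 2 = 'Disabled' }

$report = Get-ChildItem -Path "$netbt\Interfaces" | ForEach-Object {
    $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    if ($null -eq $opt) { $opt = 0 }          # value absent: treated as the default here
    [pscustomobject]@{
        Interface      = $_.PSChildName       # Tcpip_{adapter GUID}
        NetbiosOptions = [int]$opt
        State          = $meaning[[int]$opt]
        Path           = $_.PSPath
    }
}
$report | Format-Table Interface, NetbiosOptions, State -AutoSize

# Global LMHOSTS lookup switch: 1 = enabled, 0 = disabled
$lm = (Get-ItemProperty -Path $netbt -Name EnableLMHOSTS -ErrorAction SilentlyContinue).EnableLMHOSTS
"EnableLMHOSTS = $(if ($null -eq $lm) { 'not set' } else { $lm })"

if ($Remediate) {
    # Disable NetBIOS over TCP/IP on every interface that is not already at 2
    foreach ($entry in ($report | Where-Object { $_.NetbiosOptions -ne 2 })) {
        if ($PSCmdlet.ShouldProcess($entry.Interface, 'Set NetbiosOptions = 2')) {
            Set-ItemProperty -Path $entry.Path -Name NetbiosOptions -Value 2 -Type DWord
        }
    }
    # Disable LMHOSTS lookup globally
    if ($lm -ne 0 -and $PSCmdlet.ShouldProcess($netbt, 'Set EnableLMHOSTS = 0')) {
        Set-ItemProperty -Path $netbt -Name EnableLMHOSTS -Value 0 -Type DWord
    }
}
```

Each adapter has its own `Tcpip_` key, so adapters added later need the audit re-run; `-Remediate -WhatIf` previews the changes without writing them.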