Key Points
- Map actual UDP 137 usage before disabling to avoid breaking legacy services.
- Block UDP 137 at the perimeter and on untrusted segments, allowing it only where documented.
- Disable NetBIOS over TCP/IP on Windows via adapter settings, GPO, or MDM, and verify DNS works.
IT professionals and system administrators often contend with legacy NetBIOS traffic on UDP 137, which widens the attack surface and can disrupt services if mishandled. This guide shows how to safely disable or scope UDP port 137 (the NetBIOS Name Service) in Windows while preserving any required legacy functionality.
7 tips for handling NetBIOS dependencies and network security
First, ensure you have the necessary access and tools before jumping into this workflow.
- Change‑window schedule and pilot ring for staged rollout
- Current network and host inventory with subnet and adapter details
- Access to a scanner (e.g., nmap) for validation and centralized logging
- Permissions to apply Windows Defender Firewall rules and adapter settings via GPO or MDM
Having these prerequisites in place allows you to safely discover, block, or disable UDP port 137 without causing unintended disruption.
1. Discover where UDP 137 is used
Identifying existing UDP port 137 listeners prevents accidental service disruptions.
To get started, run network discovery or targeted scans to list hosts that respond on UDP 137. Then, match scan results with your inventory to identify legacy services.
The “listeners” are Windows PCs on the local network that rely on NetBIOS for name resolution and file‑printer sharing. In contrast, modern environments typically use DNS and SMB over TCP 445.
Once you have this inventory, you can proceed to safely scope or disable the port.
2. Block UDP 137 at the perimeter and on untrusted segments
To reduce exposure, block UDP 137 at the network perimeter and on untrusted segments. Apply inbound and outbound deny rules for UDP 137 on firewalls at the internet edge, and explicitly deny the port on guest, IoT, and unmanaged VLANs.
After implementing these rules, verify that external scanners cannot access UDP port 137 from public networks. This perimeter block limits the attack surface while you assess and manage any remaining internal dependencies.
3. Disable NetBIOS over TCP/IP on Windows
Before disabling, verify that DNS resolution and any required modern name-resolution services (LLMNR or mDNS, if enabled) are functioning correctly. Then, turn off NetBIOS on the hosts that no longer need it. NinjaOne users can configure NetBIOS with this script.
Configure each network adapter to disable NetBIOS in the IPv4 properties, then enforce the setting centrally via a Group Policy Object or MDM profile for consistent application. As with any network adjustment, deploy in a pilot group to test.
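The host-side change in this step, as an added PowerShell example (it is not the page's script and not NinjaOne's): it first checks that DNS resolution works, then sets NetBIOS over TCP/IP to disabled on every IP-enabled adapter and reads the setting back from the registry. The DNS probe name is an assumption; the NetBT registry path and the TcpipNetbiosOptions values are the standard Windows ones.

```powershell
# Added example (not the page's or NinjaOne's script): disable NetBIOS over TCP/IP
# on every IP-enabled adapter, but only after DNS resolution has been verified.
# Run elevated. Pilot on a few hosts before enforcing the setting via GPO or MDM.

# TcpipNetbiosOptions values used by Win32_NetworkAdapterConfiguration.SetTcpipNetbios:
#   0 = use the DHCP-supplied setting, 1 = enable NetBIOS, 2 = disable NetBIOS over TCP/IP
$NetbiosDisabled = 2

# Assumption: a DNS name every client must be able to resolve (e.g. a domain controller).
# Replace it with a name from your own inventory.
$DnsProbeName = 'dc01.corp.example'

function Test-DnsReady {
    param([string]$Name)
    try {
        $answer = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
        return ($answer | Where-Object { $_.IPAddress }).Count -gt 0
    } catch {
        return $false
    }
}

function Disable-NetbiosOnAllAdapters {
    # IPEnabled=True limits the change to adapters that actually carry TCP/IP.
    $nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
    foreach ($nic in $nics) {
        $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                      -Arguments @{ TcpipNetbiosOptions = $NetbiosDisabled }
        # ReturnValue 0 = success; 1 = success, reboot required; anything else is an error code.
        [pscustomobject]@{
            Adapter     = $nic.Description
            ReturnValue = $result.ReturnValue
        }
    }
}

function Get-NetbiosState {
    # Read the setting back from the per-interface NetBT keys; a Group Policy Preferences
    # registry item or an MDM policy targets these same keys.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $base | ForEach-Object {
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        }
    }
}

if (-not (Test-DnsReady -Name $DnsProbeName)) {
    Write-Warning "DNS lookup for $DnsProbeName failed; leaving NetBIOS unchanged on this host."
    return
}

Disable-NetbiosOnAllAdapters | Format-Table -AutoSize
Get-NetbiosState | Format-Table -AutoSize
```

Because the script refuses to change anything when the DNS probe fails, it can be pushed to a pilot ring as-is: hosts with broken name resolution report a warning instead of silently losing their NetBIOS fallback. A NetbiosOptions value of 2 in every Tcpip_* interface key is what the verification in the next steps should show.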
4. Scope internal allow rules for documented legacy needs
If certain systems still require NetBIOS, create narrow firewall rules that permit UDP 137 only between the specific client subnets and the identified legacy servers. For example, target the rules by security group or organizational unit and deny all other UDP traffic on port 137.
5. Validate and monitor the remediation
After applying the blocks and scoped allows, verify that UDP 137 is no longer listening on hosts by running netstat -an | find "137" locally, and scan from a representative client with nmap -sU -p 137 against the target hosts. Monitor firewall and security logs for at least one full lockout cycle to catch any unexpected traffic or failed name‑resolution attempts.
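The firewall side of steps 2 and 4 and the listener check of steps 1 and 5, as an added PowerShell example (not from the original page): one function builds the deny rules for hosts on untrusted segments, one builds the narrow allow for a documented legacy server, and one reports which hosts still have anything bound to UDP 137. The client subnets and the rule group name are constructed placeholders. One caveat the page does not spell out: Windows Defender Firewall evaluates Block rules before Allow rules, so on the legacy server the scoping is done with a narrow Allow plus the profile's default inbound action of Block, not with an additional blanket Block on the same host.

```powershell
# Added example (not from the original page): Windows Defender Firewall rules for
# UDP 137 (NetBIOS Name Service) plus a local/remote listener check.
# Run elevated. Subnets are constructed placeholders; take real ones from your inventory.

$LegacyClientSubnets = @('10.20.0.0/24', '10.20.1.0/24')   # assumption: clients that still need NetBIOS
$RuleGroup           = 'NetBIOS-NS hardening'                # tag so the rules can be audited/removed together

# Hosts on untrusted segments (guest, IoT, unmanaged): deny UDP 137 in both directions.
function Set-NetbiosNsBlock {
    $common = @{ Protocol = 'UDP'; Action = 'Block'; Profile = 'Any'; Group = $RuleGroup; Enabled = 'True' }
    New-NetFirewallRule -DisplayName 'Block NetBIOS-NS inbound'  -Direction Inbound  -LocalPort 137  @common
    New-NetFirewallRule -DisplayName 'Block NetBIOS-NS outbound' -Direction Outbound -RemotePort 137 @common
}

# A documented legacy server: allow UDP 137 only from the listed client subnets.
# Block rules win over Allow rules in Windows Firewall, so rely on the profile's default
# inbound Block and do not add a blanket Block for 137 here, or the Allow never matches.
function Set-NetbiosNsScopedAllow {
    # The built-in File and Printer Sharing rule for NetBIOS Name is unscoped; disable it
    # so the narrow rule below is the only inbound path to UDP 137.
    Get-NetFirewallRule -DisplayName 'File and Printer Sharing (NB-Name-In)' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    New-NetFirewallRule -DisplayName 'Allow NetBIOS-NS from legacy clients' -Direction Inbound `
        -Protocol UDP -LocalPort 137 -RemoteAddress $LegacyClientSubnets `
        -Action Allow -Profile Any -Group $RuleGroup -Enabled True
}

# Discovery (step 1) and validation (step 5): which hosts still have a UDP 137 endpoint?
# Without -ComputerName it inspects the local host; with it, it uses WinRM remoting.
function Get-NetbiosNsListeners {
    param([string[]]$ComputerName)
    $probe = {
        Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } }, LocalAddress, LocalPort, OwningProcess
    }
    if ($ComputerName) { Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe }
    else               { & $probe }
}

# Audit what this script created, e.g. for the quarterly baseline check.
function Get-NetbiosNsRules {
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Direction, Action, Enabled
}

# Example invocations; apply the function that matches the host's role.
# Set-NetbiosNsBlock
# Set-NetbiosNsScopedAllow
Get-NetbiosNsListeners | Format-Table -AutoSize
Get-NetbiosNsRules     | Format-Table -AutoSize
```

Run Get-NetbiosNsListeners against the host list from your inventory before the change to build the step 1 picture, and again afterwards: an empty result on a host whose NetBIOS was disabled in step 3 is the expected outcome, while any remaining OwningProcess entries point at a dependency still to be remediated. Because every rule carries the same Group tag, Get-NetFirewallRule -Group is also the quickest way to enumerate the exceptions that step 7 asks you to review.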
6. Remediate legacy dependencies
Before disabling NetBIOS completely, remove any remaining dependencies on it.
| Action | Details |
| --- | --- |
| Replace NetBIOS names with DNS/FQDNs | Add DNS records and update search suffixes to eliminate NetBIOS lookups. |
| Update scripts, shortcuts, and configs | Change hard‑coded NetBIOS references to fully qualified domain names. |
| Modernize print and file‑share paths | Use SMB over TCP 445 with DNS names instead of NetBIOS names. |
| Refresh golden images and provisioning templates | Ensure new deployments have NetBIOS disabled by default. |
| Verify after changes | Test file sharing, printing, and application connectivity to confirm no regression. |
Once these updates are applied, the environment no longer relies on NetBIOS, so UDP port 137 can be securely blocked.
7. Govern exceptions and lifecycle
Maintain control over any allowed UDP 137 paths by treating them as temporary exceptions. Then, limit these outliers to specific groups, subnets, or OU scopes only.
For maintenance and monitoring, conduct regular UDP 137 checks as part of your security hardening and quarterly audit baselines.
Handling NetBIOS security risks with NinjaOne
Because open NetBIOS services can be exploited for enumeration, spoofing, and denial‑of‑service attacks, you need tighter controls. Review your network policies to minimize exposure of NetBIOS services.
Then, consider implementing modern name‑resolution methods such as DNS, LLMNR, or mDNS in place of NetBIOS. Finally, use NinjaOne’s scripting capability to uniformly disable NetBIOS across devices while enabling continuous network monitoring and reporting.