KB3161949 Breaks SMB over NETBIOS Access Outside the Local Subnet

We have just learned what to do with MS16-072 update breaking the familiar GPO mechanism, and there appeared new problems with another security bulletin released in June — MS16-077 and KB3161949 update. After this update is installed on server systems, clients from other subnets are not able to connect to shares using Netbios over TCP/IP.

First of all, the problem appeared with network scanners, which scan documents and save the copies to the network share (SMB) on a server. Documents are no longer saved, and the scanner returns the error: Cannot connect to server. There also appeared some problems with connection of Samba clients to the domain controllers (errors Access Denied or No Logon Server Available). The most interesting thing is that the issues of access to Windows shares appeared only on clients located in subnets other than the server.

After the KB3165191 update has been deleted, there have been no access problems.

Let’s see what the KB3161949 update does. According to its description, the update restricts NETBIOS connections outside local subnet. Thus, network features depending on NETBIOS (like SMB over NETBIOS, ports 137-139) will not work for the clients of other subnets. Common SMB protocol (port 445) is available in both directions.

To change this behavior, you will have to do one of the following:

• Uninstall security update KB3161949 (not the best way out)
• Create a Dword parameter with the name AllowNBToInternet and value 1 (after installation of the update it is set to 0) in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters branch of the registry on your server Also you can perfom this action via cmdreg add "HKLM\System\CurrentControlSet\Services\NetBT\Parameters" /v "AllowNBToInternet" /t REG_DWORD /d 1 /f

  or PowerShell

  Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -Name AllowNBToInternet -Type DWord -Value 1

• After the parameter is created, restart the server.

As a result, the server will get available to NETBIOS clients from other subnets.