---
title: Inbound TCP NetBIOS access should be restricted
description: Datadog, the leading service for cloud-scale monitoring.
---

# Inbound TCP NetBIOS access should be restricted
 
## Description{% #description %}

Reduce the probability of a breach by checking [EC2 security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) for inbound rules that allow unfettered access to TCP port 139 (used by services for NetBIOS name resolution), and by restricting access to only the IP addresses that require this port.

## Rationale{% #rationale %}

Malicious activity, such as BadTunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when this port is open to unfettered access.

## Remediation{% #remediation %}

### From the console{% #from-the-console %}

Follow the [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules) docs to learn how to add a security group rule that will restrict access to a specific port.

### From the command line{% #from-the-command-line %}

1. Run `revoke-security-group-ingress` to [remove inbound rules](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html) that allow unrestricted access to TCP port 139.

   In the `revoke-security-group-ingress.sh` file:

   ```bash
   # Replace group-name and the CIDR with the values of the rule to revoke.
   aws ec2 revoke-security-group-ingress \
       --group-name group-name \
       --protocol tcp \
       --port 139 \
       --cidr 192.0.2.0/24
   ```
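The check and the revoke step above, as an added example that is not part of the Datadog rule or the AWS documentation: it scans `describe-security-groups` JSON for rules that expose TCP 139 to `0.0.0.0/0` or `::/0`, including port ranges and all-protocol rules, and builds a `revoke-security-group-ingress` call matching each rule exactly. The group IDs and sample data are constructed, and the function names are hypothetical.

```python
import json
import shlex
NETBIOS_PORT = 139
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
# Constructed sample, shaped like `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 139, "ToPort": 139,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [  # range containing 139, IPv6
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [  # restricted source: compliant
        {"IpProtocol": "tcp", "FromPort": 139, "ToPort": 139,
         "IpRanges": [{"CidrIp": "192.0.2.0/24"}]}]},
    {"GroupId": "sg-0ddd", "IpPermissions": [  # all protocols, no port keys
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0eee", "IpPermissions": [  # UDP: outside this TCP rule
        {"IpProtocol": "udp", "FromPort": 137, "ToPort": 139,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}

def covers_port(perm, port=NETBIOS_PORT):
    # "-1" means all protocols and ports; such rules carry no FromPort/ToPort.
    return perm.get("IpProtocol") == "-1" or (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))

def find_open_netbios(doc):
    """Return (group_id, permission, cidr) for each world-open rule reaching 139."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not covers_port(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(sg["GroupId"], perm, c) for c in cidrs if c in OPEN_CIDRS]
    return findings

def revoke_command(group_id, perm, cidr):
    """Build a revoke call matching the rule's own protocol and port range."""
    rule = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
    key, field = ("Ipv6Ranges", "CidrIpv6") if ":" in cidr else ("IpRanges", "CidrIp")
    rule[key] = [{field: cidr}]
    return "aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions %s" % (
        shlex.quote(group_id), shlex.quote(json.dumps([rule])))

if __name__ == "__main__":
    for gid, perm, cidr in find_open_netbios(SAMPLE):
        print(revoke_command(gid, perm, cidr))
```

Revoking a rule that covers a port range or all protocols also closes the other ports it opened, so re-add narrower rules for any access that is still required.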
