What is LLMNR
LLMNR (Link-Local Multicast Name Resolution) is a protocol used by legacy operating systems for name resolution without a DNS server, compatible with both IPv4 and IPv6. It is included in Windows Vista, Windows Server 2008, Windows 7, 8, and 10, and some Linux distributions. Introduced by Microsoft to enhance network resource resolution, LLMNR allows devices to multicast name queries on a local network if the DNS server fails to resolve a name. This simplifies the user and administrator experience by reducing name resolution errors. However, due to security risks, Microsoft began phasing out LLMNR and NetBIOS in April 2022, favoring mDNS. This blog discusses the importance of disabling LLMNR and the steps to mitigate related security threats.
How to Disable LLMNR through a GPO
Here is a step-by-step video on LLMNR Disabling via GPO
Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Turn off multicast name resolution |
- Step by Step:
- Open gpedit.msc
- Goto Computer Configuration > Administrative Templates > Network > DNS Client > turn off multicast name resolution
- Click on “Turn Off Multicast Name Resolution” and set it to “Enabled”
Risks of LLMNR and NBT-NS
Two vulnerabilities, the Netbios Name Service (NBT-NS) and the Link-Local Multicast Name Resolution (LLMNR) protocols, serve as backup methods for host identification when DNS fails. If a computer can’t resolve a request through DNS, it broadcasts the query to the local subnets via LLMNR or NBT-NS.
These protocols are still enabled by default on some Microsoft systems, and if not properly managed, they can be exploited by attackers to gain network control. However, IT teams can implement several straightforward measures to prevent such attacks.
LLMNR Poisoning Explained
LLMNR Poisoning is a type of man-in-the-middle attack exploiting the LLMNR protocol in Windows systems, often using a tool called Responder. This open-source script listens for LLMNR queries on a network and sends poisoned responses to intercept credentials, typically displaying the target’s username and NTLMv1 password hash. Attackers can then crack these hashes using password-cracking tools to gain unauthorized access, install malware, or perform network reconnaissance and data exfiltration.
Hardening the LLMNR protocol involves implementing security measures to reduce vulnerabilities and enhance network protection in Windows environments. To completely mitigate local name resolution poisoning, in addition to this setting, the properties of each installed NIC should also be set to Disable NetBIOS over TCP/IP.
Disable NetBios Via PowerShell
To disable NBT-NS via GPO, a PowerShell script can be used:
- Via registry settings
- set-ItemProperty path HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\tcpip* -Name NetbiosOptions -Value 2
To disable NetBIOS over TCP IP is often a security best practice, and it can impact NetBIOS NS broadcasting in the following ways:
- Reduced Dependency
- Security Improvement
- Compatibility Considerations
While NetBIOS NS broadcasting is a fundamental part of NetBIOS for name resolution within a local network, disabling NetBIOS over TCP is a strategic move to enhance network security.
To confirm LLMNR was remediated, run the following command in Powershell and a '0' should be received:
$(Get-ItemProperty -Path “HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient” -name EnableMulticast).EnableMulticast |
Operational Risks
Disabling LLMNR can improve network security and mitigate certain risks, as discussed in previous articles. However, it's important to be aware of potential operational risks and drawbacks associated with disabling LLMNR:
Compatibility Issues: Disabling LLMNR might cause problems with older devices or software reliant on LLMNR for local network name resolution. Ensure all network devices and applications can operate smoothly without LLMNR before deactivating it.
User Experience: Disabling LLMNR could result in slower name resolution for local network resources, especially if alternative methods like DNS or NetBIOS aren’t optimized. This could impact user experience and productivity.
Network Resource Discovery: LLMNR aids devices in seamless discovery and connection to other devices on the local network. Disabling it might require users to manually input IP addresses or use other methods, potentially causing usability issues.
Delayed Network Troubleshooting: LLMNR is valuable for network troubleshooting and diagnostics. Disabling it might complicate the quick diagnosis and resolution of local network issues.
Increased Administrative Overhead: Without LLMNR, network administrators may need to rely more on DNS configurations and NetBIOS settings, increasing administrative complexity.
Limited Use Cases: Disabling LLMNR enhances security but might not be necessary in all network setups. Well-segmented, properly configured networks with robust security measures might face minimal LLMNR-related risks.
Hardening LLMNR
Hardening LLMNR protocol refers to a set of security measures and configurations aimed at strengthening its operation within Windows environments. This process involves several steps to minimize vulnerabilities and enhance network protection. To disable LLMNR is the primary step in hardening and often disabling it entirely.
Implementing Network Segmentation: Properly segmenting the network can limit the scope of LLMNR’s operation, reducing its exposure to potential threats and unauthorized access.
Using Secure Name Resolution Protocols: Encouraging the use of more secure name resolution protocols like DNS over DNSSEC can provide better protection against potential LLMNR-related vulnerabilities.
Enabling Security Features: Leveraging Windows security features and group policies to control LLMNR settings can help enhance network security and prevent unauthorized access.
Monitoring and Detection: Employing network monitoring and intrusion detection systems can help detect and respond to suspicious LLMNR activities, enhancing the network’s overall security posture.