
Disable LLMNR Protocol for Network Security

Roy Ludmir
Updated on: September 29, 2025

Link-Local Multicast Name Resolution (LLMNR) is a legacy protocol designed to simplify name resolution in local networks, but it also opens the door to serious security risks. In this article, we outline the protocol, discuss its security risks, and provide guidance on how to mitigate them.

What You Will Learn

  • What LLMNR is and how it functions in local name resolution.
  • Why LLMNR is considered insecure and frequently exploited by attackers.
  • How spoofing and poisoning attacks leverage LLMNR to steal credentials.
  • Why disabling LLMNR is recommended.
  • How CalCom CHS automates disabling LLMNR.

What is LLMNR

Link-Local Multicast Name Resolution (LLMNR) is a legacy name resolution protocol that works without a DNS server. It is IPv4 and IPv6 compatible. Introduced by Microsoft to improve resolution of network resources, LLMNR lets a device multicast a name query on the local network when the DNS server fails to resolve the name. This simplifies the user and administrator experience by reducing name resolution errors. However, because of the security risks, Microsoft began phasing out LLMNR and NetBIOS in April 2022 in favor of Multicast DNS (mDNS).

LLMNR is supported by Windows Vista, 7, 8, 10, Server 2008, and some Linux distributions.

How to Disable LLMNR through a GPO

The policy setting is located at:

Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Turn off multicast name resolution

  1. Open gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Network > DNS Client.
  3. Open “Turn Off Multicast Name Resolution.”
  4. Set it to “Enabled.”


Risks of LLMNR and NBT-NS

Two vulnerable protocols, the NetBIOS Name Service (NBT-NS) and Link-Local Multicast Name Resolution (LLMNR), serve as fallback methods for host identification when DNS fails. If a computer cannot resolve a name through DNS, it broadcasts the query to the local subnet via LLMNR or NBT-NS.

These protocols are still enabled by default on some Microsoft systems, and if not properly managed, they can be exploited by attackers to gain control of the network. However, IT teams can implement several straightforward measures to prevent such attacks.

LLMNR Poisoning Explained

LLMNR Poisoning is a type of man-in-the-middle attack exploiting the LLMNR protocol in Windows systems, often using a tool called Responder. This open-source script listens for LLMNR queries on a network and sends poisoned responses to intercept credentials, typically displaying the target’s username and NTLMv1 password hash. Attackers can then crack these hashes using password-cracking tools to gain unauthorized access, install malware, or perform network reconnaissance and data exfiltration.

Hardening the LLMNR protocol involves implementing security measures to reduce vulnerabilities and enhance network protection in Windows environments. To completely mitigate local name resolution poisoning, in addition to this setting, the properties of each installed NIC should also be set to Disable NetBIOS over TCP/IP.

Disable NetBIOS via PowerShell

To disable NBT-NS via GPO, a PowerShell script can be used. It sets the per-interface registry value directly (NetbiosOptions = 2 means NetBIOS over TCP/IP disabled):

  • Via registry settings:
  • Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip*" -Name NetbiosOptions -Value 2

Disabling NetBIOS over TCP/IP is often a security best practice, and it affects NetBIOS NS broadcasting in the following ways:

  • Reduced Dependency
  • Security Improvement
  • Compatibility Considerations

While NetBIOS NS broadcasting is a fundamental part of NetBIOS for name resolution within a local network, disabling NetBIOS over TCP is a strategic move to enhance network security.

To confirm LLMNR was remediated, run the following command in PowerShell; it should return 0:

$(Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMulticast).EnableMulticast
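The GPO steps above, the NetBIOS command and the verification check all come down to two registry locations. The script below is an added example (not part of the original article or of CalCom's product) that audits both on the local machine and, when run elevated with -Remediate, applies the same values the article describes. The function names are the author's own; the registry paths and value meanings (EnableMulticast = 0 disables LLMNR, NetbiosOptions = 2 disables NetBIOS over TCP/IP on an interface) are the ones the article uses.

```powershell
# Added example, not from the original article: audit (and optionally enforce)
# the LLMNR policy value and per-interface NetBIOS over TCP/IP setting.
# Run in an elevated PowerShell session when using -Remediate.
param([switch]$Remediate)

$LlmnrKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient'
$NetbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LlmnrState {
    # No policy value at all means Windows falls back to its default, i.e. LLMNR enabled.
    $v = Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'NotConfigured (LLMNR enabled by default)' }
    if ($v.EnableMulticast -eq 0) { 'Disabled' } else { 'Enabled' }
}

function Get-NetbiosState {
    # One subkey per interface, named Tcpip_{GUID}.
    # NetbiosOptions: 0 = use DHCP-supplied setting, 1 = enabled, 2 = disabled
    Get-ChildItem -Path $NetbtKey |
        Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object {
            $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
            [pscustomobject]@{
                Interface      = $_.PSChildName
                NetbiosOptions = $opt
                Compliant      = ($opt -eq 2)
            }
        }
}

if ($Remediate) {
    # Same value the "Turn off multicast name resolution" GPO writes.
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $LlmnrKey -Name EnableMulticast -Value 0 -Type DWord

    # Same per-interface value as the article's Set-ItemProperty one-liner.
    Get-ChildItem -Path $NetbtKey |
        Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
}

"LLMNR policy : $(Get-LlmnrState)"
Get-NetbiosState | Format-Table -AutoSize
```

On a domain-joined machine the Policies key is owned by Group Policy, so a value written here without a matching GPO will be overwritten at the next policy refresh; use the script to audit, and the GPO from the section above to enforce. Interfaces that report NetbiosOptions 0 are the ones to watch, because a DHCP server can switch NetBIOS back on for them.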

Operational Risks

Disabling LLMNR can improve network security and mitigate specific risks, as discussed in previous articles. However, it’s essential to be aware of potential operational risks and drawbacks associated with disabling LLMNR:

  • Compatibility Issues: Disabling LLMNR causes problems with older devices or software that rely on LLMNR for local network name resolution. Ensure all network devices and applications can operate smoothly without LLMNR before deactivating it.
  • User Experience: Disabling LLMNR results in slower name resolution for local network resources, especially if alternative methods, such as DNS or NetBIOS, aren’t optimized. This could impact user experience and productivity.
  • Network Resource Discovery: LLMNR facilitates seamless discovery and connection between devices on the local network. Disabling it may require users to manually enter IP addresses or use alternative methods, potentially causing usability issues.
  • Delayed Network Troubleshooting: LLMNR is valuable for network troubleshooting and diagnostics. Disabling it might complicate the quick diagnosis and resolution of local network issues.
  • Increased Administrative Overhead: Without LLMNR, network administrators may need to rely more on DNS configurations and NetBIOS settings, increasing administrative complexity.
  • Limited Use Cases: Disabling LLMNR enhances security, but it may not be necessary in all network setups. Well-segmented, properly configured networks with robust security measures might face minimal LLMNR-related risks.


Hardening LLMNR

Hardening the LLMNR involves several steps to minimize vulnerabilities and enhance network protection. Disabling LLMNR is the primary step in hardening, and it is often recommended to disable it entirely.

  • Implementing Network Segmentation: Properly segmenting the network limits the scope of LLMNR’s operation and reduces exposure to potential threats.
  • Using Secure Name Resolution Protocols: Rely on DNS secured with DNSSEC so that name resolution does not fall back to LLMNR and the weaknesses that come with it.
  • Enabling Security Features: Leverage Windows security features and group policies to enhance network security and prevent unauthorized access.
  • Monitoring and Detection: Utilize network monitoring and intrusion detection systems to identify and respond to suspicious LLMNR activities, and enhance the network’s overall security posture.
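The monitoring point above can be made concrete on a Windows host with the built-in firewall: blocking the ports LLMNR (UDP 5355, multicast 224.0.0.252) and NBT-NS (UDP 137, broadcast) use stops a machine from sending the fallback query, and logging the drops tells you which hosts are still trying to. The following is an added example, not code from the article or from CalCom; the rule names and function names are the author's own, and the log lines are constructed sample data in the Windows Firewall pfirewall.log layout.

```powershell
# Added example, not from the original article: host-level block of LLMNR and
# NBT-NS traffic, plus a detection pass over the firewall log that reports
# hosts still attempting legacy name resolution fallback. Run elevated.

function Add-LegacyNameResolutionBlock {
    # Outbound block rules: a host whose LLMNR/NetBIOS is still enabled can no
    # longer send the query, and each attempt is recorded as a DROP.
    New-NetFirewallRule -DisplayName 'Block LLMNR (UDP 5355) outbound' -Direction Outbound `
        -Protocol UDP -RemotePort 5355 -Action Block -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'Block NBT-NS (UDP 137) outbound' -Direction Outbound `
        -Protocol UDP -RemotePort 137 -Action Block -Profile Any | Out-Null
    # Make sure dropped packets are written to the firewall log.
    Set-NetFirewallProfile -All -LogBlocked True
}

function Find-NameResolutionFallback {
    # Parses pfirewall.log lines and returns sources with >= $Threshold blocked
    # LLMNR/NBT-NS packets. Field order (from the file's #Fields header):
    # date time action protocol src-ip dst-ip src-port dst-port ...
    param([string[]]$LogLines, [int]$Threshold = 5)

    $hits = foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }                      # skip malformed lines
        if ($f[2] -eq 'DROP' -and $f[3] -eq 'UDP' -and ($f[7] -in '5355', '137')) {
            [pscustomobject]@{ Source = $f[4]; Port = $f[7]; Time = "$($f[0]) $($f[1])" }
        }
    }

    $hits | Group-Object Source | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{
            Source = $_.Name
            Drops  = $_.Count
            Ports  = ($_.Group.Port | Sort-Object -Unique) -join ','
            First  = ($_.Group.Time | Sort-Object)[0]
        }
    }
}

# Constructed sample log: 192.168.1.10 keeps falling back to LLMNR and NBT-NS
# (a typo'd hostname, for instance); 192.168.1.20 shows a single unrelated drop.
$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-09-29 10:00:01 DROP UDP 192.168.1.10 224.0.0.252 51234 5355 60 - - - - - - - SEND
2025-09-29 10:00:01 DROP UDP 192.168.1.10 192.168.1.255 137 137 78 - - - - - - - SEND
2025-09-29 10:00:02 DROP UDP 192.168.1.10 224.0.0.252 51235 5355 60 - - - - - - - SEND
2025-09-29 10:00:03 DROP UDP 192.168.1.10 224.0.0.252 51236 5355 60 - - - - - - - SEND
2025-09-29 10:00:04 DROP TCP 192.168.1.20 10.0.0.5 49152 445 52 S 0 0 8192 - - - SEND
'@ -split "`r?`n"

# Expected: one row for 192.168.1.10 with 4 drops on ports 137,5355.
Find-NameResolutionFallback -LogLines $sampleLog -Threshold 3 | Format-Table -AutoSize
```

In production point -LogLines at Get-Content of the profile's log file (the path is shown by Get-NetFirewallProfile under LogFileName). A host that appears in the output has not received the LLMNR GPO or the NetBIOS setting from the sections above, so the report doubles as a compliance check; repeated drops toward UDP 137 on an interface that is supposed to be disabled usually mean DHCP has re-enabled NetBIOS on it.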

Key Takeaways

  • LLMNR is a legacy name resolution protocol used as a fallback when DNS fails.
  • Attackers can exploit LLMNR to capture user credentials.
  • Disabling LLMNR strengthens network defenses against credential theft.
  • Security frameworks and CIS Benchmarks recommend disabling LLMNR.
  • CalCom Hardening Suite (CHS) automates LLMNR secure configuration.

How CalCom Automates LLMNR Hardening

CalCom Hardening Suite (CHS) automates secure configuration and ensures compliance with CIS Benchmarks, reducing risk without disrupting production systems. Protect your network from credential theft and spoofing attacks by eliminating insecure protocols, such as LLMNR.

FAQs

What is LLMNR?
Link-Local Multicast Name Resolution (LLMNR) is a protocol that helps devices resolve hostnames on local networks when DNS fails.

Why is LLMNR a security risk?
Attackers can exploit LLMNR through spoofing and poisoning attacks to capture user credentials and move laterally in the network.

Should LLMNR be disabled?
Yes. Security best practices and CIS Benchmarks recommend disabling LLMNR to minimize attack surface.

Will disabling LLMNR affect network performance?
No. Modern networks rely on DNS, so disabling LLMNR has little to no impact on normal operations.

How can CalCom help with LLMNR hardening?
CalCom Hardening Suite (CHS) automates the disabling of LLMNR, ensuring secure, compliant configurations without production downtime.

Roy Ludmir
Roy Ludmir is a cybersecurity entrepreneur and CEO with over 15 years of experience driving product innovation and sales growth in the security industry. He is highly skilled in CIS Benchmarks, baseline hardening, and vulnerability management, helping organizations strengthen defenses and meet compliance requirements. With a unique blend of executive leadership and deep technical expertise, he bridges business strategy with practical security solutions.
