Disable LLMNR for Network Security — Risks, Steps & Best Practices

Roy Ludmir
Updated on: March 15, 2026
How and Why to Disable LLMNR for Network Security

LLMNR is a legacy name-resolution protocol that’s still enabled in many Windows environments by default. It can help systems find each other when DNS fails, but it also opens the door to credential-theft attacks.

Disabling LLMNR is typically one step in a broader configuration-hardening strategy aligned with CIS Benchmarks.

This guide explains:

  • Why security teams disable LLMNR
  • How to do it safely
  • What to check before making the change in production.

More About LLMNR

LLMNR (Link-Local Multicast Name Resolution) is the old Windows protocol that helps systems resolve hostnames when DNS fails by broadcasting queries on the local network. It supports IPv4 and IPv6 and was designed to reduce name-resolution errors in unmanaged environments. Today, LLMNR is considered a security risk, and Microsoft has been phasing it out in favor of safer alternatives like mDNS since 2022.

LLMNR is supported by Windows Vista, 7, 8, 10, Server 2008, and some Linux distributions.

LLMNR is one of several legacy protocols that remain enabled by default and actively exploited.

How Security Teams Disable LLMNR

  1. Open gpedit.msc
  2. Go to Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution.
  3. Click on “Turn off multicast name resolution.”
  4. Set it to “Enabled.”

Risks of LLMNR and NBT-NS

Two frequently exploited protocols, NetBIOS Name Service (NBT-NS) and Link-Local Multicast Name Resolution (LLMNR), serve as backup methods for host identification when DNS fails. If a computer can’t resolve a request through DNS, it broadcasts the query to the local subnet via LLMNR or NBT-NS.

These protocols are still enabled by default on some Microsoft systems, and if not properly managed, they can be exploited by attackers to gain control of the network. However, IT teams can implement several straightforward measures to prevent such attacks.

LLMNR Poisoning Explained

LLMNR Poisoning is a type of man-in-the-middle attack exploiting the LLMNR protocol in Windows systems, often using a tool called Responder. This open-source script listens for LLMNR queries on a network and sends poisoned responses to intercept credentials, typically displaying the target’s username and NTLMv1 password hash. Attackers can then crack these hashes using password-cracking tools to gain unauthorized access, install malware, or perform network reconnaissance and data exfiltration.

Hardening the LLMNR protocol involves implementing security measures to reduce vulnerabilities and enhance network protection in Windows environments. To completely mitigate local name resolution poisoning, in addition to this setting, the properties of each installed NIC should also be set to Disable NetBIOS over TCP/IP.

Disable NetBIOS via PowerShell

To disable NBT-NS via GPO, a PowerShell script can be used:

  • Via registry settings:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\tcpip*" -Name NetbiosOptions -Value 2

Disabling NetBIOS over TCP/IP is often a security best practice, and it can affect NetBIOS NS broadcasting in the following ways:

  • Reduced Dependency
  • Security Improvement
  • Compatibility Considerations

While NetBIOS NS broadcasting is a fundamental part of NetBIOS for name resolution within a local network, disabling NetBIOS over TCP/IP is a strategic move to enhance network security.

To confirm LLMNR was remediated, run the following command in PowerShell; it should return ‘0’:

$(Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMulticast).EnableMulticast
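
The check above and the NetBIOS setting can be audited together. The following script is an added example, not CalCom's code: it reads the same registry locations this page refers to and treats a missing EnableMulticast value as non-compliant, since that means the policy was never applied. The function names are made up for this example.

```powershell
# Added example: audit LLMNR and NetBIOS-over-TCP/IP state on the local host.
# Registry paths and value names are the ones referenced on this page.
$llmnrKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$netbtIfKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LlmnrPolicyState {
    # A missing key or value means the policy was never applied, so LLMNR
    # is still on by default. Only an explicit 0 counts as remediated.
    $value = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    [pscustomobject]@{
        Check     = 'LLMNR (EnableMulticast)'
        Target    = $llmnrKey
        Value     = if ($null -eq $value) { 'not set' } else { $value }
        Compliant = ($null -ne $value -and $value -eq 0)
    }
}

function Get-NetbiosInterfaceState {
    # One subkey (Tcpip_{GUID}) exists per network interface. NetbiosOptions = 2
    # is the value this page sets to disable NetBIOS over TCP/IP.
    Get-ChildItem -Path $netbtIfKey -ErrorAction SilentlyContinue | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Check     = 'NetBIOS over TCP/IP (NetbiosOptions)'
            Target    = $_.PSChildName
            Value     = if ($null -eq $opt) { 'not set' } else { $opt }
            Compliant = ($opt -eq 2)
        }
    }
}

# Collect every check into one table so non-compliant interfaces stand out.
$results = @(Get-LlmnrPolicyState) + @(Get-NetbiosInterfaceState)
$results | Format-Table -AutoSize

# Single verdict for the host: true only if every check passed.
$allCompliant = -not ($results.Compliant -contains $false)
"Host compliant: $allCompliant"
```

Run it from an elevated prompt after the GPO has refreshed; an interface added later gets its own Tcpip_ subkey and will show up as non-compliant until the setting is applied to it.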

Operational Risks 

Disabling LLMNR can improve network security and mitigate specific risks, as discussed in previous articles. However, it’s essential to be aware of potential operational risks and drawbacks associated with disabling LLMNR:

  • Compatibility Issues: Disabling LLMNR can cause problems with older devices or software that rely on LLMNR for local network name resolution. Ensure all network devices and applications can operate smoothly without LLMNR before deactivating it.
  • User Experience: Disabling LLMNR can result in slower name resolution for local network resources, especially if alternative methods, such as DNS or NetBIOS, aren’t optimized. This could impact user experience and productivity.
  • Network Resource Discovery: LLMNR facilitates seamless discovery and connection between devices on the local network. Disabling it may require users to manually enter IP addresses or use alternative methods, potentially causing usability issues.
  • Delayed Network Troubleshooting: LLMNR is valuable for network troubleshooting and diagnostics. Disabling it might complicate the quick diagnosis and resolution of local network issues.
  • Increased Administrative Overhead: Without LLMNR, network administrators may need to rely more on DNS configurations and NetBIOS settings, increasing administrative complexity.
  • Limited Use Cases: Disabling LLMNR enhances security, but it may not be necessary in all network setups. Well-segmented, properly configured networks with robust security measures might face minimal LLMNR-related risks.

Hardening LLMNR

Hardening LLMNR involves several steps to minimize vulnerabilities and enhance network protection. Disabling LLMNR is the primary hardening step, and disabling it entirely is often recommended. Additional measures include:

  • Implementing Network Segmentation: Properly segmenting the network limits the scope of LLMNR’s operation and reduces exposure to potential threats.
  • Using Secure Name Resolution Protocols: Use secure name resolution, such as DNS with DNSSEC, to protect against potential LLMNR-related vulnerabilities.
  • Enabling Security Features: Leverage Windows security features and group policies to enhance network security and prevent unauthorized access.
  • Monitoring and Detection: Utilize network monitoring and intrusion detection systems to identify and respond to suspicious LLMNR activities, and enhance the network’s overall security posture.
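
One way to approach the monitoring step, as an added example that is not part of the original article: a host normally answers LLMNR queries only for its own name, so a single address answering for several different names is worth investigating. The log columns, addresses, names and the function name below are constructed for this example.

```powershell
# Constructed sample: LLMNR responses (UDP 5355) as a network sensor might
# export them. Column names, addresses and hostnames are made up.
$sample = @'
Time,ResponderIP,QueryName,AnswerIP
2026-03-15T09:00:01,10.0.0.21,FILESRV01,10.0.0.21
2026-03-15T09:00:07,10.0.0.66,fileserv,10.0.0.66
2026-03-15T09:00:12,10.0.0.66,wpad,10.0.0.66
2026-03-15T09:00:30,10.0.0.66,prnt-3rd-floor,10.0.0.66
2026-03-15T09:01:02,10.0.0.34,WS-034,10.0.0.34
'@ | ConvertFrom-Csv

function Find-LlmnrPoisonerCandidate {
    param(
        [Parameter(Mandatory)] [object[]] $Response,
        # Assumption: a legitimate host answers for one name (its own).
        [int] $MaxNames = 1
    )
    # Group responses by the address that sent them, then count the distinct
    # names each address claimed to be.
    $Response | Group-Object ResponderIP | ForEach-Object {
        $names = @($_.Group.QueryName | Sort-Object -Unique)
        if ($names.Count -gt $MaxNames) {
            [pscustomobject]@{
                ResponderIP = $_.Name
                NameCount   = $names.Count
                Names       = $names -join ', '
            }
        }
    }
}

# With the sample above, only 10.0.0.66 is reported (three distinct names).
Find-LlmnrPoisonerCandidate -Response $sample | Format-Table -AutoSize
```

Multi-homed servers or hosts with aliases may legitimately answer for more than one name, so raise -MaxNames or keep an allowlist for those.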

Disabling LLMNR is one of several controls required to meet CIS Benchmark compliance for Windows environments.

Key Takeaways

  • LLMNR is a legacy name-resolution protocol.
  • Attackers can exploit LLMNR to capture user credentials.
  • Disabling LLMNR strengthens network defenses against credential theft.
  • Security frameworks and CIS Benchmarks recommend disabling LLMNR.
  • CalCom Hardening Suite (CHS) automates LLMNR secure configuration.

FAQs

Why is LLMNR a security risk?
Attackers can exploit LLMNR through spoofing and poisoning attacks to capture user credentials and move laterally in the network.

Should LLMNR be disabled?
Yes. Security best practices and CIS Benchmarks recommend disabling LLMNR to minimize attack surface.

Will disabling LLMNR affect network performance?
No. Modern networks rely on DNS, so disabling LLMNR has little to no impact on normal operations.