How to disable LLMNR in Windows Server

Link-Local Multicast Name Resolution is usually not needed in modern networks and leaves the door open to man-in-the-middle attacks. Here's how to shut it off.

[Image: pressing a power switch. Credit: Thomas Soellner / Getty Images]

I recently started deploying servers based on Windows Server 2019 images and am setting up networks with Active Directory (AD). Setting up and migrating to 2019-era AD reminds me of discussions I’ve seen online about Active Directory and the attacks designed to go after it.

One recommended setting that helps mitigate the risk from those attacks is disabling Link-Local Multicast Name Resolution (LLMNR), a protocol that allows name resolution without a Domain Name System (DNS) server. LLMNR resolves a hostname to an IP address by multicasting a query packet across the entire local network.

In the process it asks every listening host to reply if it is authoritatively known by the hostname in the query. LLMNR queries are sent over UDP port 5355 to a multicast address. Windows uses LLMNR to identify the server behind a file-share name. Should it receive a reply, it sends the current user’s credentials directly to whichever host answered.

Why disable LLMNR?

What if a man-in-the-middle (MitM) attacker or impersonator got between that client and the file server? If the attacker is the one who answers the LLMNR query, the Windows client has disclosed the user’s credential hash to an untrusted third party. A smart attacker can relay that hash to the intended file server, and the network never notices anything is wrong.
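As an added example (not code from the article), the following PowerShell applies the mitigation the article recommends on the local host. It writes the `EnableMulticast` policy value under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient`, which is the value the "Turn off multicast name resolution" Group Policy setting controls, and then reports the resulting state. The function names `Get-LlmnrState` and `Disable-Llmnr` are my own; run it from an elevated PowerShell session.

```powershell
# Added example (not from the article): disable LLMNR on the local Windows host
# by setting the policy value behind "Turn off multicast name resolution"
# (Computer Configuration > Administrative Templates > Network > DNS Client),
# then verify the setting. Requires an elevated PowerShell session.
# On domain-joined servers, prefer delivering the same value through a GPO so it
# is enforced centrally; this script suits standalone hosts and quick audits.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$ValueName  = 'EnableMulticast'   # 0 = LLMNR disabled, 1 or absent = enabled

function Get-LlmnrState {
    # Returns 'Disabled', 'Enabled' or 'NotConfigured' from the policy value.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Llmnr {
    # Create the policy key if it does not exist yet, then set EnableMulticast = 0.
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyPath -Name $ValueName -Value 0 -Type DWord
}

Write-Host "LLMNR before: $(Get-LlmnrState)"
Disable-Llmnr
Write-Host "LLMNR after:  $(Get-LlmnrState)"

# Sanity check: once the DNS Client service has picked up the new policy (a
# reboot may be needed), nothing on the host should still be bound to UDP 5355.
Get-NetUDPEndpoint -LocalPort 5355 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

`Get-LlmnrState` is also useful on its own across a fleet (for example via `Invoke-Command`) to find servers where the setting never arrived, since a missing value means LLMNR is still enabled.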

