How to disable LLMNR in Windows Server

Link-Local Multicast Name Resolution is usually not needed in modern networks and leaves the door open to man-in-the-middle attacks. Here's how to shut it off.


I recently started deploying servers based on Windows Server 2019 images. I’m setting up networks with Active Directory (AD). As I’m setting up and migrating to 2019-era AD, it reminds me of discussions I’ve seen online regarding Active Directory and attacks designed to go after it.

One recommended setting that helps mitigate the risk from those attacks is disabling Link-Local Multicast Name Resolution (LLMNR), a protocol that allows hostname resolution without a Domain Name System (DNS) server. LLMNR resolves a hostname to an IP address by sending the query in a multicast packet to the entire local network segment.

That query asks every listening host to reply if it is authoritative for the hostname being queried. LLMNR sends these queries to a multicast address on UDP port 5355. Windows uses LLMNR to locate the server hosting a file share; should it receive a reply, it sends the current user’s credentials directly to that server.

Why disable LLMNR?

What if a man-in-the-middle (MitM) attacker or impersonator sits between that client and the file server? If the attacker answers the LLMNR query, the Windows client has disclosed the user’s credential hash to an untrusted third party. A capable attacker can relay that hash to the intended file server, and nothing on the network looks wrong.

In most cases, you no longer need LLMNR because the use of DNS has taken over. If you disable LLMNR and things break, you’ll need to undo this setting (obviously). The bigger question you should then ponder is what is still relying on such a legacy protocol.

How to disable LLMNR

To disable LLMNR in Group Policy do the following:

Create a new group policy or update an existing group policy and edit accordingly: “Computer Configuration” -> “Administrative Templates” -> “Network” -> “DNS Client”. Enable “Turn Off Multicast Name Resolution” policy by changing its value to “Enabled”.

In Local Group Policy, follow these steps:

“Computer Configuration” -> “Administrative Templates” -> “Network” -> “DNS Client”. Enable “Turn Off Multicast Name Resolution” policy by changing its value to Enabled.

Screenshot (Susan Bradley): Turn off multicast name resolution

To disable LLMNR at the command line, enter the following:

REG ADD "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient"

REG ADD "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f

The first command creates the DNSClient policy key if it does not already exist; the second sets the EnableMulticast value to 0, which is the same value the “Turn Off Multicast Name Resolution” policy writes.

How to disable NetBIOS Name Service on older systems

Most often you’ll see LLMNR in networks with decommissioned file shares and older server operating systems. If a client can’t resolve a hostname using DNS, it then uses Link-Local Multicast Name Resolution. LLMNR is used in both IPv4 and IPv6 networks. If LLMNR fails, then NetBIOS Name Service (NBNS) is used. NBNS works with IPv4 only. For this reason, you need to disable both LLMNR and NetBIOS Name Service.

You cannot disable NBNS via Group Policy, so you need to use a script. You can also disable it manually on each machine if necessary by doing the following:

On your computer open “Control Panel” and go to “Network and sharing center” ->  “Change adapter settings” -> “Local area connection” -> double click on “Internet Protocol Version 4” -> “Advanced” -> “WINS (Windows Internet Name Service)” -> “Disable NetBios over TCP/IP”.

To disable NBNS via DHCP server properties, across a domain with DHCP clients:

  • Open the DHCP Snap-In.
  • Open “Scope options” for the network you are protecting.
  • Right-click on “Configure options”.
  • Click on the “Advanced” tab and change “Vendor class” to “Microsoft Windows 2000 options”.
  • In the “Available options” section, click the box for “001 Microsoft Disable Netbios Option”.
  • In the “Data entry” frame, change the data entry to 0x2.
  • Click “OK.”
  • When the clients renew addresses, the settings will be refreshed and NBNS will no longer be enabled in the network.
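The script route mentioned above for NBNS, combined with the LLMNR registry value set by the REG ADD command earlier, as an added PowerShell example that is not part of the original article. It audits the current state, then disables both on the local machine; the registry path and the Win32_NetworkAdapterConfiguration SetTcpipNetbios method are the documented Windows ones, while the function names are my own.

```powershell
# Added example, not from the article: audit and then disable LLMNR and NetBIOS Name
# Service on the local machine. Run in an elevated PowerShell session; add -WhatIf to
# either Disable-* call to see what would change without changing anything.
$LlmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-NameResolutionState {
    # Report the LLMNR policy value and the NetBIOS-over-TCP/IP setting per adapter.
    $llmnr = Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, TcpipNetbiosOptions   # 0 = from DHCP, 1 = enabled, 2 = disabled
    [pscustomobject]@{
        LlmnrDisabled = ($null -ne $llmnr -and $llmnr.EnableMulticast -eq 0)
        Adapters      = $adapters
    }
}

function Disable-Llmnr {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # EnableMulticast = 0 is what the "Turn Off Multicast Name Resolution" policy writes.
    if ($PSCmdlet.ShouldProcess($LlmnrKey, 'Set EnableMulticast = 0')) {
        New-Item -Path $LlmnrKey -Force | Out-Null
        New-ItemProperty -Path $LlmnrKey -Name EnableMulticast -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Disable-NetbiosNameService {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Same setting as the WINS tab in the adapter properties. SetTcpipNetbios(2) returns
    # 0 on success and 1 when a reboot is required for the change to take effect.
    foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        if ($PSCmdlet.ShouldProcess($nic.Description, 'Disable NetBIOS over TCP/IP')) {
            $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 }
            if ($result.ReturnValue -notin 0, 1) {
                Write-Warning "$($nic.Description): SetTcpipNetbios returned $($result.ReturnValue)"
            }
        }
    }
}

Get-NameResolutionState | Format-List
Disable-Llmnr
Disable-NetbiosNameService
Get-NameResolutionState | Format-List
```

Run the audit function alone on a sample of hosts first; adapters reporting TcpipNetbiosOptions 0 are the ones that will follow whatever the DHCP option described above hands out.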

As you migrate to new Windows Server versions, take the time to ensure you aren’t dragging along old vulnerable settings that can be retired.


Copyright © 2019 IDG Communications, Inc.
