How to and why you should disable LLMNR with Windows Server

Hello, this is Susan Brother for CSO Online. Recently, I started deploying servers based on server 2019 and with each new version of the operating system many things stay the same and many things change. And while I was setting up server 2019 and getting ready to migrate from the older versions of server to this one, it started me think about ways and things I’ve been doing that I probably should change or at least investigate and see if I can do things a little bit better. I’ve seen online several talks and discussions about on that active directory attacks and it made me start thinking about it. Sometimes we have legacy settings left behind and we don’t even realize they’re there. For example, there’s something you may not even know about called LLMNR and back in June of 2018, the Black Hills Information Security Blog indicated that you probably want to disable it and why you want to. LLMNR stands for link local multicast name resolution, pretty big mouthful, and there’s also another protocol you may want to disable while you’re there is the net bios name service. I’m sure you’ve heard about net bios name service and used it for years. But in this era of server 2019 and Windows 10, chances are you don’t need net bios anymore and you can block these protocols without any effect on your existing systems. In an attack sequence, the attacker gets in a man in the middle situation and he listens to the connections between the servers and the can in the client’s. Especially on older systems, what happens first is a multicast packet goes out to ask for names of other locations in the network. Port UDP 5355 is used to send these multicast network address, Windows will use this protocol to identify the server of a file share. Should it receive a reply, it will send the current user’s credentials in form of a hash back to that server. This especially happens when you’ve had retired file servers or old systems and you haven’t gone through and pulled them out of Active Directory. If you ever do sniffing or wire shark or look at packets between work stations and your network, you’ll probably see requests for old servers that you haven’t had in your network for quite a while. If an attacker is able to get in the middle of those transmissions, they can grab that hash value and if they’re really smart, they’ll pass along that hash value to the file server so that no one in the connection between the client and the file server will be the wiser between the two. The attacker will have the hash value of the credentials. Everyone in the network will be happy. However, there’s a ticking time bomb, obviously, since that attacker has the credentials that go into the network. If you disable these protocols and something stops working inside your network, obviously you’ll need to go back and undo these settings and then ask yourself and what exactly broke? Is it a line of business application? Go back to that vendor and say, why are you relying on a legacy protocol that should be turned off? In most modern networks, you can turn off these settings and nothing will happen. Everything will go on just as it was before. So let’s see what these two settings are. To disable link, local multicast name resolution or LLMNR, you can go into group policy. Here’s an example in the local group policy. Go into computer for complete computer configuration administrative templates network DNS client.

So here we are. Go down to the bottom where it says turn off multicast name resolution and you want to make it enabled. Click, apply and click, OK.

You can also do with registry keys. And here’s the sample registry keys you can add that will disable LLMNR. LLMNR is used in both IPv4 and 6 networks. If LLMNR fails, then the net bias name service kicks. Net bios name service differs from the local multicast in that it works with IP V 4 only. To disable that net bios, you’ll need to use your DHCP snap in up on your domain controllers. You want to open your scope options for the network you’re protecting. Right mouse click and click on configure options. Now click on the advanced tab and go into the vendor class and choose Microsoft Windows 2000 options and the available options sections. You want to click on that Microsoft disable that BIOS option. And then in the data entry frames section, change the data entry to 0 6. To change that value to a two click. OK. Apply. OK. When the clients renew their addresses, the settings will be refreshed and net bios will no longer be in the network. If you are in a network that no longer uses the DHCP options, you can also do it per TGP IP settings and also using a script. So there you have it. As you migrate to these new versions of server, think about legacy settings, legacy protocols and other changes you can move and take along the way. Make sure you’re not building in and bringing over in security from the older versions. Take the time to review options. Make changes for the better until next time. This is Susan Bradley for CSO Online. And don’t forget to sign up for tech talk from IDG, the new YouTube channel for the tech news of the day. Until next time.