NOTE: All below settings should be completely tested in specific environments prior to changing. Many legacy products unfortunately rely on these outdated methods of name resolution, performing these actions can be damaging to your environment. If you have a healthy DNS infrastructure and you are sure that lookups go through your DNS and not through local lookup, you should be generally OK.

Disable LLMNR

1. Open gpedit.msc
2. Goto Computer Configuration -> Administrative Templates -> Network -> DNS Client
3. Click on “Turn Off Multicast Name Resolution” and set it to “Enabled”

Disable NetBios

You can’t disable netbios directly within group policy, but there are a few different ways that you can..

1. Via PowerShell
   1. Via registry settings
      set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\tcpip* -Name NetbiosOptions -Value 2

Disable/Configure WPAD

1. To disable WPAD you must turn off the automatic proxy configuration settings option in Internet Explorer
   1. In group policy, expend User Configuration>Administrative Templates>Windows Components>Internet Explorer>Disable changing Automatic Configuration settings
   2. Another option is to configure WPAD, as this will make poisoning the entry impossible.

Disable LM Hash

1. If you are running an older forest functional level the LMhash is an older hash that is easily cracked that stores AD credentials which you can turn off using group policy.
   1. In Group Policy, expand Computer Configuration>Windows Settings>Security Settings>Local Policies>Security Options>Network security: Do not store LAN Manager hash value on next password change.

Note: After forest functional level 2008, this is set to enabled by default

Additional Resources:

• MITRE: Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
• Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS
• How To Disable LLMNR & Why You Want To

Contact Us

Have questions or want to learn more about Blumira? We’re happy to help.