
How to Disable LLMNR, Netbios, WPAD, & LM Hash

NOTE: Test all of the settings below in your specific environment before changing them. Many legacy products still rely on these outdated name resolution methods, so applying these changes can break things in your environment. If you have a healthy DNS infrastructure and are sure that lookups go through DNS rather than local broadcast resolution, you should generally be OK.

Disable LLMNR

  1. Open gpedit.msc
  2. Go to Computer Configuration -> Administrative Templates -> Network -> DNS Client
  3. Click on “Turn Off Multicast Name Resolution” and set it to “Enabled”

Disable NetBios

You can’t disable NetBIOS directly within group policy, but there are a few different ways that you can do it.

  1. Via PowerShell
    1. Set the per-interface registry value (run from an elevated prompt; a value of 2 disables NetBIOS over TCP/IP on every Tcpip* interface key)
      # Disable NetBIOS over TCP/IP on all interfaces (NetbiosOptions: 0 = DHCP default, 1 = enabled, 2 = disabled)
      Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip*' -Name NetbiosOptions -Value 2

Disable/Configure WPAD

  1. To disable WPAD you must turn off the automatic proxy configuration settings option in Internet Explorer
    1. In group policy, expand User Configuration>Administrative Templates>Windows Components>Internet Explorer>Disable changing Automatic Configuration settings
    2. Another option is to configure WPAD explicitly, since an entry that already exists cannot be poisoned.

Disable LM Hash

  1. If you are running an older forest functional level, Windows still stores the LM hash, a legacy hash of AD credentials that is easily cracked. You can turn it off using group policy.
    1. In Group Policy, expand Computer Configuration>Windows Settings>Security Settings>Local Policies>Security Options>Network security: Do not store LAN Manager hash value on next password change.

Note: After forest functional level 2008, this setting is enabled by default.
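The script below is an added example, not part of the original article: it audits a single host for the four settings described above and, with -Apply, writes the hardened values. The LLMNR (EnableMulticast), NetBIOS (NetbiosOptions) and LM hash (NoLMHash) registry locations are the documented ones; the WPAD "Autoconfig" policy value under the Internet Explorer Control Panel key is an assumption to verify against your ADMX templates, and the HKCU check covers only the user running the script.

```powershell
# Added example, not from the original article: audit one host for the four
# settings above and report which are still in their default (poisonable) state.
# Run in an elevated PowerShell; HKCU values are checked for the current user only.
# The WPAD "Autoconfig" policy value is an assumption; verify it against your ADMX.
param([switch]$Apply)   # -Apply writes the hardened values; default is audit only

$Checks = @(
    @{ Name = 'LLMNR disabled (EnableMulticast = 0)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Value = 'EnableMulticast'; Expected = 0 },
    @{ Name = 'LM hash storage disabled (NoLMHash = 1)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'NoLMHash'; Expected = 1 },
    @{ Name = 'IE automatic configuration locked (Autoconfig = 1)'
       Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
       Value = 'Autoconfig'; Expected = 1 }
)
# NetBIOS over TCP/IP is configured per interface: one check per Tcpip_* subkey.
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem -Path $ifaceRoot | Where-Object PSChildName -like 'Tcpip_*') {
    $Checks += @{ Name = "NetBIOS disabled on $($iface.PSChildName) (NetbiosOptions = 2)"
                  Path = $iface.PSPath; Value = 'NetbiosOptions'; Expected = 2 }
}

$Results = foreach ($c in $Checks) {
    $props = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $current = if ($props) { $props.($c.Value) } else { $null }   # $null = value not set
    $ok = ($null -ne $current) -and ($current -eq $c.Expected)
    if (-not $ok -and $Apply) {
        if (-not (Test-Path -Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
        $ok = $true
    }
    [pscustomobject]@{ Setting = $c.Name; Current = $current; Compliant = $ok }
}

$Results | Format-Table -AutoSize
if ($Results.Compliant -contains $false) {
    Write-Warning 'Some settings are still in their default state; LLMNR/NBT-NS poisoning remains possible.'
}
```

Settings written directly to the registry can be overwritten by Group Policy on the next refresh, so the GPO steps above remain the authoritative way to enforce them across a domain.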

Additional Information:

NetBIOS Name Service (NBT-NS) and Link-Local Multicast Name Resolution (LLMNR) spoofing generally refers to the use of the Responder tool. It allows an attacker on the same broadcast domain to poison NetBIOS Name Service and Link-Local Multicast Name Resolution lookups made over that broadcast network.

Due to the nature of Windows authentication, these poisoned lookups can force machines to send their NetNTLMv2 password hashes for authentication purposes. Keep in mind that a strong password policy, 12-14 characters and above, makes this effort much more difficult, because NetNTLMv2 hashes are slow to crack.

Additionally, the same tool can be used to relay SMB connections if SMB signing is not required by GPO.
