How to Disable LLMNR, Netbios, WPAD, & LM Hash

NOTE: All below settings should be completely tested in specific environments prior to changing. Many legacy products unfortunately rely on these outdated methods of name resolution, performing these actions can be damaging to your environment. If you have a healthy DNS infrastructure and you are sure that lookups go through your DNS and not through local lookup, you should be generally OK.

Disable LLMNR

Open gpedit.msc
Goto Computer Configuration -> Administrative Templates -> Network -> DNS Client
Click on “Turn Off Multicast Name Resolution” and set it to “Enabled”

Disable NetBios

You can’t disable netbios directly within group policy, but there are a few different ways that you can..

Via PowerShell
1. Via registry settings set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\tcpip* -Name NetbiosOptions -Value 2

Disable/Configure WPAD

To disable WPAD you must turn off the automatic proxy configuration settings option in Internet Explorer
1. In group policy, expend User Configuration>Administrative Templates>Windows Components>Internet Explorer>Disable changing Automatic Configuration settings
2. Another option is to configure WPAD, as this will make poisoning the entry impossible.

Disable LM Hash

If you are running an older forest functional level the LMhash is an older hash that is easily cracked that stores AD credentials which you can turn off using group policy.
1. In Group Policy, expand Computer Configuration>Windows Settings>Security Settings>Local Policies>Security Options>Network security: Do not store LAN Manager hash value on next password change.

Note: After forest functional level 2008, this is set to enabled by default Additional Information: NetBios Name Service (NBT-NS) and Link-Local Multicast Name Resolution (LLMNR) spoofing is generally refers to the Hacker Tool Responder being utilized. This allows for attackers who are within the broadcast of the network to poison in-broadcast NetBIOS Name Service and Link-Local Multicast Name Resolution lookups. Due to the nature of Windows authentication, these lookups can be poisoned to force machines to send their NetNTLMv2 password hashes for authentication purposes. Keep in mind a strong password policy, 12-14 characters and above, will make this effort much more difficult as NetNTLMv2 hashes are quite difficult to crack due to how slow it is. Additionally, the same tool can be used to relay SMB connections if they are not being signed per GPO policy.

Additional Security Resources

View All Posts

Critical Microsoft SharePoint Server vulnerability

Security Trends and Info

9 min read | July 24, 2025

Critical Microsoft SharePoint Server vulnerability allows unauthorized code execution

Customer Success Stories

6 min read | July 15, 2025

Customer Story: LEAP Managed IT Streamlines Ticketing and Boosts Visibility with Blumira’s API

SIEM XDR

7 min read | June 9, 2025

Customer Story: NetCenter Technologies

Get Started for Free

Experience the Blumira Free SIEM, with automated detection and response plus compliance reports for 3 cloud connectors.