Apr 17
"Disable" Local Multicast Name Resolution (LLMNR) and NetBios
By default Microsoft Windows clients can use local multicast name resolution (LLMNR).  Windows clients typically broadcast to resources such as file servers or to SharePoint sites as you are at this moment.  If that client is on that same subnet as the broadcast it will respond to the connection without using DNS.  Scary, but local, right?  Let's hope no client on that network isn't compromised, however I would suggest if you haven't heard of this feature, don't use it, especially in the enterprise networks.  There are many methods to carry out this attack and a simple Google will be enlightening.

Description of Setting

LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.

If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.
 
You can disable LLMNR using Group Policy, and you should disable NetBIOS over TCP/IP as well. Note: there is no Group Policy setting to disable NetBIOS; you can, however, use a startup or logon script to disable it.
  1. Open gpedit.msc
  2. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client
    1. Choose Turn Off Multicast Name Resolution and set it to Enabled.

NetBIOS registry syntax to use

Create a script file and push it out through a logon script.

  1. The following registry location will contain one or several GUIDs, one per interface:
    1. HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{........}
      1. The DWORD value NetbiosOptions should be set to 2 to disable NetBIOS over TCP/IP on that interface.
    2. Use the following syntax to address all of the Tcpip_ GUID keys at once (the wildcard matches every interface):
      1. Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip* -Name NetbiosOptions -Value 2
  2. You need to restart the computer, or disable and re-enable the NIC, for the registry change to take effect.
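The two controls above (the LLMNR policy and the per-interface NetbiosOptions value) combined into one audit-and-remediate startup script, as an added example that is not part of the original post. It assumes an elevated PowerShell session; the DNSClient\EnableMulticast policy value is not mentioned on the page but is the registry setting the "Turn off multicast name resolution" GPO writes.

```powershell
# Added example (not from the original post): audit and remediate LLMNR and
# NetBIOS-over-TCP/IP in one startup/logon script. The NetbiosOptions path and
# value 2 come from the post; the DNSClient\EnableMulticast policy value is the
# registry setting written by the "Turn off multicast name resolution" GPO.
# Must run elevated (HKLM writes).

$LlmnrPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NetbtIfKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-NameResolutionStatus {
    # One object per Tcpip_{GUID} interface key, plus the machine-wide LLMNR policy state.
    $llmnr = Get-ItemProperty -Path $LlmnrPolicyKey -Name EnableMulticast -ErrorAction SilentlyContinue
    $llmnrDisabled = ($null -ne $llmnr) -and ($llmnr.EnableMulticast -eq 0)

    Get-ChildItem -Path $NetbtIfKey | Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object {
            $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
            [pscustomobject]@{
                Interface       = $_.PSChildName
                NetbiosOptions  = $opt    # 0 = use DHCP setting, 1 = enabled, 2 = disabled
                NetbiosDisabled = ($opt -eq 2)
                LlmnrDisabled   = $llmnrDisabled
            }
        }
}

function Disable-LegacyNameResolution {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($LlmnrPolicyKey, 'Set EnableMulticast = 0')) {
        if (-not (Test-Path $LlmnrPolicyKey)) { New-Item -Path $LlmnrPolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $LlmnrPolicyKey -Name EnableMulticast -Value 0 -Type DWord
    }

    # Same change as the post's one-liner, but only on interfaces that still need it,
    # so the script is idempotent and -Verbose output shows exactly what it touched.
    Get-NameResolutionStatus | Where-Object { -not $_.NetbiosDisabled } | ForEach-Object {
        $path = Join-Path -Path $NetbtIfKey -ChildPath $_.Interface
        if ($PSCmdlet.ShouldProcess($path, 'Set NetbiosOptions = 2')) {
            Set-ItemProperty -Path $path -Name NetbiosOptions -Value 2 -Type DWord
            Write-Verbose "Disabled NetBIOS over TCP/IP on $($_.Interface)"
        }
    }
}

# Preview with: Disable-LegacyNameResolution -WhatIf ; then run it for real and reboot
# (or disable/re-enable the NIC) so NetBT picks up the new NetbiosOptions value.
```

Run Get-NameResolutionStatus afterwards (or from a monitoring job) to confirm every interface reports NetbiosDisabled and LlmnrDisabled as True.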

Resources

https://blogs.technet.microsoft.com/networking/2008/04/01/how-to-benefit-from-link-local-multicast-name-resolution
http://www.fixitscripts.com/problems/script-to-disable-netbios-over-tcp-ip
