How to and why you should disable LLMNR with Windows Server


Hello, this is Susan Bradley for CSO Online. Recently, I started deploying servers based on Server 2019, and with each new version of the operating system many things stay the same and many things change. While I was setting up Server 2019 and getting ready to migrate from the older versions of Server to this one, it started me thinking about ways and things I’ve been doing that I probably should change, or at least investigate and see if I can do things a little bit better.

I’ve seen online several talks and discussions about Active Directory attacks, and it made me start thinking about it. Sometimes we have legacy settings left behind and we don’t even realize they’re there. For example, there’s something you may not even know about called LLMNR, and back in June of 2018 the Black Hills Information Security blog indicated that you probably want to disable it, and why. LLMNR stands for Link-Local Multicast Name Resolution, a pretty big mouthful, and there’s also another protocol you may want to disable while you’re there: the NetBIOS Name Service. I’m sure you’ve heard about the NetBIOS Name Service and used it for years. But in this era of Server 2019 and Windows 10, chances are you don’t need NetBIOS anymore, and you can block these protocols without any effect on your existing systems.

In an attack sequence, the attacker gets into a man-in-the-middle situation and listens to the connections between the servers and the clients. Especially on older systems, what happens first is a multicast packet goes out to ask for names of other locations in the network. Port UDP 5355 is used to send these multicast requests; Windows will use this protocol to identify the server of a file share. Should it receive a reply, it will send the current user’s credentials, in the form of a hash, back to that server. This especially happens when you’ve had retired file servers or old systems and you haven’t gone through and pulled them out of Active Directory. If you ever do sniffing, or use Wireshark to look at packets between workstations and your network, you’ll probably see requests for old servers that you haven’t had in your network for quite a while. If an attacker is able to get in the middle of those transmissions, they can grab that hash value, and if they’re really smart, they’ll pass along that hash value to the file server so that no one in the connection between the client and the file server will be the wiser. The attacker will have the hash value of the credentials. Everyone in the network will be happy. However, there’s a ticking time bomb, obviously, since that attacker has the credentials that go into the network.

If you disable these protocols and something stops working inside your network, obviously you’ll need to go back and undo these settings, and then ask yourself: what exactly broke? Is it a line-of-business application? Go back to that vendor and say, why are you relying on a legacy protocol that should be turned off? In most modern networks, you can turn off these settings and nothing will happen. Everything will go on just as it was before.

So let’s see what these two settings are. To disable Link-Local Multicast Name Resolution, or LLMNR, you can go into Group Policy. Here’s an example in the local Group Policy. Go into Computer Configuration, Administrative Templates, Network, DNS Client. Go down to the bottom where it says “Turn off multicast name resolution” and set it to Enabled. Click Apply and click OK. You can also do it with registry keys, and here are the sample registry keys you can add that will disable LLMNR. LLMNR is used in both IPv4 and IPv6 networks. If LLMNR fails, then the NetBIOS Name Service kicks in. The NetBIOS Name Service differs from Link-Local Multicast Name Resolution in that it works with IPv4 only.

To disable NetBIOS, you’ll need to use your DHCP snap-in on your domain controllers. You want to open your scope options for the network you’re protecting. Right-click and click on Configure Options. Now click on the Advanced tab, go into the vendor class and choose Microsoft Windows 2000 Options, and in the available options section click on the Microsoft Disable NetBIOS option. Then in the data entry frame section, change the data entry to 0 6; change that value to a two and click OK, Apply, OK. When the clients renew their addresses, the settings will be refreshed and NetBIOS will no longer be in the network. If you are in a network that no longer uses the DHCP options, you can also do it per TCP/IP settings, and also using a script.

So there you have it. As you migrate to these new versions of Server, think about legacy settings, legacy protocols and other changes you can make along the way. Make sure you’re not building in and bringing over insecurity from the older versions. Take the time to review options. Make changes for the better. Until next time, this is Susan Bradley for CSO Online. And don’t forget to sign up for Tech Talk from IDG, the new YouTube channel for the tech news of the day. Until next time.
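The registry and per-TCP/IP route mentioned above, as an added PowerShell example that is not from the video: it writes the EnableMulticast policy value that the "Turn off multicast name resolution" Group Policy setting sets, turns off NetBIOS over TCP/IP on every interface through the NetBT per-interface setting, and keeps an -Undo switch for the rollback the video recommends if something breaks. It assumes it runs elevated on the machine itself; the key paths and value names are the standard Windows ones, not taken from the page.

```powershell
# Added example (not from the original video). Run elevated.
# -Undo restores LLMNR and returns NetBIOS to "use DHCP setting" so you can
# find out what broke, as the video advises, before deciding to keep it off.
[CmdletBinding()]
param([switch]$Undo)

$LlmnrKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NetbtIfKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Set-Llmnr {
    param([bool]$Enabled)
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    # EnableMulticast = 0 is what "Turn off multicast name resolution: Enabled" writes
    New-ItemProperty -Path $LlmnrKey -Name 'EnableMulticast' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

function Set-NetbiosOverTcpip {
    # NetbiosOptions: 0 = use the DHCP option, 1 = enabled, 2 = disabled.
    # Setting 2 here overrides whatever the DHCP scope option hands out.
    param([int]$Option)
    Get-ChildItem -Path $NetbtIfKey | Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object {
            Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value $Option -Type DWord
        }
}

function Get-NameResolutionState {
    # Reports the current state so the change (or the rollback) can be verified
    $llmnr = (Get-ItemProperty -Path $LlmnrKey -Name 'EnableMulticast' `
        -ErrorAction SilentlyContinue).EnableMulticast
    $nbt = Get-ChildItem -Path $NetbtIfKey | Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object {
            [pscustomobject]@{
                Interface      = $_.PSChildName
                NetbiosOptions = (Get-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions').NetbiosOptions
            }
        }
    [pscustomobject]@{ LlmnrEnableMulticast = $llmnr; NetBT = $nbt }
}

if ($Undo) {
    Set-Llmnr -Enabled $true          # policy value back to 1 (LLMNR allowed)
    Set-NetbiosOverTcpip -Option 0    # back to honouring the DHCP scope option
} else {
    Set-Llmnr -Enabled $false         # LLMNR off (IPv4 and IPv6)
    Set-NetbiosOverTcpip -Option 2    # NetBIOS over TCP/IP off on every interface
}
Get-NameResolutionState | Format-List
```

A missing EnableMulticast value in the report means no policy is set and LLMNR is still enabled by default; a fresh capture on UDP 5355 and UDP 137 after the change is the quickest confirmation that the broadcasts have stopped.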
