Disable LLMNR and NetBIOS using GPO
Purpose
We already know that anything legacy and unsupported should be removed. But recently I learned about LLMNR from an article titled "Gain domain admin from outside active directory".[1] Yet another dangerous service enabled by default: when a Windows host cannot resolve a name through DNS, it falls back to asking the local subnet over multicast (LLMNR on UDP 5355) and then NetBIOS name service broadcasts (UDP 137), and anyone on that subnet can answer and collect NTLM authentication attempts with a tool like Responder. My ignorance is showing, since I have seen LLMNR in action when looking through packet captures. I thought it was a little odd that systems would ask each other for hostnames instead of the DNS server, but I had to troubleshoot a SIP issue, dammit!
Regardless, it is a good idea to disable both in any environment where DNS is authoritative for every name clients need; once a host has nothing legitimate to resolve this way, the only thing the fallback can do is leak credentials.
LLMNR
This one is simple using either local group policy (gpedit.msc / LGPO) or a domain GPO.[2]
Computer Configuration -> Administrative Templates -> Network -> DNS Client
Enable "Turn off multicast name resolution"
The policy writes the DWORD EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, so that value is the thing to check on a host after gpupdate if you want to confirm it actually applied.
NetBIOS
Of course Microsoft would be a pain and not have an explicit policy for NetBIOS. Yet they leave it enabled by default on their operating systems....
NetBIOS over TCP/IP is a per-adapter setting (TcpipNetbiosOptions: 0 = use the DHCP server's setting, which in practice means enabled, 1 = enabled, 2 = disabled), which is why there is no single Administrative Template for it. Because new adapters (VPN, docking station NICs) inherit the default, a GPO computer startup script that fixes every adapter on each boot is the practical approach. The following appears to do the trick:[3]
```
wmic nicconfig where (TcpipNetbiosOptions!=Null and TcpipNetbiosOptions!=2) call SetTcpipNetbios 2
```
Caveat: wmic is deprecated and is no longer installed by default on current Windows releases, so a script built on it will silently stop working as machines are upgraded; the CIM cmdlets in PowerShell drive the same WMI class and method. Alternatives that avoid a script entirely are the per-interface registry value NetbiosOptions = 2 under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{GUID} (pushed with Group Policy Preferences, as the woshub article describes[2]) and, for DHCP clients, the Microsoft vendor-specific DHCP option "001 Microsoft Disable Netbios Option" set to 2.
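As an added example (not from the original page or the cited articles), here is a PowerShell version of the startup script that covers both sections above: it checks that the LLMNR policy value from the GPO actually landed in the registry, then disables NetBIOS over TCP/IP on every IP-enabled adapter using the CIM cmdlets instead of wmic. The registry path and the Win32_NetworkAdapterConfiguration class/method are the real ones; the log messages and the decision to treat option 0 (DHCP default) as "needs fixing" are my choices.

```powershell
# Added example, not the page's own script. Run elevated, e.g. as a GPO
# computer startup script. Requires only built-in PowerShell 5.1+ cmdlets.

# --- LLMNR: verify the "Turn off multicast name resolution" policy applied ---
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
if ($null -eq $llmnr -or $llmnr.EnableMulticast -ne 0) {
    # Policy missing or set to 1: the host will still multicast name lookups
    Write-Warning 'LLMNR is NOT disabled by policy (EnableMulticast missing or != 0)'
} else {
    Write-Host 'LLMNR disabled by policy (EnableMulticast = 0)'
}

# --- NetBIOS over TCP/IP: per-adapter, so loop over every IP-enabled adapter ---
# TcpipNetbiosOptions: 0 = use DHCP setting (effectively enabled), 1 = enabled, 2 = disabled
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $adapters) {
    if ($nic.TcpipNetbiosOptions -eq 2) {
        Write-Host ("{0}: NetBIOS already disabled" -f $nic.Description)
        continue
    }
    # Same WMI method the wmic one-liner calls; ReturnValue 0 = success, 1 = reboot required
    $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                               -Arguments @{ TcpipNetbiosOptions = 2 }
    if ($result.ReturnValue -in 0, 1) {
        Write-Host ("{0}: NetBIOS disabled (return {1})" -f $nic.Description, $result.ReturnValue)
    } else {
        Write-Warning ("{0}: SetTcpipNetbios failed with return {1}" -f $nic.Description, $result.ReturnValue)
    }
}
```

Run it once by hand and watch the return values before deploying it as a startup script; a return of 1 means the adapter only picks up the change after a reboot, which is fine for a script that runs at every boot anyway. After a reboot, `netstat -an | findstr 137` should show nothing listening on UDP 137.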
- [1] https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html?lipi=urn%3Ali%3Apage%3Ad_flagship3_profile_view_base_recent_activity_details_all%3B512zHgY%2FSL6oMdonsOyiHQ%3D%3D
- [2] http://woshub.com/how-to-disable-netbios-over-tcpip-and-llmnr-using-gpo/
- [3] https://www.youtube.com/watch?v=1Dm87ivLXr0