How to disable LLMNR on Windows

LLMNR (Link-Local Multicast Name Resolution) is a protocol that allows hostname-to-IP resolution on the local link without a DNS server. When a DNS lookup fails, Windows multicasts a query to UDP port 5355 on the link-local multicast address (224.0.0.252 for IPv4, FF02::1:3 for IPv6), asking every listening interface on the same layer-2 segment to reply if it considers itself authoritative for the queried hostname. Any host that answers is trusted as the owner of that name.

Security Risk: Windows uses LLMNR in certain circumstances to locate machines on the network, such as file servers, typically when the name is mistyped or DNS cannot resolve it. If Windows tries to resolve the name of a file share via LLMNR and receives a reply, it connects to the responding host and starts NTLM authentication, on the assumption that nothing would have replied unless it was the authoritative file server. If the LLMNR response actually came from an impersonator, Windows has just disclosed the user’s NTLM challenge-response (a NetNTLM hash) to a third party, who can attempt to crack it offline. What’s worse? The impersonator may relay that authentication to the real file server (an NTLM relay), so the user never realizes anything is amiss.

This video explains how you can manually disable LLMNR on your Windows devices.
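The manual fix, as an added PowerShell example (this is not GYTPOL's code and not from the video): it writes the same registry value that the Group Policy setting "Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution" sets, verifies the result, and optionally adds an outbound firewall rule so the host cannot send LLMNR queries even if the policy is later reverted. The firewall rule name is an assumption chosen for this example; run the script from an elevated session.

```powershell
# Added example, not GYTPOL's own tooling. Run as Administrator.
# Disables LLMNR on the local machine via the DNS Client policy key and verifies it.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$valueName = 'EnableMulticast'   # 0 = multicast name resolution (LLMNR) off

function Get-LlmnrState {
    # Returns 'Disabled' only when the policy value exists and is 0.
    # On a default install the value is absent, which means LLMNR is enabled.
    $current = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $current -and $current.$valueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Llmnr {
    # Create the policy key if no DNS Client policy has ever been applied here.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # -Force overwrites an existing value (e.g. EnableMulticast = 1).
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
}

Write-Host "LLMNR before: $(Get-LlmnrState)"
Disable-Llmnr
Write-Host "LLMNR after:  $(Get-LlmnrState)"

# Defence in depth (rule name is an assumption for this example). The risk is this
# host *sending* queries and trusting the reply, so block outbound UDP to port 5355;
# replies to a query come back to an ephemeral source port, so an inbound rule on
# 5355 would only stop this host from answering other machines' queries.
$ruleName = 'Block outbound LLMNR (UDP 5355)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol UDP `
        -RemotePort 5355 -Action Block | Out-Null
}
Write-Host "Firewall rule present: $([bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue))"
```

The registry change takes effect for new name lookups without a reboot. On domain-joined machines, prefer setting the equivalent Group Policy so the value is enforced centrally and is not silently reverted by a later policy refresh. Note that the same poisoning attack works against NetBIOS Name Service, which this setting does not touch and must be disabled separately on each adapter.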

Fix it easily with GYTPOL

GYTPOL allows you to fix this issue and hundreds of other security gaps for all PCs & Servers in your network through a centralized dashboard using our Security Configuration Management platform.

It’s fast, you can automate it, and we can also predict the impact before applying the change.

For more information and a free trial, please complete your details below.
