How to disable LLMNR on Windows

LLMNR was a protocol used that allowed name resolution without the requirement of a DNS server. It was able to provide a hostname-to-IP based off a multicast packet sent across the network asking all listening Network-Interfaces to reply if they are authoritatively known as the hostname in the query. It does this by sending a network packet to port UDP 5355 to the multicast network address (all layer 2).

Security Risk: Windows will use LLMNR in certain circumstances to identify certain machines on the network, such as file-servers. If Windows attempts to use LLMNR to identify the server of a file-share and it receives a reply, it will send the current user’s credentials directly to that server assuming it wouldn’t have replied if it wasn’t the authoritative file-server. If that LLMNR received response was actually an impersonator, Windows just disclosed that user’s credential hash to a third-party. What’s worse? The impersonator may forward that packet to the actual file-server, so the user never realizes anything is amiss.

This video explains how you can manually disable LLMNR on your Windows devices.

View more videos >>

Fix it easily with GYTPOL

GYTPOL allows you to fix this issue and hundreds of other security gaps for all PCs & Servers in your network through a centralized dashboard using our Security Configuration Management platform.

It’s fast, you can automate it and we can also predict the impact before applying.

For more information and a free trial, please complete your details below.

Free Trial

Free Trial Request