How to Disable NetBIOS Over TCP/IP and LLMNR Using GPO

Using obsolete protocols without explicit need may become a potential security flaw in any computer network. In this context, the recent buzz over WCry ransomware is showcase, and the easiest way to protect against it was to stop using the obsolete SMBv1 protocol by completely disabling it. Broadband protocols, like NetBIOS over TCP/IP and LLMNR are also obsolete and used in the majority of modern networks only for compatibility reasons. At the same time, hackers have different tools that use some vulnerabilities in NetBIOS and LLMNR to capture user credentials in a local network (including NTLMv2 hashes). So for security reasons, these protocols should be disabled in a domain network. Let’s see how to disable LLMNR and NetBIOS using Group Policies.

First of all, it’s worth to remind what are these protocols.

LLMNR Protocol

LLMNR (UDP/5355, Link-Local Multicast Name Resolution) is used in all Windows versions starting from Vista and allows IPv6 and IPv4 clients to resolve the names of neighboring computers without using DNS server due to broadcast requests in the local segment of L2 network. This protocol is automatically used if DNS is unavailable. So if there are DNS servers in the domain, this protocol is not needed.

NetBIOS Over TCP/IP Protocol

NetBIOS over TCP/IP or NBT-NS (UDP/137,138;TCP/139) is a broadcast protocol being a predecessor of LLMNR and used in the local network to publish and search for resources. By default, NetBIOS over TCP/IP support is enabled for all interfaces in all Windows versions.

Thus, these protocols enable the computers in the local network to find each other if DNS server is unavailable. They may be necessary in a workgroup, but in the domain network both of them may be disabled.

How to Disable LLMNR Using GPO

In the domain environment, LLMNR broadcast requests can be disabled using GPO. To do it:

• In GPMC.msc, create a new policy or edit an existing one that is applied to all workstations and servers.
• Go to Computer Configuration -> Administrative Templates -> Network -> DNS Client
• Enable Turn Off Multicast Name Resolution policy by changing its value to Enabled

How to Disable NetBIOS over TCP/IP

You can disable NetBIOS manually on the specific client.

• Open network connection properties
• Select TCP/IPv4 and open its properties
• Click Advanced, then go to WINS tab and select Disable NetBIOS over TCP
• Save the changes

You can disable NetBIOS for the specific network adapter in the registry as well. Each network adapter has a separate branch in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces containing its TCPIP_GUID.

To diable NetBIOS for the specific adapter, open its branch and change the value of NetbiosOptions parameter to 2 (it is 0 by default).

To completely disable NetBIOS, the operations shown above should be performed for all network adapters of a computer.

You can disable NetBIOS on the domain clients getting IP addresses from a DHCP server.

• To do it, open dhcpmgmt.msc, connect to the DHCP server and select Scope Option zone settings (or server – Server Options)
• Go to the Advanced tab and select Microsoft Windows 2000 Options in the Vendor class dropdown list
• Enable 001 Microsoft Disable Netbios Option and change its value to 0x2

There is no separate option that allows to disable NETBIOS over TCP/IP for all network adapters of a computer using GPO. To disable NETBIOS for all network adapters of a computer, you can use Group Policy to deploy PowerShell startup script. Open GPO editor and place *.ps1 script in the Computer Configuration -> Policies -> Windows Settings ->Scripts ->Startup->PowerShell Scripts policy:

$regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey |foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose}