Windows OS Hub
December 4, 2017 | Group Policies, Security

How to Disable NetBIOS Over TCP/IP and LLMNR Using GPO

Using obsolete protocols without an explicit need is a potential security flaw in any network. The recent WannaCry (WCry) ransomware outbreak is a good illustration: the easiest protection was to stop using the obsolete SMBv1 protocol by disabling it completely. Broadcast name-resolution protocols, such as NetBIOS over TCP/IP and LLMNR, are also obsolete and survive in most modern networks only for compatibility reasons. At the same time, attackers have tools that abuse weaknesses in NetBIOS and LLMNR name resolution to capture user credentials (including NTLMv2 hashes) on the local network. For security reasons, these protocols should therefore be disabled in a domain network. Let's see how to disable LLMNR and NetBIOS using Group Policy.

First, a short reminder of what these protocols are.

Contents:
  • LLMNR Protocol
  • NetBIOS Over TCP/IP Protocol
  • How to Disable LLMNR Using GPO
  • How to Disable NetBIOS over TCP/IP

LLMNR Protocol

LLMNR (Link-Local Multicast Name Resolution, UDP/5355) is present in all Windows versions starting from Vista. It allows IPv4 and IPv6 clients to resolve the names of neighboring computers without a DNS server by sending multicast name queries within the local L2 segment. Windows falls back to it automatically when DNS resolution fails, so in a domain with working DNS servers this protocol is not needed.

NetBIOS Over TCP/IP Protocol

NetBIOS over TCP/IP, or NBT-NS (UDP/137, UDP/138, TCP/139), is a broadcast protocol and the predecessor of LLMNR; it is used on the local network to publish and look up resources. By default, NetBIOS over TCP/IP is enabled on all interfaces in all Windows versions.

Both protocols therefore let computers on the local network find each other when no DNS server is available. They may be necessary in a workgroup, but in a domain network both can be disabled.

Tip. Before rolling these policies out across the domain, we strongly recommend testing computers and servers with NetBIOS and LLMNR disabled. Disabling LLMNR rarely causes problems, but disabling NetBIOS can break legacy systems.

How to Disable LLMNR Using GPO

In a domain environment, LLMNR multicast queries can be disabled using GPO. To do it:

  • In GPMC.msc, create a new policy or edit an existing one that applies to all workstations and servers.
  • Go to Computer Configuration -> Administrative Templates -> Network -> DNS Client.
  • Set the Turn Off Multicast Name Resolution policy to Enabled.

[Screenshot: Turn Off Multicast Name Resolution policy set to Enabled]

How to Disable NetBIOS over TCP/IP

Note. NetBIOS may still be used by old Windows versions and some non-Windows systems, so disabling it should be tested in each particular environment.

You can disable NetBIOS manually on a specific client:

  • Open the network connection properties.
  • Select TCP/IPv4 and open its properties.
  • Click Advanced, go to the WINS tab and select Disable NetBIOS over TCP/IP.
  • Save the changes.

[Screenshot: Disable NetBIOS over TCP/IP on the WINS tab of the connection properties]

You can also disable NetBIOS for a specific network adapter in the registry. Each adapter has its own subkey under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces, named Tcpip_{GUID} after the adapter's GUID.

To disable NetBIOS for a specific adapter, open its subkey and set the NetbiosOptions value to 2 (the default is 0, which means "use the NetBIOS setting from the DHCP server").

[Screenshot: NetbiosOptions value in the NetBT interface registry key]

To completely disable NetBIOS, the operations shown above should be performed for all network adapters of a computer.

You can also disable NetBIOS on domain clients that get their IP addresses from a DHCP server:

  • Open dhcpmgmt.msc, connect to the DHCP server and select Scope Options (or, for the whole server, Server Options).
  • Go to the Advanced tab and select Microsoft Windows 2000 Options in the Vendor class dropdown list.
  • Enable 001 Microsoft Disable Netbios Option and set its value to 0x2.

[Screenshot: 001 Microsoft Disable Netbios Option in the DHCP scope options]
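The same DHCP vendor-class option can be set from PowerShell on the DHCP server instead of clicking through dhcpmgmt.msc. This is an added example, not code from the original article: it assumes the DhcpServer module (installed with the DHCP server role or the RSAT DHCP tools), and the server name and scope ID are placeholders for your own environment.

```powershell
# Added example (not from the original article): set "001 Microsoft Disable Netbios Option"
# in the "Microsoft Windows 2000 Options" vendor class using the DhcpServer module.
# Placeholders: $DhcpServer and $ScopeId must be replaced with your own values.
param(
    [string]$DhcpServer = 'dhcp01.corp.example',   # placeholder DHCP server name
    [string]$ScopeId    = '192.168.10.0'            # placeholder scope; pass '' for a server-level option
)

$vendorClass = 'Microsoft Windows 2000 Options'
$optionId    = 1   # 001 Microsoft Disable Netbios Option
$disable     = 2   # 0x2 = disable NetBIOS over TCP/IP on DHCP clients (0x1 would enable it)

$common = @{
    ComputerName = $DhcpServer
    VendorClass  = $vendorClass
    OptionId     = $optionId
    Value        = $disable
}

if ($ScopeId) {
    # Scope-level option: affects only clients that lease addresses from this scope
    Set-DhcpServerv4OptionValue @common -ScopeId $ScopeId
    Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -VendorClass $vendorClass -OptionId $optionId
} else {
    # Server-level option: inherited by every scope that does not override it
    Set-DhcpServerv4OptionValue @common
    Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -VendorClass $vendorClass -OptionId $optionId
}
```

Note that the DHCP option is only honored by clients whose NetbiosOptions registry value is still 0 ("use DHCP setting"); adapters that were explicitly set to 1 (enabled) keep NetBIOS on regardless of what the DHCP server hands out, which is why a registry or startup-script approach is needed for complete coverage.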

There is no dedicated Group Policy setting that disables NetBIOS over TCP/IP on all network adapters of a computer. To do that, you can use Group Policy to deploy a PowerShell startup script. Open the GPO editor and add a *.ps1 script under Computer Configuration -> Policies -> Windows Settings -> Scripts -> Startup -> PowerShell Scripts:

# Set NetbiosOptions = 2 (disabled) on every NetBT interface subkey (Tcpip_{GUID})
$regkey = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey | ForEach-Object { Set-ItemProperty -Path "$regkey\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose }

[Screenshot: PowerShell startup script assigned in the GPO]

Note. For this change to take effect, you have to enable/disable network adapters or restart the computer.
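Once the LLMNR policy and the NetBIOS startup script are deployed, you will want a way to confirm that a given machine actually ended up in the hardened state, since a forgotten adapter or an unlinked GPO is easy to miss. The following script is an added example (not code from the original article or a Microsoft tool) that audits both settings on the local computer and, with -Enforce, applies them the way the GPO and the startup script above do. It assumes it runs with administrator rights, and that the "Turn Off Multicast Name Resolution" policy is stored as EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, which is the registry location that policy writes.

```powershell
# Added example (not from the original article): audit LLMNR and NetBIOS over TCP/IP state
# on the local machine; with -Enforce, apply the hardening described in the article.
# Assumes administrator rights. Registry paths: the DNS Client policy key that the
# "Turn Off Multicast Name Resolution" GPO writes, and the NetBT interface subkeys.
param(
    [switch]$Enforce
)

$llmnrPolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$netbtInterfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LlmnrState {
    # EnableMulticast = 0 is what "Turn Off Multicast Name Resolution" = Enabled sets.
    $item = Get-ItemProperty -Path $llmnrPolicyKey -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -eq $item)               { return 'NotConfigured (LLMNR active)' }
    if ($item.EnableMulticast -eq 0)   { return 'Disabled by policy' }
    return "Enabled (EnableMulticast=$($item.EnableMulticast))"
}

function Get-NetbiosState {
    # NetbiosOptions: 0 = use DHCP setting (default), 1 = enabled, 2 = disabled.
    Get-ChildItem -Path $netbtInterfaces | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        $state = 'Default (DHCP-controlled)'
        if ($opt -eq 2) { $state = 'Disabled' } elseif ($opt -eq 1) { $state = 'Enabled' }
        [pscustomobject]@{
            Interface      = $_.PSChildName   # Tcpip_{GUID} of the adapter
            NetbiosOptions = $opt
            State          = $state
        }
    }
}

function Set-Hardened {
    # Same effect as the GPO setting: local policy value, overridden by a domain GPO if one applies.
    if (-not (Test-Path $llmnrPolicyKey)) { New-Item -Path $llmnrPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $llmnrPolicyKey -Name EnableMulticast -Value 0 -Type DWord

    # Same effect as the startup script: NetbiosOptions = 2 on every NetBT interface.
    Get-ChildItem -Path $netbtInterfaces | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}

if ($Enforce) {
    Set-Hardened
    Write-Warning 'NetbiosOptions changes take effect after the adapters are re-enabled or the computer restarts.'
}

"LLMNR: $(Get-LlmnrState)"
Get-NetbiosState | Format-Table -AutoSize

# Non-zero exit code if anything is still open, so the script can be used from a monitoring job.
$open = @(Get-NetbiosState | Where-Object { $_.NetbiosOptions -ne 2 }).Count
if ((Get-LlmnrState) -ne 'Disabled by policy' -or $open -gt 0) { exit 1 }
exit 0
```

Run it without parameters on a test machine after a gpupdate to see whether the policy and the startup script both landed; the exit code makes it easy to wire into a compliance check. Keep in mind that an interface left at NetbiosOptions = 0 is not necessarily exposed: it will still follow the DHCP vendor option if one is configured, but the audit reports it as open because that state depends on the DHCP server rather than on the computer itself.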


4 comments

Saying Goodbye to NetBIOS - 10-D Security, April 13, 2018 - 6:49 pm

[…] Disabling NetBIOS: https://support.microsoft.com/en-nz/help/313314/how-to-disable-netbios-over-tcp-ip-by-using-dhcp-server-options http://woshub.com/how-to-disable-netbios-over-tcpip-and-llmnr-using-gpo/ […]

jp, February 27, 2020 - 8:12 am

You can actually wildcard the Interfaces for the WINS registry value, turning this into a neat one-liner without looping:
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip* -Name NetbiosOptions -Value 2

Robert, May 7, 2020 - 9:42 am

Thanks. This helped me.

My hometown was hit with Ransomware | Brad Proctor, September 3, 2020 - 2:56 pm

[…] LLMNR (Link-Local Multicast Name Resolution) and NBNS […]
