Group Policy: Policies for LLMNR and NBT-NS

Recently we had a requirement to disable LLMNR, WPAD and NBT-NS on our domain computers. As we already disable WPAD through the zScaler proxy app, we could discount that one and move on to a solution for the remaining two protocols.

Disabling LLMNR can be done using Group Policy. Fire up your policy editor (domain or local) and navigate to the following policy: Computer Configuration > Administrative Templates > Network > DNS Client (in a domain GPO the Administrative Templates node sits under Computer Configuration > Policies). Make sure "Turn Off Multicast Name Resolution" is set to Enabled; this writes the DWORD value EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient on the client.

Close the editor, run gpupdate /force on the client machine and the setting should take effect.

Disabling NetBIOS over TCP/IP (and with it NBT-NS) is not controlled by a standard administrative template. Instead we have to set a startup script in Group Policy and store a PowerShell script that makes the change in a location every domain computer can read.

The PowerShell: save the following in the policy's own SYSVOL folder, DOMAIN\Policies\{GUID}\Machine\Scripts\Startup\disable-nbt.ps1

# NetbiosOptions: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled
$regkey = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
# One subkey (Tcpip_{GUID}) exists per adapter; set the value on every one of them
Get-ChildItem -Path $regkey | ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord -Verbose }

The script iterates through the child keys of "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" (one per installed network adapter) and sets NetbiosOptions to 2 (Disabled) on each. The other possible values are 0 (use the DHCP-supplied setting, which is the default) and 1 (Enabled); because the script runs at every startup, adapters added after the policy was first applied are covered on the next boot.

Now add a startup script under: Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup > PowerShell Scripts tab, referencing the PowerShell script saved above.

We saw some failures with machines unable to access the startup scripts directory on the domain; adding Domain Computers with Read and Execute access resolved this issue and allowed all machines to pick up the scripts correctly.
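Once the policy has applied it is worth checking the result on a client rather than trusting gpupdate, because the NetBIOS script only affects the adapters present when it ran and the LLMNR setting only takes effect if the policy registry value actually landed. The following audit script is an added example, not part of the original post; it reads the two registry locations the post relies on and returns one object per setting/interface. It assumes Get-NetAdapter is available (Windows 8 / Server 2012 or later) to map the Tcpip_{GUID} subkeys back to adapter names, and runs from an elevated PowerShell prompt.

```powershell
# Added audit script (not from the original post): reports the LLMNR policy
# value and the NetbiosOptions value of every NetBT interface on this machine.

function Get-LlmnrState {
    # "Turn Off Multicast Name Resolution" = Enabled writes EnableMulticast = 0 here.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $value = (Get-ItemProperty -Path $policyKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    [pscustomobject]@{
        Setting    = 'LLMNR'
        Interface  = '(global policy)'
        Adapter    = ''
        Configured = ($null -ne $value)   # $false means the GPO never reached this machine
        Disabled   = ($value -eq 0)
        RawValue   = $value
    }
}

function Get-NetbiosState {
    # NetbiosOptions: 0 = use the DHCP setting (default), 1 = enabled, 2 = disabled.
    $baseKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

    # Subkeys are named Tcpip_{InterfaceGuid}; build a lookup to friendly adapter names.
    # Assumption: Get-NetAdapter exists on this OS; if not, the Adapter column stays blank.
    $adapterNames = @{}
    Get-NetAdapter -ErrorAction SilentlyContinue | ForEach-Object {
        $adapterNames["Tcpip_$($_.InterfaceGuid)"] = $_.Name
    }

    Get-ChildItem -Path $baseKey | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        $name = ''
        if ($adapterNames.ContainsKey($_.PSChildName)) { $name = $adapterNames[$_.PSChildName] }
        [pscustomobject]@{
            Setting    = 'NBT-NS'
            Interface  = $_.PSChildName
            Adapter    = $name
            Configured = ($null -ne $opt)
            Disabled   = ($opt -eq 2)     # only 2 is a hard disable; 0 leaves it to DHCP
            RawValue   = $opt
        }
    }
}

# Collect everything, show it, and flag anything still open to poisoning.
$results = @(Get-LlmnrState) + @(Get-NetbiosState)
$results | Format-Table Setting, Interface, Adapter, Configured, Disabled, RawValue -AutoSize

$stillEnabled = $results | Where-Object { -not $_.Disabled }
if ($stillEnabled) {
    Write-Warning ("{0} setting(s) still allow LLMNR or NBT-NS on this host:" -f $stillEnabled.Count)
    $stillEnabled | ForEach-Object { Write-Warning ("  {0} {1}" -f $_.Setting, $_.Interface) }
}
else {
    Write-Output 'LLMNR and NBT-NS are disabled on all interfaces.'
}
```

Run it on a client after the startup script has executed at least once (a reboot, not just gpupdate, since startup scripts only run at boot). Interfaces that show Disabled = False with RawValue 0 are still honouring whatever the DHCP server hands out, which is the default state the startup script is meant to override; a blank Adapter column alongside a Tcpip_{GUID} key usually belongs to a removed or virtual adapter and is harmless once its value reads 2.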
