How and why you should disable LLMNR on Windows Server

Social Network | October 30, 2019

Link-Local Multicast Name Resolution can open the door to man-in-the-middle attacks, so it is best to disable the protocol when you set up Windows Server 2019.


Hi, I'm Susan Bradley for CSO Online. Recently I started deploying servers based on Server 2019, and, as with every new version of the operating system, many things stay the same and many things change. As I set up Server 2019 to prepare for the migration from the older version of the server, it got me thinking about things I have been doing that I probably should change, or at least investigate, to see if I can do them a little better. I have seen this practice come up in several online talks and discussions about attacks on Active Directory, and that got me thinking about it. Sometimes we have legacy settings left behind that we don't even know exist. For example, there is something you may not even know about called LLMNR, and back in June 2018 the Black Hills Information Security blog said that you may want to disable it, and why you should. LLMNR stands for Link-Local Multicast Name Resolution, quite a mouthful, and there is another protocol you may want to disable as well, the NetBIOS Name Service. I'm sure you have heard of the NetBIOS Name Service and have used it for years. But in this day and age of Server 2019 and Windows 10, chances are you don't need NetBIOS anymore, and you can block these protocols without any impact on your existing systems.

In an attack sequence, the attacker gets into a man-in-the-middle position and listens to the connections between the servers and the clients. Especially on older systems, what happens first is that a multicast packet goes out asking for the names of other locations on the network. UDP port 5355 is used to send these multicast requests, and Windows uses this protocol to identify the server behind a file share. Should it receive a reply, it sends the current user's credentials, in the form of a hash, back to that server. This especially happens when you have retired file servers or old systems and haven't gone through and pulled them out of Active Directory. If you ever do sniffing with Wireshark or look at the packets between workstations and your network, you'll probably see requests for old servers that haven't been on your network for quite a while. If an attacker is able to get in the middle of those transmissions, they can grab that hash value, and if they're really smart, they'll pass that hash value along to the file server so that no one in the connection between the client and the file server is any the wiser. The attacker will have the hash value of the credentials, and everyone on the network will be happy. However, there is obviously a ticking time bomb, since that attacker now holds credentials that get into the network. If you disable these protocols and something stops working inside your network, obviously you will need to go back and undo these settings, and then ask yourself what exactly broke.

Is it a line-of-business application? Go back to that vendor and ask why they are relying on a legacy protocol that should be turned off. In most modern networks you can turn off these settings and nothing will happen; everything will go on just as it did before. So let's see what these two settings are. To disable Link-Local Multicast Name Resolution, or LLMNR, you can go into Group Policy. Here's an example in the local Group Policy. Go to Computer Configuration > Administrative Templates > Network > DNS Client.

Here we are. Scroll to the bottom, where it says Turn off multicast name resolution; you want to set it to Enabled. Click Apply, then click OK.

You can also use registry keys. Here are example registry keys you can add that will disable LLMNR. LLMNR is used on both IPv4 and IPv6 networks. If LLMNR fails, the NetBIOS Name Service kicks in. The NetBIOS Name Service differs from link-local multicast in that it only works with IPv4. To disable NetBIOS, you use the DHCP console on the domain controller. Open the scope options for the network you want to protect. Right-click and click Configure Options. Now click the Advanced tab, go to Vendor class, choose Microsoft Windows 2000 Options, and in the Available Options section, check the Microsoft Disable Netbios Option. Then, in the Data entry section, change the data entry value to 2. Click OK, Apply, OK. When the clients renew their addresses, the settings will be refreshed and NetBIOS will no longer be on the network. If you are on a network that no longer uses DHCP options, you can also do it per adapter in the TCP/IP settings, and also with a script. So there you have it. As you migrate to these new versions of Server, think about legacy settings, legacy protocols and other changes you can make along the way. Make sure you're not building in and bringing over insecurity from the older versions. Take the time to review the options and make changes for the better. Until next time, this is Susan Bradley for CSO Online. And don't forget to sign up for Tech Talk from IDG, the new YouTube channel for the tech news of the day. Until next time.
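The scripted route mentioned above, as an added example that is not the video's own script: it writes the local registry equivalent of the "Turn off multicast name resolution" policy, disables NetBIOS over TCP/IP on every IP-enabled adapter through WMI (the same value 2 the DHCP vendor option sets), and then reports whether both protocols are actually off, which is the check you want before and after the change. It assumes an elevated PowerShell session on Windows 10 or Server 2019.

```powershell
# Added example, not from the video. Run elevated on Windows 10 / Server 2019.
# Registry path and value are the documented equivalents of the GPO
# "Turn off multicast name resolution" (EnableMulticast = 0).
$LlmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Disable-Llmnr {
    # Create the policy key if no DNSClient policy has ever been applied.
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    New-ItemProperty -Path $LlmnrKey -Name 'EnableMulticast' -PropertyType DWord `
        -Value 0 -Force | Out-Null
}

function Disable-NetbiosOverTcpip {
    # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enable, 2 = disable.
    # Setting 2 explicitly per adapter is the scripted alternative to the
    # "Microsoft Disable Netbios Option" DHCP vendor option shown in the video.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                     -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
            # ReturnValue 0 = applied, 1 = applied but a reboot is required
            [pscustomobject]@{ Adapter = $_.Description; ReturnValue = $r.ReturnValue }
        }
}

function Get-LegacyNameResolutionStatus {
    # Audit check: LLMNR counts as off only when EnableMulticast is exactly 0
    # (a missing value means the default, which is enabled); NetBIOS counts as
    # off only when every IP-enabled adapter reports TcpipNetbiosOptions = 2.
    $llmnr = (Get-ItemProperty -Path $LlmnrKey -Name 'EnableMulticast' `
              -ErrorAction SilentlyContinue).EnableMulticast
    $nbt = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
           Select-Object Description, TcpipNetbiosOptions
    [pscustomobject]@{
        LlmnrDisabled   = ($llmnr -eq 0)
        NetbiosDisabled = (@($nbt | Where-Object TcpipNetbiosOptions -ne 2).Count -eq 0)
        Adapters        = $nbt
    }
}

Disable-Llmnr
Disable-NetbiosOverTcpip | Format-Table -AutoSize
Get-LegacyNameResolutionStatus | Format-List
```

Because the LLMNR value lives under the Policies hive, a domain GPO that configures the DNS Client settings will overwrite it on the next refresh, so in a domain the Group Policy route above is the one to standardise on. An adapter that returns 1 from SetTcpipNetbios still reports the old TcpipNetbiosOptions until the machine reboots.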