Responding To Responder: A Guide for Securing LLMNR, NetBIOS, mDNS and WPAD with additional security measures
This repository provides practical guidance and scripts for defending Windows environments against Responder tool attacks by blocking, defending and securing common discovery protocols (LLMNR, NetBIOS, mDNS and WPAD) via Intune.
1️⃣ Read the PDF guide: Responding To Responder - PDF Guide
2️⃣ Access the exported JSON Intune Configuration Policies:
- 📄 Disable LLMNR Intune - Intune JSON File
  - Brief Explanation: This disables Link-Local Multicast Name Resolution (LLMNR) in the environment by enabling two settings: "Turn off multicast name resolution" and "Turn off smart multi homed name resolution". See more details in the PDF guide (Step 1).
- 📄 LLMNR, NetBIOS, mDNS, WPAD, LM, NTLM Security - Intune JSON File
- 📄 Password and Credential Hash Security - Intune JSON File
  - Brief Explanation: These three are additional measures that further lock down what each protocol can do, and that secure how NTLM and LM credentials travel over the network and how their hashes are stored. See more details in the PDF guide from page 13 (Step 1).
3️⃣ Access the exported PowerShell Platform scripts:
- 🪄 Disable mDNS - Platform Script
  - Brief Explanation: This script checks whether the DWORD "EnableMDNS" is present and set to "0"; if not, it creates and/or updates it.
- 🪄 Disable NetBIOS - Platform Script
  - Brief Explanation: This script iterates over every listed NIC (ensuring the change applies to all of them), checking whether the DWORD "NetbiosOptions" is present and set to "2"; if not, it creates and/or updates it. This ensures each NIC has the NetBIOS setting "Disable NetBIOS over TCP/IP" set.
  - Special credit to How to Disable NetBIOS, LLMNR, mDNS Protocols in Windows for method of DWORD.
- 🪄 Disable WPAD - Platform Script
  - Brief Explanation: This script checks whether the DWORD "DisableWPAD" is present and set to "1"; if not, it creates and/or updates it.
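To confirm the platform scripts took effect on an endpoint, the following read-only audit checks the three DWORDs described above. It is an added example, not one of this repository's scripts; the registry paths are assumptions (the usual Windows locations for these values, since this page names only the DWORDs), and `Test-RegistryDword` is a hypothetical helper name.

```powershell
# Added example: read-only audit of EnableMDNS, DisableWPAD and NetbiosOptions.
# ASSUMPTION: registry paths below are the standard Windows locations; the page names only the DWORDs.
$checks = @(
    @{ Name = 'mDNS'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'; Value = 'EnableMDNS'; Expected = 0 },
    @{ Name = 'WPAD'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Value = 'DisableWPAD'; Expected = 1 }
)

function Test-RegistryDword {
    # Hypothetical helper: reports whether a DWORD exists and holds the expected value.
    param([string]$Name, [string]$Path, [string]$Value, [int]$Expected)
    $actual = $null
    if (Test-Path -LiteralPath $Path) {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Value -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.$Value }
    }
    [pscustomobject]@{
        Check     = $Name
        Value     = $Value
        Expected  = $Expected
        Actual    = if ($null -eq $actual) { '<missing>' } else { $actual }
        # A missing value counts as non-compliant: the Windows default then applies.
        Compliant = ($null -ne $actual -and [int]$actual -eq $Expected)
    }
}

$results = @(foreach ($c in $checks) { Test-RegistryDword @c })

# NetBIOS is configured per interface, so every Tcpip_* subkey must be checked.
$nbtRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$results += @(Get-ChildItem -LiteralPath $nbtRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'Tcpip_*' } |
    ForEach-Object {
        Test-RegistryDword -Name "NetBIOS $($_.PSChildName)" -Path $_.PSPath -Value 'NetbiosOptions' -Expected 2
    })

$results | Format-Table Check, Value, Expected, Actual, Compliant -AutoSize

# Non-zero exit code when any check fails, so the result can be consumed by other tooling.
if ($results.Compliant -contains $false) { exit 1 } else { exit 0 }
```

The script only reads the registry, so it can be run before deployment to baseline an endpoint and again afterwards to confirm the change on every NIC.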
Remember that any changes made in your and/or your client's environment are YOUR express responsibility; YOUR due diligence is required in assessing the environment for custom configurations, risk acceptance and requirements. Any actions, configurations, or deployments undertaken based on the information provided in this document are solely the responsibility of the recipient. Jordan Albaladejo and any affiliated entity disclaim all liability for any outcomes resulting from the use or implementation of these solutions.
This guide and accompanying PowerShell scripts were researched and developed with assistance from AI tools, including Microsoft Copilot and OpenAI ChatGPT, to enhance accuracy, efficiency and completeness.
Special credit to How to Disable NetBIOS, LLMNR, mDNS Protocols in Windows for method of DWORD configuration of NetBIOS.