I recently started deploying servers based on Windows Server 2019 images and setting up networks with Active Directory (AD). Setting up and migrating to 2019-era AD reminds me of discussions I have seen online about Active Directory and the attacks designed to go after it.
One recommended setting that helps mitigate the risk from those attacks is disabling Link-Local Multicast Name Resolution (LLMNR), a protocol that lets hosts resolve names without a Domain Name System (DNS) server. Instead of asking a server, an LLMNR client multicasts its query to every host on the local link (224.0.0.252 for IPv4, FF02::1:3 for IPv6) and accepts the first answer that comes back.
The query asks every listening host to reply if it is authoritative for the hostname being looked up; both queries and responses travel over UDP port 5355. Windows falls back to LLMNR when DNS cannot resolve a name, for example a mistyped file-share server name. If any host on the link answers, the client trusts that answer and connects to it, and for an SMB share it authenticates to the responder with the current user's credentials (an NTLM challenge-response). That is exactly what LLMNR poisoning attacks capture or relay: an attacker on the same segment answers every query and collects the authentication attempts.
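The setting itself is a single registry value, the one written by the group policy "Turn off multicast name resolution" (Computer Configuration > Policies > Administrative Templates > Network > DNS Client). The script below is an added example, not code from the original post: it audits and disables LLMNR on the local machine and then checks whether anything is still bound to the LLMNR port. The function names are my own; it assumes an elevated PowerShell prompt on Windows Server 2019 (or any Windows build with the NetTCPIP module). Domain-wide, set the same policy in a GPO rather than touching each server.

```powershell
# Added example: audit and disable LLMNR on the local machine by writing the
# same registry value the "Turn off multicast name resolution" policy sets.
# Run from an elevated PowerShell prompt. Function names are hypothetical.

$LlmnrPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-LlmnrState {
    # Returns 'Disabled' when the policy value is present and 0.
    # When the value is absent Windows defaults to LLMNR on, so report 'Enabled'.
    $value = Get-ItemProperty -Path $LlmnrPolicyKey -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -ne $value -and $value.EnableMulticast -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Llmnr {
    # Create the policy key if it does not exist, then set EnableMulticast = 0 (REG_DWORD).
    if (-not (Test-Path $LlmnrPolicyKey)) {
        New-Item -Path $LlmnrPolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $LlmnrPolicyKey -Name EnableMulticast `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

Write-Host "LLMNR before: $(Get-LlmnrState)"
Disable-Llmnr
Write-Host "LLMNR after:  $(Get-LlmnrState)"

# The DNS Client service reads the value when it starts, so reboot to be sure
# the change is live. Afterwards, this should return nothing: with LLMNR
# enabled, svchost (Dnscache) holds a listener on UDP 5355.
Get-NetUDPEndpoint -LocalPort 5355 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Run it once before the reboot to confirm the registry change took, and once after to confirm the UDP 5355 listener is gone. Disabling LLMNR only closes this one fallback path; NetBIOS name resolution over UDP 137 offers the same poisoning opportunity and should be disabled alongside it.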