Protect Yourself and Others - Securing Services

Computers can do many different things, and many features can be enabled and running without the knowledge of the user or even the owner of the computer. There are also services that, by default, do not run in the most secure fashion. This site will give you directions on enabling, disabling, or securing those services.

The following directions include editing Security Policies and the Windows Registry. Editing these systems incorrectly can render your computer inoperable or insecure. If you are not comfortable using the Policy Editor or the Registry Editor, please contact someone who is.

LLMNR:

Link-Local Multicast Name Resolution (LLMNR) is a system used for alternate host identification when the default host identification system is not working. However, it can allow an impersonator to claim to be a shared folder that you are trying to connect to, and if LLMNR is active, your computer could give up the username and password that you would use to connect to that shared folder.

To check if this is enabled:
  1. Click Start
  2. Type gpedit.msc
  3. Hit Enter
  4. Click 
    1. Computer Configuration
    2. Administrative Templates
    3. Network
    4. DNS Client
  5. Look for Turn off multicast name resolution
  6. If this is set to Not Configured, LLMNR is enabled and running on your computer and you could be vulnerable
To Disable LLMNR:
  1. Double-click on Turn off multicast name resolution
  2. Select Enabled
  3. Click OK
  4. Reboot computer

NBT-NS:

NetBIOS Name Service (NBT-NS) is also a backup host identification system and, like LLMNR, could be used by an impersonator to grab your Windows credentials.
To check if this is enabled:
  1. Click Start
  2. For Windows 10: Click Settings - For Windows 11: Type Control Panel and Open the Control Panel
  3. Click Network and Internet
  4. Click Ethernet
  5. Click Change Adapter Options
  6. Double-click Ethernet in the Pop-up window
  7. Click Properties
  8. Double-click on Internet Protocol Version 4 (TCP/IPv4)
  9. Click Advanced
  10. Click on the WINS tab
  11. If Disable NetBIOS over TCP/IP is not checked, this service is running and you could be vulnerable
To Disable NBT-NS:
  1. Check Disable NetBIOS over TCP/IP
  2. Click OK
  3. Click OK to exit Internet Protocol Version 4 (TCP/IPv4) properties
  4. Click OK to exit Ethernet Properties
  5. Reboot Computer
If you need to have NDSU Shared Folders, you will need to add the NDSU AD Domain:
  1. Click Start
  2. Click Settings
  3. Click Network and Internet
  4. Click Ethernet
  5. Click Change Adapter Options
  6. Right Click on Ethernet
  7. Select Properties
  8. Select Internet Protocol Version 4 (TCP/IPv4)
  9. Click Properties
  10. Click Advanced
  11. Select the DNS tab
  12. Select Append these DNS suffixes (in order)
  13. Click Add
  14. Enter ad.ndsu.edu
  15. Click Add
  16. Click OK
  17. Click OK
  18. Click Close
  19. Exit the Network Connections Control panel
  20. Exit Settings 
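
The two checks above can also be read from an elevated PowerShell prompt. This is an added example, not part of the original NDSU article; the function name Get-NameResolutionAudit is hypothetical. It only reads settings and, unlike the Ethernet-only steps above, reports every IP-enabled adapter.

```powershell
# Added example (not from the original article): read-only audit of
# LLMNR and NetBIOS over TCP/IP. Get-NameResolutionAudit is a hypothetical name.
function Get-NameResolutionAudit {
    $results = @()

    # The policy "Turn off multicast name resolution" = Enabled is stored as
    # EnableMulticast = 0 under the DNS Client policy key. A missing value
    # corresponds to "Not Configured", which leaves LLMNR running.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $policy = Get-ItemProperty -Path $policyKey -Name EnableMulticast -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'LLMNR'
        Target = 'Computer policy'
        Value  = if ($null -eq $policy) { 'Not Configured' } else { $policy.EnableMulticast }
        Secure = ($null -ne $policy) -and ($policy.EnableMulticast -eq 0)
    }

    # The WINS tab setting is stored per adapter as TcpipNetbiosOptions:
    # 0 = use the DHCP-supplied setting, 1 = enabled, 2 = disabled.
    # Only 2 matches "Disable NetBIOS over TCP/IP".
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($adapter in $adapters) {
        $results += [pscustomobject]@{
            Check  = 'NBT-NS'
            Target = $adapter.Description
            Value  = $adapter.TcpipNetbiosOptions
            Secure = ($adapter.TcpipNetbiosOptions -eq 2)
        }
    }

    $results
}

# Any row with Secure = False still needs the matching steps above.
Get-NameResolutionAudit | Format-Table -AutoSize
```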

Run LSASS as a Protected Service:

Local Security Authority Subsystem Service (LSASS) is the process that is responsible for running and enforcing the security policies on a Windows computer. Running this subsystem as a protected service prevents other applications from inserting commands or hijacking the LSASS application to gain access to tokens or passwords that are in use on the system. 
To check if this is enabled:
  1. Click Start
  2. Type powershell
  3. Right-click on Windows PowerShell and select “Run as administrator”
  4. Select Yes to the User Account Control prompt (if prompted)
  5. Log in to your administrator account (if prompted) 
  6. Type the following command and hit enter:
     
    1. Get-ItemProperty "HKLM:\SYSTEM\ControlSet001\Control\Lsa" -Name RunAsPPL

             If RunAsPPL is set to 1, then LSASS is protected and is secure

             If RunAsPPL is set to 0 or does not exist then LSASS is not protected and this process can be hijacked   

To run LSASS as a protected service:

  1. Click Start 
  2. Type powershell
  3. Right-click on Windows PowerShell and select “Run as administrator”
  4. Select Yes to the User Account Control prompt (if prompted)
  5. Log in to your administrator account (if prompted) 
  6. Type the following command and hit enter: 

    1. Set-ItemProperty "HKLM:\SYSTEM\ControlSet001\Control\Lsa" -Name RunAsPPL -Value "1" -Type DWord

  7. Confirm the setting by running the following command and hitting enter:

    1. Get-ItemProperty "HKLM:\SYSTEM\ControlSet001\Control\Lsa" -Name RunAsPPL

             If RunAsPPL is set to 1, then LSASS is protected and is secure

             If RunAsPPL is set to 0 then LSASS is not protected and this process can be hijacked
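
The registry value only records what is configured; LSASS picks it up at the next restart. The following added example (not part of the original NDSU article; Get-LsaProtectionStatus is a hypothetical name) reports both the configured value and whether LSASS actually started protected on the current boot. It reads CurrentControlSet, the alias Windows resolves to the active control set, and assumes an elevated prompt.

```powershell
# Added example (not from the original article): compare the configured
# RunAsPPL value with what LSASS did at the last boot. Read-only.
function Get-LsaProtectionStatus {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $key -Name RunAsPPL -ErrorAction SilentlyContinue
    $configured = if ($null -eq $prop) { $null } else { [int]$prop.RunAsPPL }

    # 1 = protected (the value set in the steps above).
    # 2 = protected without the UEFI lock, honoured on Windows 11 22H2 and later.
    $isConfigured = $configured -in 1, 2

    # Wininit logs System event 12 when LSASS starts as a protected process.
    # Only events since the last boot count for the running LSASS instance.
    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $startEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12; StartTime = $boot } `
            -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*LSASS.exe was started as a protected process*' } |
        Select-Object -First 1

    [pscustomobject]@{
        RunAsPPL         = if ($null -eq $configured) { '(not set)' } else { $configured }
        Configured       = $isConfigured
        # False can also mean the System log has rolled over since boot.
        RunningProtected = ($null -ne $startEvent)
        # Configured but not yet running protected: a restart is still pending.
        RebootPending    = $isConfigured -and ($null -eq $startEvent)
    }
}

Get-LsaProtectionStatus | Format-List
```

If RebootPending is True, restart the computer and run the check again.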


Keywords: LLMNR, NBTNS, LSASS, Link Local Multicast Name Resolution, Local Security Authority Subsystem Service, NetBIOS Name Service, NBT-NS
Doc ID: 106754
Owned by: Jeff G. in NDSU IT Knowledge Base
Created: 2020-10-21
Updated: 2023-12-26
Sites: NDSU IT Knowledge Base