
Protect Yourself and Others - Securing Services

Computers can do many different things, and many services can be enabled and running without the knowledge of the user or even the owner of the computer. There are also services that by default do not run in the most secure fashion. This site will give you directions on enabling, disabling, or securing those services.

The following directions include editing Security Policies and the Windows Registry. Editing these systems incorrectly can render your computer inoperable or insecure. If you are not comfortable using the Policy Editor or the Registry Editor, please contact someone who is.

LLMNR:


Link Local Multicast Name Resolution (LLMNR) is a system used for alternate host identification when the default host identification system is not working. However, it can allow an impersonator to claim to be a shared folder that you are trying to connect to, and if LLMNR is active, your computer could give up the username and password that you would use to connect to that shared folder.


To check if this is enabled:
  1. Click Start
  2. Type gpedit.msc
  3. Hit Enter
  4. Click:
    1. Computer Configuration
    2. Administrative Templates
    3. Network
    4. DNS Client
  5. Look for Turn off multicast name resolution
  6. If this is set to Not Configured, LLMNR is enabled and running on your computer and you could be vulnerable

To Disable LLMNR:
  1. Double-click on Turn off multicast name resolution
  2. Select Enabled
  3. Click OK
  4. Reboot computer

NBT-NS:


NetBIOS Name Service (NBT-NS) is also a backup host identification system and, like LLMNR, could be used by an impersonator to grab your Windows credentials.

To check if this is enabled:

  1. Click Start
  2. Click Settings
  3. Click Network and Internet
  4. Click Ethernet
  5. Click Change Adapter Options
  6. Double-click Ethernet in the Pop-up window
  7. Click Properties
  8. Double-click on Internet Protocol Version 4 (TCP/IPv4)
  9. Click Advanced
  10. Click on the WINS tab
  11. If Disable NetBIOS over TCP/IP is not checked, this service is running and you could be vulnerable

To Disable NBT-NS:
  1. Check Disable NetBIOS over TCP/IP
  2. Click OK
  3. Click OK to exit Internet Protocol Version 4 (TCP/IPv4) properties
  4. Click OK to exit Ethernet Properties
  5. Reboot Computer

Run LSASS as a Protected Service:


Local Security Authority Subsystem Service (LSASS) is the process that is responsible for running and enforcing the security policies on a Windows computer. Running this subsystem as a protected service prevents other applications from inserting commands or hijacking the LSASS application to gain access to tokens or passwords that are in use on the system. 

To check if this is enabled:
  1. Click Start
  2. Type regedit
  3. Hit Enter
  4. Click: 
    1. HKEY_LOCAL_MACHINE
    2. SYSTEM
    3. CurrentControlSet
    4. Control
    5. Lsa
  5. Look for RunAsPPL
  6. If RunAsPPL is NOT found, then LSASS is not protected and this process can be hijacked

To run LSASS as a protected service:

  1. Right-click on Lsa from above
    1. Select New
    2. Select DWORD (32-bit) Value
    3. Type RunAsPPL
    4. Hit Enter
    5. Double-click on RunAsPPL
    6. Enter 1 in the Value Data
    7. Click OK
  2. Reboot Computer
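
The three checks above can also be run together from a PowerShell prompt. The script below is an added example, not part of the original article; it only reads settings and changes nothing. The helper name Get-RegistryDword is made up for this example, and the LLMNR check reads the EnableMulticast value that the Turn off multicast name resolution policy writes to the registry.

```powershell
# Added example: read-only audit of the LLMNR, NBT-NS and RunAsPPL settings.
# Get-RegistryDword is a helper name made up for this script.
function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$results = @()

# LLMNR: setting "Turn off multicast name resolution" to Enabled writes
# EnableMulticast = 0 under the DNS Client policy key. Absent = Not Configured.
$llmnr = Get-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
$llmnrDetail = if ($null -eq $llmnr) { 'Not Configured' } else { "EnableMulticast=$llmnr" }
$results += [pscustomobject]@{
    Setting = 'LLMNR'
    Detail  = $llmnrDetail
    Secure  = ($llmnr -eq 0)
}

# NBT-NS: one row per IP-enabled adapter. TcpipNetbiosOptions mirrors the
# WINS tab: 0 = default (from DHCP), 1 = enabled, 2 = disabled.
$nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $results += [pscustomobject]@{
        Setting = "NBT-NS ($($nic.Description))"
        Detail  = "TcpipNetbiosOptions=$($nic.TcpipNetbiosOptions)"
        Secure  = ($nic.TcpipNetbiosOptions -eq 2)
    }
}

# LSASS: RunAsPPL = 1 as set in the steps above. Windows 11 22H2 and later
# also accept 2 (protection without the UEFI lock).
$ppl = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
$pplDetail = if ($null -eq $ppl) { 'RunAsPPL not found' } else { "RunAsPPL=$ppl" }
$results += [pscustomobject]@{
    Setting = 'LSASS protected service'
    Detail  = $pplDetail
    Secure  = ($ppl -in 1, 2)
}

$results | Format-Table -AutoSize
```

The values shown are what is configured; as in the steps above, a change only takes effect after the computer is rebooted.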




Keywords: LLMNR, NBTNS, LSASS, Link Local Multicast Name Resolution, Local Security Authority Subsystem Service, NetBIOS Name Service, NBT-NS
Doc ID: 106754
Owner: Jeff G.
Group: IT Knowledge Base
Created: 2020-10-21 07:46 CST
Updated: 2020-10-23 12:54 CST
Sites: IT Knowledge Base