Protect Yourself and Others - Securing Services
Computers can do many different things, and many services can be enabled and running without the knowledge of the user or even the owner of the computer. There are also services that, by default, do not run in the most secure fashion. This site gives directions for enabling, disabling, or securing those services.
The following directions include editing Security Policies and the Windows Registry. Editing these systems incorrectly can render your computer inoperable or insecure. If you are not comfortable using the Policy Editor or the Registry Editor, please contact someone who is.
LLMNR:
Link Local Multicast Name Resolution (LLMNR) is a system used for alternate host identification when the default host identification system is not working. However, it can allow an impersonator to claim to be a shared folder that you are trying to connect to, and if LLMNR is active, your computer could give up the username and password that you would use to connect to that shared folder.
To check if this is enabled:
- Click Start
- Type gpedit.msc
- Hit Enter
- Click, in order:
  - Computer Configuration
  - Administrative Templates
  - Network
  - DNS Client
- Look for Turn off multicast name resolution
- If this is set to Not Configured, LLMNR is enabled and running on your computer and you could be vulnerable
To Disable LLMNR:
- Double-click on Turn off multicast name resolution
- Select Enabled
- Click OK
- Reboot computer
NBT-NS:
NetBIOS Name Service (NBT-NS) is also a backup host identification system and, like LLMNR, could be used by an impersonator to grab your Windows credentials.
To check if this is enabled:
- Click Start
- For Windows 10: Click Settings
- For Windows 11: Type Control Panel and Open the Control Panel
- Click Network and Internet
- Click Ethernet
- Click Change Adapter Options
- Double-click Ethernet in the Pop-up window
- Click Properties
- Double-click on Internet Protocol Version 4 (TCP/IPv4)
- Click Advanced
- Click on the WINS tab
- If Disable NetBIOS over TCP/IP is not checked, this service is running and you could be vulnerable
To Disable NBT-NS:
- Check Disable NetBIOS over TCP/IP
- Click OK
- Click OK to exit Internet Protocol Version 4 (TCP/IPv4) properties
- Click OK to exit Ethernet Properties
- Reboot Computer
If you need to have NDSU Shared Folders, you will need to add the NDSU AD Domain:
- Click Start
- Click Settings
- Click Network and Internet
- Click Ethernet
- Click Change Adapter Options
- Right Click on Ethernet
- Select Properties
- Select Internet Protocol Version 4 (TCP/IPv4)
- Click Properties
- Click Advanced
- Select the DNS tab
- Select Append these DNS suffixes (in order)
- Click Add
- Enter ad.ndsu.edu
- Click Add
- Click OK
- Click OK
- Click Close
- Exit the Network Connections Control panel
- Exit Settings
Run LSASS as a Protected Service:
Local Security Authority Subsystem Service (LSASS) is the process that is responsible for running and enforcing the security policies on a Windows computer. Running this subsystem as a protected service prevents other applications from inserting commands or hijacking the LSASS application to gain access to tokens or passwords that are in use on the system.
To check if this is enabled:
- Click Start
- Type powershell
- Right click on Windows PowerShell and select “Run as administrator”
- Select Yes to the User Account Control prompt (if prompted)
- Log in to your administrator account (if prompted)
- Type the following command and hit enter:
- Get-ItemProperty "HKLM:\SYSTEM\ControlSet001\Control\Lsa" -Name RunAsPPL
If RunAsPPL is set to 1, then LSASS is protected and is secure
If RunAsPPL is set to 0 or does not exist, then LSASS is not protected and this process can be hijacked
To run LSASS as a protected service:
- Click Start
- Type powershell
- Right click on Windows PowerShell and select “Run as administrator”
- Select Yes to the User Account Control prompt (if prompted)
- Log in to your administrator account (if prompted)
- Type the following command and hit enter:
- Set-ItemProperty "HKLM:\SYSTEM\ControlSet001\Control\Lsa" -Name RunAsPPL -Value "1" -Type DWord
- Confirm the setting by running the following command and hitting enter:
- Get-ItemProperty "HKLM:\SYSTEM\ControlSet001\Control\Lsa" -Name RunAsPPL
If RunAsPPL is set to 1, then LSASS is protected and is secure
If RunAsPPL is set to 0, then LSASS is not protected and this process can be hijacked
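The three checks on this page (LLMNR, NBT-NS and RunAsPPL) can also be read in one pass from an elevated PowerShell prompt. The script below is an added example, not part of the original directions, and it only reads settings. It assumes the "Turn off multicast name resolution" policy is stored as EnableMulticast under the standard DNSClient policy key, and it reads RunAsPPL from CurrentControlSet, which Windows maps to the active control set (normally ControlSet001); the helper name Get-RegValue is made up for this example.

```powershell
# Added example: read-only audit of the three settings covered on this page.
# Run from an elevated Windows PowerShell prompt. Nothing is changed.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$results = @()

# LLMNR: when "Turn off multicast name resolution" is set to Enabled,
# the policy is stored as EnableMulticast = 0. A missing value means
# Not Configured, so LLMNR is still running.
$llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
$results += [pscustomobject]@{
    Check  = 'LLMNR policy (EnableMulticast)'
    Value  = if ($null -eq $llmnr) { 'Not Configured' } else { $llmnr }
    Secure = ($llmnr -eq 0)
}

# NBT-NS: the WINS tab setting, per IP-enabled adapter.
# TcpipNetbiosOptions: 0 = default (from DHCP), 1 = enabled, 2 = disabled.
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $adapters) {
    $results += [pscustomobject]@{
        Check  = "NetBIOS over TCP/IP ($($nic.Description))"
        Value  = $nic.TcpipNetbiosOptions
        Secure = ($nic.TcpipNetbiosOptions -eq 2)
    }
}

# LSASS: RunAsPPL = 1 is the protected setting described on this page.
# 2 (protection without the UEFI lock, Windows 11 22H2 and later) is not
# covered by the page but is also counted as protected here.
$ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
$results += [pscustomobject]@{
    Check  = 'LSASS RunAsPPL'
    Value  = if ($null -eq $ppl) { 'Not set' } else { $ppl }
    Secure = ($ppl -in @(1, 2))
}

$results | Format-Table -AutoSize
```

Any row with Secure = False corresponds to one of the "you could be vulnerable" conditions above; the RunAsPPL value only takes effect after a reboot, so a freshly set 1 does not mean LSASS is already running protected.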