Public/Disable-Llmnr.ps1
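function Disable-Llmnr {
    <#
    .SYNOPSIS
        Disables Link-Local Multicast Name Resolution (LLMNR).

    .DESCRIPTION
        Sets the EnableMulticast DWORD value to 0 under the Windows DNS Client
        policy registry key, disabling LLMNR. LLMNR is a broadcast-based name
        resolution protocol that is frequently abused by network-based poisoning
        attacks such as those performed by Responder.

        The registry key is created if it does not exist. Changes take effect for
        new name resolution requests without requiring a restart.

        Failures on a remote target are raised as terminating errors so that the
        caller is not left with a silently unchanged host.

    .INPUTS
        None. Parameters must be supplied directly.

    .OUTPUTS
        None.

    .PARAMETER ComputerName
        The target computer. Defaults to the local machine. The local machine
        name, 'localhost', '127.0.0.1' and '.' are handled in-process; any other
        value is reached through WinRM.

    .EXAMPLE
        Disable-Llmnr

        Disables LLMNR on the local machine.

    .EXAMPLE
        Disable-Llmnr -ComputerName 'Workstation01'

        Disables LLMNR on Workstation01.

    .NOTES
        Requires Administrator privileges. Disabling LLMNR may affect name
        resolution in environments that rely on it for local network discovery.
        DNS should be the primary name resolution method.

        Remote operations require WinRM to be configured on the target machine.
    #>
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
    [OutputType([void])]
    param (
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Common aliases for the local machine are handled in-process; this avoids an
    # unnecessary WinRM round-trip (and a WinRM dependency) for the local case.
    $isLocal = ($ComputerName -ieq $env:COMPUTERNAME) -or
               ($ComputerName -ieq 'localhost') -or
               ($ComputerName -eq '127.0.0.1') -or
               ($ComputerName -eq '.')

    $registryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $valueName    = 'EnableMulticast'

    if ($PSCmdlet.ShouldProcess($ComputerName, "Set $valueName = 0 in DNSClient policy")) {
        # The same script block is used locally and remotely so both paths apply
        # an identical change. Every step uses -ErrorAction Stop so a failure to
        # create the key or write the value terminates instead of being swallowed.
        $work = {
            param($registryPath, $valueName)

            if (-not (Test-Path -Path $registryPath)) {
                $null = New-Item -Path $registryPath -Force -ErrorAction Stop
            }

            Set-ItemProperty -Path $registryPath -Name $valueName -Value 0 -Type DWord -ErrorAction Stop
        }

        if ($isLocal) {
            & $work $registryPath $valueName
        }
        else {
            # Without -ErrorAction Stop, an error raised on the remote host is
            # re-emitted locally as a non-terminating error and the verbose
            # "disabled" message below would still be written.
            Invoke-Command -ComputerName $ComputerName `
                           -ScriptBlock $work `
                           -ArgumentList $registryPath, $valueName `
                           -ErrorAction Stop
        }

        Write-Verbose "LLMNR disabled on '$ComputerName'."
    }
}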