THE HARDENING BRIEF | Issue #001
Weekly security findings for sysadmins.
The Finding
When DNS fails to resolve a hostname, Windows doesn't stop there. It quietly falls back to LLMNR and NBT-NS, multicast protocols that broadcast the query across the entire local network segment. Any host can answer. An attacker runs Responder, responds to the query, intercepts the authentication attempt, and walks away with an NTLM hash. From there it's either offline cracking or an NTLM relay attack depending on what else is misconfigured on the network. No CVE needed. No elevated privileges. Just presence on the same subnet.
This is the first thing any decent pentester runs on day one of an internal engagement. It works in most environments because these protocols shipped enabled and nobody turned them off.
One thing worth knowing before you roll this out: disabling LLMNR and mDNS at the system level only stops Windows from using them at the OS layer. Applications can still use these protocols independently. Something like a Yealink conference room unit will usually keep working fine, but if anything breaks after rollout, that's your culprit. Test on a pilot group first and use GPO security filtering if you need to exclude specific machines rather than pulling the whole policy back.
The Fix
Disable LLMNR via GPO:
```
Computer Configuration → Administrative Templates
→ Network → DNS Client
→ "Turn off multicast name resolution" → Enabled
```
Disable NBT-NS (no native GPO; push via PowerShell startup script or Intune, or get the ADMX Security Templates):
```
# 2 = disable NetBIOS over TCP/IP; the wildcard matches every Tcpip_{GUID} interface key
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\tcpip*" `
    -Name NetbiosOptions -Value 2
```
Disable mDNS via GPO Preferences (takes effect after reboot):
```
Computer Configuration → Preferences → Windows Settings
→ Registry
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
Value: EnableMDNS | DWORD | 0
```
Verify all three are actually off after rollout (from a PowerShell prompt; in cmd.exe drop the # comments):
```
netstat -nao | FIND /i ":137 "   # NBT-NS
netstat -nao | FIND /i ":5353 "  # mDNS
netstat -nao | FIND /i ":5355 "  # LLMNR
```
No output means they're gone.
One Action Today
Check whether "Turn off multicast name resolution" is set to Enabled in your workstation GPO. If it says Not Configured, you're open right now.
