The "Network security: LAN Manager authentication level" setting in Windows controls the level of authentication used by the LAN Manager (NTLM) protocol. LAN Manager (LM) and NTLM are the Microsoft Windows implementations of the challenge-response protocols used for authentication.

This setting has several options to choose from:

 

  • Send LM & NTLM responses: This option allows the system to use both LM and NTLM authentication protocols. This is the least secure option as it allows the use of the less secure LM protocol in addition to NTLM.
  • Send NTLM response only/refuse LM: This option allows the system to use only the NTLM authentication protocol. This is more secure than the previous option, as it disables the use of the less secure LM protocol.
  • Send NTLMv2 response only/refuse LM & NTLM: This option allows the system to use the NTLMv2 authentication protocol. NTLMv2 is more secure than NTLM and is recommended for use when possible.
  • Send NTLMv2 response only/refuse LM & NTLM, and use NTLMv2 session security if negotiated: This option allows the system to use the NTLMv2 authentication protocol and, when the remote system negotiates it, also applies NTLMv2 session security to protect the session.

 

What types of attacks affect Network security: LAN Manager authentication level?

Network security: LAN Manager authentication level controls the level of authentication used by the LAN Manager (NTLM) protocol, and it affects exposure to the following attacks:

 

  1. Pass-the-Hash (PtH): Pass-the-Hash is an attack technique that allows an attacker to authenticate to a network resource by using the NTLM hash of a user’s password, rather than the plaintext password. This attack can be successful if the system is configured to use the “Send LM & NTLM responses” option, as LM hashes are more susceptible to cracking than NTLM hashes.
  2. Pass-the-Ticket (PtT): Pass-the-Ticket is similar to Pass-the-Hash, but it involves stealing a Kerberos ticket-granting ticket (TGT) and using it to request service tickets (TGS) to access network resources. This attack is not related to the “Network security: LAN Manager authentication level” setting.
  3. Credential Dumping: Credential dumping is the process of extracting credentials, such as NTLM hashes, from the memory of a compromised system. This attack can be successful regardless of the “Network security: LAN Manager authentication level” setting, as long as the attacker can gain access to the system and extract the credentials.
  4. Relay Attack: NTLM relay attack is an attack that allows an attacker to authenticate to a network resource by relaying the authentication request to another system. This attack can be successful regardless of the “Network security: LAN Manager authentication level” setting.
  5. Brute-force: Brute-force attacks involve attempting to guess a user’s password by trying different combinations of characters. NTLM is particularly susceptible to brute-force attacks because it uses relatively weak encryption to protect passwords. This attack can be successful regardless of the “Network security: LAN Manager authentication level” setting, although using the NTLMv2 protocol makes it harder to brute force.
  6. Man-in-the-Middle: Man-in-the-middle attacks involve intercepting and modifying network traffic, which can allow an attacker to steal NTLM credentials or launch relay attacks. This attack can be successful regardless of the “Network security: LAN Manager authentication level” setting.

 

What is the potential impact for MITRE ATT&CK on Network security: LAN Manager authentication level?

The MITRE ATT&CK framework is a comprehensive knowledge base of tactics, techniques, and procedures used by adversaries during cyber attacks. One of the techniques listed in the framework is the use of LAN Manager (LM) authentication, which is a legacy authentication protocol used in Windows operating systems.

 

An attacker could potentially exploit this technique by cracking the LM hash of a user’s password, which is stored on the network’s domain controllers. Once the hash is cracked, the attacker can use the password to gain unauthorized access to the network.

 

The impact of this technique on network security could be significant, as it could lead to the compromise of sensitive information, disruption of services, or even complete takeover of the network. Additionally, since LM is an old protocol, it may not be enabled on all systems, but an attacker can still re-enable it.

 

What are the major vulnerabilities of Network security: LAN Manager authentication level?

The MITRE ATT&CK framework includes techniques that specifically target the NTLM (NT LAN Manager) authentication protocol. NTLM is an older authentication protocol that is still used in some Windows environments and is considered less secure than more modern protocols such as Kerberos. Several techniques that can be used to exploit vulnerabilities in NTLM are present in the MITRE ATT&CK framework, including:

 

  • T1208 – Kerberoasting
  • T1558 – Pass the Hash
  • T1552 – Pass the Ticket
  • T1110 – Brute Force
  • T1003 – Credential Dumping
  • T1559 – Replication Through Removable Media
  • T1204 – User Execution

 

Such techniques can be used to gain NTLM credentials and use them to obtain unauthorized access to a system or network. Organizations should consider using more secure authentication protocols such as Kerberos and implement best practices for securing NTLM, such as using NTLMv2 and implementing network-level controls to prevent NTLM relay attacks.

 

Why is it important to harden Network security: LAN Manager authentication level?

Configuration hardening of LAN Manager (LM) authentication can help to mitigate the risks associated with this legacy protocol.

 

One important aspect of configuration hardening is disabling LM authentication. This can be done by modifying the registry settings on Windows systems or using Group Policy Objects (GPOs) to enforce the change across the entire network. By disabling LM authentication, an attacker would not be able to crack the LM hash of a user’s password and gain unauthorized access to the network.
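The registry change described above (and item 1 of the best-practices list further down), as an added PowerShell example that is not part of the original article or CalCom's tooling. It assumes the documented registry backing of the policy: the LmCompatibilityLevel DWORD (0 to 5) and the NoLMHash DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the function names are the author's own. It maps all six documented levels, not only the four the article lists.

```powershell
# Added example (not from the original article): audit and enforce the
# "Network security: LAN Manager authentication level" policy on the local
# machine. The GPO setting is backed by the LmCompatibilityLevel DWORD under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa; NoLMHash in the same key stops
# the LM hash from being stored at the user's next password change. Run as
# an administrator; on a domain-joined host the GPO overrides a local change.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meaning of each LmCompatibilityLevel value (0 weakest, 5 strongest).
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmAuthLevel {
    # Returns -1 when the value is absent, i.e. the OS default applies
    # (3 on currently supported Windows versions).
    $props = Get-ItemProperty -Path $LsaKey -ErrorAction Stop
    if ($null -eq $props.LmCompatibilityLevel) { return -1 }
    return [int]$props.LmCompatibilityLevel
}

function Test-LmAuthHardened {
    param([int]$MinimumLevel = 5)
    $level    = Get-LmAuthLevel
    $noLmHash = (Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue).NoLMHash
    [pscustomobject]@{
        Level     = $level
        LevelName = if ($level -ge 0) { $LevelNames[$level] } else { 'not set (OS default)' }
        NoLMHash  = ($noLmHash -eq 1)
        Compliant = ($level -ge $MinimumLevel) -and ($noLmHash -eq 1)
    }
}

function Set-LmAuthHardened {
    # Level 5: this host sends only NTLMv2 and, as a server or DC, refuses LM
    # and NTLMv1 responses. Clients that still depend on LM/NTLMv1 will stop
    # authenticating, so review recent logon events before enforcing it.
    Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Type DWord -Value 5
    Set-ItemProperty -Path $LsaKey -Name 'NoLMHash' -Type DWord -Value 1
}

Test-LmAuthHardened | Format-List
```

Call Set-LmAuthHardened only after the audit output and your logon logs show no remaining LM or NTLMv1 dependencies; existing LM hashes are only removed when each user next changes their password.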

 

Another important aspect of configuration hardening is implementing multi-factor authentication (MFA). MFA requires users to provide multiple forms of authentication, such as a password and a fingerprint or a password and a one-time code sent to a mobile device. This makes it much more difficult for an attacker to gain unauthorized access to the network, even if they were able to crack the LM hash of a user’s password.

 

Additionally, implementing strong password policies, regular password rotation, and regular monitoring of logs and network activity are good practices for hardening the security of your network.

 

Overall, configuration hardening is important for network security because it helps to reduce the attack surface and prevent unauthorized access. If you choose an automated approach, you will need a hardening automation tool, which removes the need for lab testing and saves you time and money.

 

What are the best practices for Network security: LAN Manager authentication level?

 

Organizations can implement several best practices to secure their networks and mitigate the risks associated with LAN Manager (LM) authentication:

 

  1. Disable LM authentication: This can be done by modifying the registry settings on Windows systems or using Group Policy Objects (GPOs) to enforce the change across the entire network.
  2. Implement multi-factor authentication (MFA): MFA requires users to provide multiple forms of authentication, such as a password and a fingerprint or a password and a one-time code sent to a mobile device.
  3. Implement strong password policies: This includes enforcing the use of complex passwords, regular password rotation, and not allowing the use of easily guessable passwords such as “password1”
  4. Regularly monitor logs and network activity: This includes monitoring for suspicious activity such as failed login attempts, unusual traffic, and system events that may indicate a potential attack.
  5. Keep software and system updated: Regularly update software and operating systems to ensure that known vulnerabilities are patched and to protect against new threats.
  6. Conduct regular security assessments: Such as penetration testing and vulnerability scanning, to identify and address potential vulnerabilities in the network. CHS by CalCom is a server hardening automation tool that learns the production environment and analyzes the impact of every configuration change. Learn more about CHS benefits.
  7. Implement a security incident response plan: Develop and implement an incident response plan that outlines the steps to be taken in the event of a security incident.
  8. Train employees on security best practices: Ensure that employees are aware of security best practices and are trained to recognize and respond to potential security threats.
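One concrete form of the log monitoring in item 4 (and in the hardening section above), as an added PowerShell example that is not part of the original article: it reports successful logons that still used LM or NTLMv1, which are both the events a defender wants to see and the dependencies that will break when the authentication level is raised. It assumes the documented event 4624 template, in which the negotiated NTLM variant is the LmPackageName field; the function name is the author's own.

```powershell
# Added example (not from the original article): list successful logons that
# still used LM or NTLMv1, from the local Security log. For NTLM logons,
# event 4624 records the negotiated variant in its LmPackageName field
# (LM, NTLM V1 or NTLM V2); Kerberos logons carry "-" there. Reading the
# event's Properties rather than its message text keeps this locale independent.
# Run as an administrator on the server or domain controller that handles logons.

function Get-LegacyNtlmLogons {
    param(
        [int]$Days = 7,
        [int]$MaxEvents = 20000
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Positions follow the 4624 event template: 5 TargetUserName,
            # 6 TargetDomainName, 8 LogonType, 11 WorkstationName,
            # 14 LmPackageName, 18 IpAddress.
            $p = $_.Properties
            $lmPackage = [string]$p[14].Value
            if ($lmPackage -in @('LM', 'NTLM V1')) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Package   = $lmPackage
                    Account   = '{0}\{1}' -f $p[6].Value, $p[5].Value
                    LogonType = $p[8].Value
                    Source    = $p[11].Value
                    SourceIP  = $p[18].Value
                }
            }
        }
}

# Summarise by package, account and source host to see what would break at
# "Send NTLMv2 response only. Refuse LM & NTLM" and what deserves a closer look.
Get-LegacyNtlmLogons -Days 7 |
    Group-Object Package, Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Accounts or hosts that appear here repeatedly are either legacy systems that need upgrading before the policy is tightened or candidates for investigation; an empty result over a representative period is the evidence that raising the level is safe.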

 

By following these best practices, organizations can better protect their networks against cyber threats and minimize the risks associated with legacy authentication protocols such as LAN Manager (LM).
