LAN Manager authentication level practices

By Keren Pollack, on October 31st, 2019

NTLM attacks are especially relevant to Active Directory environments. One of the most common attack scenarios is NTLM Relay, in which the attacker compromises one machine and then spreads laterally to other machines by using NTLM authentication directed at the compromised server.

The best way to cope with NTLM vulnerabilities is basically not to use NTLM, as there are better and safer authentication methods out there. But that’s easier said than done because most large and established infrastructures contain machines that can only use NTLM. In this case, it is important to make sure they are configured in the most secure fashion possible and we’ll dive into Lan Manager best practices.

Server hardening can be a painful procedure. If you’re reading this article, you probably already know it. Endless hours, labor, and money are invested in this process, which can often result in production breakdown despite the effort to prevent it. CHS by CalCom automates the entire server hardening process. CHS’s unique ability to ‘learn’ your network eliminates the need to perform lab testing while ensuring zero outages to your production environment. CHS will allow you to implement your policy directly on your production servers, hassle-free.

In this article you’ll learn:

The role of LAN Manager authentication level
The potential vulnerability in this rule
How to mitigate this vulnerability
The potential impact of mitigating it on your network’s function
The severity of the vulnerability
What we recommend to do
A practical guide on how to configure this setting in the most secure fashion

POLICY DESCRIPTION:

LAN Manager (LM) is a family of early Microsoft client/server software products that allows users to link personal computers together on a single network. Network capabilities include transparent file and printer sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2.

LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations:

Join a domain
Authenticate between Active Directory forests
Authenticate to down-level domains
Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP
Authenticate to computers that are not in the domain

The possible values for the Network security: LAN Manager authentication-level setting are:

Send LM & NTLM responses –Clients use LM and NTLM authentication and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
Send LM & NTLM – use NTLMv2 session security if negotiated – Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
Send NTLM responses only –Clients use NTLM authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
Send NTLMv2 responses only –Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
Send NTLMv2 responses only\refuse LM –Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
Send NTLMv2 responses only\refuse LM & NTLM –Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
Not Defined

POTENTIAL VULNERABILITY:

Default configurations per operating system:

*Windows Vista – Not Defined

*Windows 95-based and Windows 98-based clients only send LM.

*Windows 2000, Windows Server 2003, and Windows XP- send LM and NTLM authentication responses.

*Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, computers authenticate by default using both the LM and NTLM protocols.

The default setting on these servers allows all clients to authenticate with servers and use their resources. However, this means that LM responses — the weakest form of authentication response — are sent over the network, making it possible for attackers to sniff that traffic and easily reproduce the user’s password.

You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for earlier clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 domain controllers.

Mitigating NTLM relay remote code execution

COUNTERMEASURES:

Configure the Network security: LAN Manager Authentication Level setting to Send NTLMv2 responses only. We recommend this level of authentication when all clients support NTLMv2.

For more information about how to enable NTLMv2 on older versions of Windows, see Microsoft Windows NT 4.0 requires Service Pack 4 (SP4) to support NTLMv2, and Windows 95 and Windows 98 platforms need the directory service client installed in order to support NTLMv2.

POTENTIAL IMPACT:

Clients that do not support NTLMv2 authentication will not be able to authenticate in the domain and access domain resources by using LM and NTLM. You can follow this guide to help determine where NTLM may be used within your environment.

SEVERITY:

Critical

CALCOM’S RECOMMENDED VALUE:

Send NTLMv2 response only. Refuse LM.

Note: If the server is set to send NTLMv2 responses only and refuse LM & NTLM, clients that use LM and NTLM will not be able to access IIS applications unless the client\workstation is also set with the same configuration. Other applications might not work properly as well.

HOW TO CONFIGURE:

To configure NTLM compatibility for Windows Vista and Windows 7:

Click Start > All Programs > Accessories > Run and type secpol.msc in the Open box, and then click OK.
Click Local Policies > Security Options > Network Security: LAN Manager authentication level.
Click Send LM & NTLM – use NTLMv2 session security if negotiated.
Click Apply.

Configuring GPO to Force NTLMv2

Go to the GPO section Computer Configurations -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options and find the policy Network Security: LAN Manager authentication level.

You can also disable NTLMv1 through the registry. To do it, create a DWORD parameter with the name LmCompatibilityLevel and the value 0-5 in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lsa. Value 5 corresponds to the policy option “Send NTLMv2 response only. Refuse LM NTLM”.

http://woshub.com/disable-ntlm-authentication-windows/

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

LAN Manager authentication level best practices

In this article you’ll learn:

POLICY DESCRIPTION:

POTENTIAL VULNERABILITY:

COUNTERMEASURES:

POTENTIAL IMPACT:

SEVERITY:

CALCOM’S RECOMMENDED VALUE:

HOW TO CONFIGURE:

Configuring GPO to Force NTLMv2

HQ

US OFFICE

Learn how our tools can help you with hardening

LAN Manager authentication level best practices

In this article you’ll learn:

POLICY DESCRIPTION:

POTENTIAL VULNERABILITY:

COUNTERMEASURES:

POTENTIAL IMPACT:

SEVERITY:

CALCOM’S RECOMMENDED VALUE:

HOW TO CONFIGURE:

Configuring GPO to Force NTLMv2