CCE

CCE-22639-9

Platform: cpe:/o:microsoft:windows_8
Date: (C)2014-05-14   (M)2023-07-04



LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations:

- Join a domain
- Authenticate between Active Directory forests
- Authenticate to down-level domains
- Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP
- Authenticate to computers that are not in the domain

The possible values for the Network security: LAN Manager authentication level setting are:

- Send LM & NTLM responses
- Send LM & NTLM - use NTLMv2 session security if negotiated
- Send NTLM responses only
- Send NTLMv2 responses only
- Send NTLMv2 responses only. Refuse LM
- Send NTLMv2 responses only. Refuse LM & NTLM
- Not Defined

The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the authentication level that servers accept, as follows:

- Send LM & NTLM responses. Clients use LM and NTLM authentication and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Send LM & NTLM - use NTLMv2 session security if negotiated. Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Send NTLM response only. Clients use NTLM authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Send NTLMv2 response only. Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Send NTLMv2 response only. Refuse LM. Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
- Send NTLMv2 response only. Refuse LM & NTLM. Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).

These settings correspond to the levels discussed in other Microsoft documents as follows:

- Level 0 - Send LM and NTLM response; never use NTLMv2 session security. Clients use LM and NTLM authentication, and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Level 1 - Use NTLMv2 session security if negotiated. Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Level 2 - Send NTLM response only. Clients use only NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Level 3 - Send NTLMv2 response only. Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Level 4 - Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers refuse LM authentication, that is, they accept NTLM and NTLMv2.
- Level 5 - Domain controllers refuse LM and NTLM responses (accept only NTLMv2). Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it. Domain controllers refuse NTLM and LM authentication (they accept only NTLMv2).

Countermeasure: Configure the Network security: LAN Manager Authentication Level setting to Send NTLMv2 responses only. We and a number of independent organizations strongly recommend this level of authentication when all clients support NTLMv2.

Potential Impact: Clients that do not support NTLMv2 authentication will not be able to authenticate in the domain and access domain resources by using LM and NTLM.


Parameter:

[Send LM and NTLM responses / Send LM and NTLM - use NTLMv2 session security if negotiated / Send NTLM response only / Send NTLMv2 response only / Send NTLMv2 response only. Refuse LM / Send NTLMv2 response only. Refuse LM and NTLM]


Technical Mechanism:

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level
(2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa!LmCompatibilityLevel
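The following PowerShell script is an added example for auditing this CCE on a single host; it is not SecPod's code and not part of the OVAL definition referenced below. It reads the registry value named in the technical mechanism (HKLM\System\CurrentControlSet\Control\Lsa, LmCompatibilityLevel), maps it to the level numbers described above, and reports whether the countermeasure (level 3, "Send NTLMv2 responses only") is met. The function names, the decision that levels 4 and 5 also satisfy the countermeasure, and the handling of an absent value as non-compliant are assumptions made for this example.

```powershell
# Added example (not SecPod's code): audit CCE-22639-9 on the local machine.
# Reads the registry value behind "Network security: LAN Manager
# authentication level" and maps it to the levels in the CCE description.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

# Level numbers and meanings as listed in the CCE description.
$Levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM responses only'
    3 = 'Send NTLMv2 responses only'
    4 = 'Send NTLMv2 responses only. Refuse LM'
    5 = 'Send NTLMv2 responses only. Refuse LM & NTLM'
}

# Countermeasure from the record is level 3. Levels 4 and 5 are stricter and
# are treated here as also satisfying it (assumption for this example).
$MinimumCompliantLevel = 3

function Get-LmCompatibilityLevelStatus {
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the policy is "Not Defined", so the OS default applies.
        # Report it as a finding rather than assuming the default is compliant.
        return [pscustomobject]@{
            Level       = $null
            Description = 'Not Defined'
            Compliant   = $false
            Finding     = "$ValueName is not set under $RegPath; verify the effective default"
        }
    }

    $level = [int]$item.$ValueName
    if ($Levels.ContainsKey($level)) { $description = $Levels[$level] }
    else                             { $description = "Unknown value $level" }

    $compliant = ($level -ge $MinimumCompliantLevel)
    if ($compliant) { $finding = 'Meets CCE-22639-9 countermeasure' }
    else            { $finding = 'Clients may send LM/NTLM responses; raise to level 3 or higher' }

    [pscustomobject]@{
        Level       = $level
        Description = $description
        Compliant   = $compliant
        Finding     = $finding
    }
}

# Remediation helper (requires administrative rights). Supports -WhatIf so the
# change can be previewed; legacy clients without NTLMv2 support will fail to
# authenticate afterwards, as described under "Potential Impact".
function Set-LmCompatibilityLevel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(3, 5)][int]$Level = 3)
    $target = "$RegPath\$ValueName"
    if ($PSCmdlet.ShouldProcess($target, "Set to $Level ($($Levels[$Level]))")) {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value $Level -Type DWord
    }
}

Get-LmCompatibilityLevelStatus | Format-List
# Preview the change without applying it:
# Set-LmCompatibilityLevel -Level 3 -WhatIf
```

In a domain the GPO path in (1) is the authoritative control and overrides a locally set value on refresh, so the registry read above reflects the effective setting only after policy has been applied; the SCAP OVAL definition listed under References performs the equivalent registry check at scale.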

CCSS Severity:
CCSS Score: 7.5
Exploit Score: 1.6
Impact Score: 5.9
Severity: HIGH
Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CCSS Metrics:
Attack Vector: ADJACENT_NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

References:
Resource Id: SCAP Repo OVAL Definition
Reference: oval:org.secpod.oval:def:13953


OVAL (1):
oval:org.secpod.oval:def:13953

XCCDF (4):
xccdf_org.secpod_benchmark_NIST_800_53_r4_Windows_8
xccdf_org.secpod_benchmark_general_Windows_8
xccdf_org.secpod_benchmark_PCI_Windows_8
xccdf_org.secpod_benchmark_ISO27001_Windows_8
...

© SecPod Technologies