Network security: Allow Local System to use computer identity for NTLM
ID: oval:org.secpod.oval:def:40301 | Date: (C)2017-04-25 (M)2023-07-04
Class: COMPLIANCE | Family: windows
When enabled, this policy setting causes Local System services that use Negotiate to use the computer identity when NTLM authentication is selected by the negotiation.
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Vulnerability:
When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008, services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption are supported in order to provide data protection.
Counter Measure:
Configure Network security: Allow Local System to use computer identity for NTLM to Enabled.
Potential Impact:
If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.
If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This was the behavior in previous versions of Windows.
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM
(2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa!UseMachineId
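The following PowerShell script is an added example, not part of the SecPod definition or its OVAL content: it audits the registry value named in the Fix section and, with -Remediate, sets it to the Enabled state. It assumes that Enabled corresponds to the DWORD UseMachineId = 1 and that a missing or zero value means the legacy anonymous NTLM fallback.

```powershell
# Added example (not SecPod's code): audit/remediate "Allow Local System to use
# computer identity for NTLM" through its registry value.
# Assumption: Enabled == DWORD UseMachineId = 1; missing or 0 == legacy behaviour
# (Local System services fall back to an anonymous NULL session under NTLM).
param([switch]$Remediate)

$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'UseMachineId'

function Get-UseMachineIdState {
    # Returns the current state of the setting as an object for logging or reporting.
    $item = Get-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = $null; Compliant = $false }
    }
    $current = [int]$item.$ValueName
    [pscustomobject]@{ Present = $true; Value = $current; Compliant = ($current -eq 1) }
}

$state = Get-UseMachineIdState
if ($state.Compliant) {
    Write-Output "COMPLIANT: $ValueName = $($state.Value) (computer identity used for NTLM fallback)"
}
else {
    $shown = if ($state.Present) { $state.Value } else { '<missing>' }
    Write-Output "NON-COMPLIANT: $ValueName = $shown (Local System falls back to anonymous NTLM)"
    if ($Remediate) {
        # Set-ItemProperty creates the value if it does not exist yet.
        Set-ItemProperty -Path $LsaPath -Name $ValueName -Value 1 -Type DWord
        Write-Output "Remediated: $ValueName set to 1; verify with a subsequent audit run"
    }
}
```

In a domain, apply the setting through the GPO path listed above rather than editing the registry directly, since policy refresh will overwrite a conflicting local value.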
Platform: Microsoft Windows Server 2016