Fixing Weak Lan Manager

Hi everybody!

I'm working on fixing the vulnerability/misconfiguration that InsightVM detects as “Weak Lan Manager hashing permitted”. To test the fix I have created a Windows virtual machine and installed the Rapid7 agent.

Here you can see the details of the vulnerability:

weakLanManagerDescription

The check that VM performs, as far as I understand, is to check whether the registry key “LMCompatibility” exists. If it doesn't, then the vulnerability is not resolved.

VM suggests the same as Microsoft (https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password): create the key and set it to 5.

Then I check the Local Security Policy → Network security: Do not store LAN Manager hash value on next password change. (The screenshot is in Spanish, but that's the policy…) It's enabled.

Then I wait for the agent to report. The vulnerability is not resolved.

Any ideas why?

Has anybody fixed this in their infrastructure?

Thanks!
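
An added example, not part of the original post and not Rapid7's check logic: a PowerShell audit of the two LSA registry values behind the settings mentioned above, reporting whether each exists as a value (rather than a subkey), its type, and its data. It assumes the standard Windows value names `LmCompatibilityLevel` and `NoLMHash` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`; the function name `Test-LsaValue` is hypothetical.

```powershell
# Added example: audit the LSA registry values tied to LAN Manager settings.
# Assumption: standard value names under the Lsa key; what the scanner reads is not known here.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Value name -> data expected after hardening
$expected = [ordered]@{
    LmCompatibilityLevel = 5   # LAN Manager authentication level (the "set it to 5" value)
    NoLMHash             = 1   # "Do not store LAN Manager hash value on next password change"
}

function Test-LsaValue {
    param([string]$Path, [string]$Name, [int]$Want)

    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    $result = [ordered]@{
        Name               = $Name
        Present            = $false
        Kind               = $null
        Data               = $null
        Expected           = $Want
        SubkeyWithSameName = $false
        Ok                 = $false
    }

    # A subkey (folder) created with the value's name is a common regedit mistake:
    # it looks right in the tree but carries no data.
    $result.SubkeyWithSameName = Test-Path -LiteralPath (Join-Path $Path $Name)

    # Registry value names are case-insensitive, as is -contains
    if ($key.GetValueNames() -contains $Name) {
        $result.Present = $true
        $result.Kind    = $key.GetValueKind($Name)
        $result.Data    = $key.GetValue($Name)
        # Must be a REG_DWORD with the expected data; a REG_SZ "5" does not count
        $result.Ok = ($result.Kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and
                     ($result.Data -eq $Want)
    }
    [pscustomobject]$result
}

$expected.GetEnumerator() |
    ForEach-Object { Test-LsaValue -Path $lsaPath -Name $_.Key -Want $_.Value } |
    Format-Table -AutoSize
```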