Fixing Weak LAN Manager

Hi everybody!

I'm working on fixing the vulnerability/misconfiguration that InsightVM detects as “Weak LAN Manager hashing permitted”. To test the fix I have created a Windows virtual machine and installed the Rapid7 agent.

Here you can see the details of the vulnerability:

[screenshot: vulnerability description]

The check that VM does, as far as I understand, is to check whether the registry key “LMCompatibilty” exists. If it doesn't, then the vulnerability is not resolved.

[screenshot]

VM suggests the same as Microsoft (https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password): create the key and set it to 5.

[screenshot]

Then I check the Local Security Policy → Network security: Do not store LAN Manager hash value on next password change (the screenshot is in Spanish, but that's the policy…). It's enabled.

[screenshot]

Then I wait for the agent to report. The vulnerability is not resolved.

Any ideas why?

Has anybody fixed this in their infrastructure?

Thanks!

Hi rascarza,

Not sure if you ever got this remediated since it has been several months since you posted, but I just got done testing this same vulnerability in our environment and figured I would reply to you and have this available for anyone else who is working on this same vulnerability. You can resolve this by Group Policy or Intune, depending on what you use in your environment.

For local group policy, you’ll want to navigate to “Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options” and look for Network Security: LAN Manager Authentication Level. Once you find that policy, enable it and set it to “Send NTLMv2 Response Only. Refuse LM & NTLM”. This is the same as going into the registry and changing the LMCompatibilityLevel to 0x00000005. Once you have it enabled and applied in your environment, that should force NTLMv2 and remediate that vulnerability. I have not tested the on-prem Group Policy yet as we are pushing this out through Intune at the moment, but it should work as I set the policy on-prem first and then migrated it to Intune.

For Intune, create a configuration policy and select Settings Catalog for the profile type. When you get to the settings picker, search for “Network Security LAN Manager Authentication Level”, which should be the only result. Select that policy and set it for “Send LM and NTLMv2 responses only. Refuse LM and NTLM”. I believe this is a typo in Intune as you are forcing NTLMv2 responses only and blocking all LM and NTLMv1, not sending both LM and NTLMv2 responses; but this will remediate the Weak LAN Manager Hashing Permitted vulnerability in Rapid7. We have it pushed out to about 20 devices so far as a test and they all no longer have the vulnerability.

Hopefully this helps someone who is trying to remediate this vulnerability!

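As an added example (not code from either post above), here is a PowerShell script that audits the two LSA registry values this thread talks about and optionally sets them to the values the answer recommends: LmCompatibilityLevel (what the “Network security: LAN Manager Authentication Level” policy writes; 5 = “Send NTLMv2 response only. Refuse LM & NTLM”) and NoLMHash (what the “Do not store LAN Manager hash value on next password change” policy writes; 1 = enabled). The registry path and value names are the standard Windows ones; the -Remediate switch, the function name and the output shape are this example's own choices.

```powershell
# Added example: audit (and with -Remediate, fix) the two LSA settings discussed
# in the thread on the local machine. Run from an elevated PowerShell prompt.
#   LmCompatibilityLevel = 5 -> Send NTLMv2 response only. Refuse LM & NTLM
#   NoLMHash             = 1 -> Do not store LAN Manager hash on next password change
# Note: LmCompatibilityLevel takes effect after a reboot; NoLMHash only removes the
# LM hash the next time each account's password is changed.
[CmdletBinding()]
param(
    [switch]$Remediate   # hypothetical switch for this example: write the desired values
)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Desired values, as recommended in the answer above.
$Desired = [ordered]@{
    LmCompatibilityLevel = 5
    NoLMHash             = 1
}

function Get-LsaValue {
    param([string]$Name)
    # Get-ItemProperty throws when the value does not exist. Return $null in that
    # case so the caller can tell "not set" apart from "set to 0": a missing value
    # means the OS default applies, not the hardened setting, and the first post
    # reports that the scanner treats a missing value as unremediated.
    try {
        (Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

$results = foreach ($name in $Desired.Keys) {
    $current   = Get-LsaValue -Name $name
    $compliant = ($null -ne $current) -and ([int]$current -eq $Desired[$name])

    if (-not $compliant -and $Remediate) {
        # LSA reads these as REG_DWORD. -Force creates the value if it is missing
        # and overwrites it if it exists with a different value or type.
        New-ItemProperty -Path $LsaKey -Name $name -PropertyType DWord `
            -Value $Desired[$name] -Force | Out-Null
        $current   = Get-LsaValue -Name $name
        $compliant = ([int]$current -eq $Desired[$name])
    }

    [pscustomobject]@{
        Setting   = $name
        Current   = if ($null -eq $current) { '(not set)' } else { $current }
        Desired   = $Desired[$name]
        Compliant = $compliant
    }
}

$results | Format-Table -AutoSize

if ($results.Compliant -contains $false) {
    Write-Warning 'One or more settings are non-compliant. Re-run with -Remediate, then reboot before rescanning.'
}
```

Run it once without arguments on the test VM to see what the scanner is actually looking at, then with -Remediate. Two caveats: if either setting is already delivered by Group Policy or Intune, the policy engine will overwrite a hand-edited registry value on the next refresh, so make the change in the policy rather than in the registry on managed machines; and these are two different settings, so enabling only the “Do not store LAN Manager hash value” policy (NoLMHash) leaves LmCompatibilityLevel unchanged.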