Fixing Weak Lan Manager

Hi everybody!

I'm working on fixing the vulnerability/misconfiguration that InsightVM detects as “Weak Lan Manager hashing permitted”. To test the fix I have created a Windows virtual machine and installed the Rapid7 agent.

Here you can see the details of the vulnerability:


The check that VM does, as far as I understand, is to check whether the registry key “LMCompatibility” exists. If it doesn't, then the vulnerability is not resolved.


VM suggests the same as Microsoft (https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password): create the key and set it to 5.


Then I check the Local Security Policy → Network security: Do not store LAN Manager hash value on next password change. (The screenshot is in Spanish, but that's the policy…) It's enabled.


Then I wait for the agent to report. The vulnerability is not resolved.

Any ideas why?

Has anybody fixed this in their infrastructure?

Thanks!

Hi rascarza,

Not sure if you ever got this remediated since it has been several months since you posted, but I just got done testing this same vulnerability in our environment and figured I would reply to you and have this available for anyone else who is working on this same vulnerability. You can resolve this by Group Policy or Intune, depending on what you use in your environment.

For local group policy, you’ll want to navigate to “Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options” and look for Network Security: LAN Manager Authentication Level. Once you find that policy, enable it and set it to “Send NTLMv2 Response Only. Refuse LM & NTLM”. This is the same as going into the registry and changing the LMCompatibilityLevel to 0x00000005. Once you have it enabled and applied in your environment, that should force NTLMv2 and remediate that vulnerability. I have not tested the on-prem Group Policy yet as we are pushing this out through Intune at the moment, but it should work as I set the policy on-prem first and then migrated it to Intune.

For Intune, create a configuration policy and select Settings Catalog for the profile type. When you get to the settings picker, search for “Network Security LAN Manager Authentication Level”, which should be the only result. Select that policy and set it for “Send LM and NTLMv2 responses only. Refuse LM and NTLM”. I believe this is a typo in Intune as you are forcing NTLMv2 responses only and blocking all LM and NTLMv1, not sending both LM and NTLMv2 responses; but this will remediate the Weak LAN Manager Hashing Permitted vulnerability in Rapid7. We have it pushed out to about 20 devices so far as a test and they all no longer have the vulnerability.

Hopefully this helps someone who is trying to remediate this vulnerability!


Hi,
First time posting but here is what worked for us…
Upgrade the CIFS authentication method

Configuration remediation steps

Upgrade the authentication method using the registry. Note that upgrading the authentication method to NTLMv2 will break compatibility with Windows 95/98/ME systems and older pre-NT4 SP4 systems. This behavior is by design. If the system itself is NT4 SP3 or earlier, it must be upgraded to at least NT4 SP4 before making these changes. Note that the settings described below can also be set via Group Policy, under “Security Options”, “LAN Manager Authentication Level”.

Run the registry editor (regedit.exe or regedt32.exe) and browse to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

and set the following value:

    Value Name: LMCompatibilityLevel
    Data Type:  REG_DWORD
    Data:       Level 5 should be used.

The valid values are:

0 Send LM response and NTLM response; never use NTLMv2 session security
1 Use NTLMv2 session security if negotiated
2 Send NTLM authentication only
3 Send NTLMv2 authentication only
4 DC refuses LM authentication
5 DC refuses LM and NTLM authentication (accepts only NTLMv2)

You should also modify the following values to the highest levels:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\

    Value Name: NtlmMinClientSec
    Data Type:  REG_DWORD
    Data:       See Security guidance for NTLMv1 (https://support.microsoft.com/en-us/help/2793313/security-guidance-for-ntlmv1-and-lm-network-authentication) for details.

    Value Name: NtlmMinServerSec
    Data Type:  REG_DWORD
    Data:       See Security guidance for NTLMv1 (https://support.microsoft.com/en-us/help/2793313/security-guidance-for-ntlmv1-and-lm-network-authentication) for details.

You must then shut down and restart for the changes to take effect.
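An audit script for the registry values this thread discusses, added here as an example (it is not Rapid7's or any poster's code): it reports each value as absent, wrong or compliant, which matters because the scanner flags a missing LMCompatibilityLevel, and optionally sets them. It assumes 0x20080000 (require NTLMv2 session security and 128-bit encryption) as the target for NtlmMinClientSec/NtlmMinServerSec, which the quoted guidance only references, and that NoLMHash is the registry value behind the "Do not store LAN Manager hash value" policy.

```powershell
# Added audit/remediation helper for the LM/NTLM hardening values in this thread.
# Assumption: 0x20080000 (NTLMv2 session security + 128-bit) is the target for
# NtlmMinClientSec / NtlmMinServerSec; change it if your guidance says otherwise.
# Run elevated. Without -Remediate it only reports; a reboot is still needed after changes.
[CmdletBinding()]
param([switch]$Remediate)

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Expected = @(
    @{ Path = $Lsa;          Name = 'LMCompatibilityLevel'; Value = 5 }          # refuse LM and NTLM, NTLMv2 only
    @{ Path = $Lsa;          Name = 'NoLMHash';             Value = 1 }          # "Do not store LAN Manager hash value" policy
    @{ Path = "$Lsa\MSV1_0"; Name = 'NtlmMinClientSec';     Value = 0x20080000 } # assumed target, see note above
    @{ Path = "$Lsa\MSV1_0"; Name = 'NtlmMinServerSec';     Value = 0x20080000 } # assumed target, see note above
)

$results = foreach ($e in $Expected) {
    # An absent value is exactly what the scanner reports on, so treat "absent"
    # as non-compliant rather than relying on the OS default.
    $item    = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { [int64]$item.($e.Name) } else { $null }
    $ok      = ($null -ne $current) -and ($current -eq $e.Value)

    if (-not $ok -and $Remediate) {
        if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        # -Force overwrites an existing value of the wrong data or type.
        New-ItemProperty -Path $e.Path -Name $e.Name -PropertyType DWord -Value $e.Value -Force | Out-Null
        $current = $e.Value
        $ok      = $true
    }

    [pscustomobject]@{
        Setting   = $e.Name
        Current   = if ($null -eq $current) { '<absent>' } else { '0x{0:X8}' -f $current }
        Expected  = '0x{0:X8}' -f $e.Value
        Compliant = $ok
    }
}

$results | Format-Table -AutoSize
# Non-zero exit lets a deployment tool or scheduled task detect drift.
if ($results.Compliant -contains $false) { exit 1 } else { exit 0 }
```

Run it once before and once after applying the Group Policy or Intune setting to confirm the agent-visible registry state actually changed, then reboot before expecting the scanner to clear the finding.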