  • Misconfiguration Name
  • LAN Manager Authentication Level setting is not set to a secure level (must be set to accept only NTLMv2 and refuse LM and NTLM)
  • Description
  • The LAN Manager Authentication Level setting determines which authentication protocols Windows accepts when authenticating users to a network resource. LAN Manager authentication covers the LM, NTLM, and NTLMv2 protocols. NTLMv2 is the safest of the three because it mitigates replay attacks, so the LAN Manager Authentication Level policy must be set to accept NTLMv2 authentication and refuse LM and NTLM authentication.
  • Severity
  • Critical
  • Category
  • OS Security Hardening
  • Resolution
  • Follow the steps below in Group Policy to resolve the misconfiguration. Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM".
  • Potential issues that may arise after applying the resolution
  • Altering the existing security setting may have the following impact on your network operations. Legacy systems that do not support NTLMv2 authentication will no longer be able to authenticate to the domain or access domain resources, because their LM and NTLM responses will be refused.
  • Does remediation require reboot?
  • No
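
As an added example (not part of this catalog entry), the following PowerShell audits the registry value that the "Network security: LAN Manager authentication level" policy writes and optionally sets it to the secure level. The LmCompatibilityLevel value under the Lsa key and its 0-5 level mapping are standard Windows settings not named on this page; level 5 is the "Send NTLMv2 response only. Refuse LM & NTLM" option the resolution above requires.

```powershell
# Added example, not the catalog's own code. Reads the LmCompatibilityLevel
# value the GPO setting maps to and reports whether the host is at level 5.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Standard level-to-policy-text mapping for this setting.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmAuthLevelStatus {
    # Returns an object describing the current level and whether it is compliant.
    $prop = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: Windows applies an OS-dependent default, so the
        # secure level is not explicitly enforced on this host.
        $level   = $null
        $meaning = 'Not configured (OS default applies)'
    } else {
        $level   = [int]$prop.LmCompatibilityLevel
        $meaning = $LevelNames[$level]
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Level        = $level
        Meaning      = $meaning
        Compliant    = ($level -eq 5)
    }
}

function Set-LmAuthLevelSecure {
    # Sets level 5 locally; supports -WhatIf so the change can be previewed.
    # On a domain-joined host the GPO value wins at the next policy refresh,
    # so prefer the Group Policy path from the Resolution field there.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($LsaKey, 'Set LmCompatibilityLevel to 5')) {
        Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value 5 -Type DWord
    }
}

Get-LmAuthLevelStatus | Format-List
```

Run the audit function across hosts (for example via Invoke-Command) to find machines still accepting LM or NTLM before rolling out the GPO change; the Compliant field is $true only at level 5.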