If your LAN Manager Authentication level is set to less than 3, your environment is at significant risk. Attackers can exploit this vulnerability through the following steps:
- Coerce a Domain Controller (DC): Attackers can force a DC to authenticate to a malicious server.
- Capture the NetNTLMv1 Hash: During the authentication process, the attacker captures the NetNTLMv1 hash.
- Crack the NetNTLMv1 Response: Using rainbow tables and modern GPU resources, the attacker cracks the NetNTLMv1 response back into an NTLM hash.
- Create a Kerberos Silver Ticket: With the NTLM hash, the attacker can create a Kerberos Silver Ticket, granting them unauthorized access to resources.
You Should Know:
To mitigate this risk, ensure your LAN Manager Authentication level is set to 3. Here are the steps to configure this on a Windows system:
1. Open Group Policy Management Console (GPMC):
`gpmc.msc`
2. Navigate to the appropriate Group Policy Object (GPO):
- Go to `Computer Configuration` > `Policies` > `Windows Settings` > `Security Settings` > `Local Policies` > `Security Options`.
3. Set the LAN Manager Authentication Level:
- Find the policy `Network security: LAN Manager authentication level`.
- Set it to `Send NTLMv2 response only. Refuse LM & NTLM`.
4. Apply the GPO:
- Link the GPO to the appropriate Organizational Unit (OU) and enforce it.
Additional Commands and Steps:
- Check Current LAN Manager Authentication Level:
`reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel`
- Set LAN Manager Authentication Level via Registry (if GPO is not an option):
`reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 3 /f`
- Verify the Change:
`gpupdate /force`
- Monitor for Unauthorized Access:
`wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text /c:10 /rd:true`
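The following PowerShell is an added example, not part of the original post. It narrows the event 4624 query to logons whose `LmPackageName` field is `NTLM V1`, so the output shows which accounts and hosts still authenticate with NTLMv1. The function names `ConvertFrom-LogonEventXml` and `Get-NtlmV1Logon` are hypothetical, and the embedded sample event is constructed.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Turn one Security event (as XML) into a flat object with the logon fields.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $evt  = ([xml]$EventXml).Event
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $evt.System.TimeCreated.SystemTime
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
        AuthPackage = $data['AuthenticationPackageName']
        LmPackage   = $data['LmPackageName']
    }
}

# Query only 4624 events whose LmPackageName is "NTLM V1" (needs elevation).
function Get-NtlmV1Logon {
    param([int]$MaxEvents = 1000)
    $xpath = "*[System[EventID=4624] and " +
             "EventData[Data[@Name='LmPackageName']='NTLM V1']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents `
                 -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LogonEventXml -EventXml $_.ToXml() }
}

# Constructed sample event (trimmed to the fields used), so the parser runs offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-01-01T00:00:00.000Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">EXAMPLE-HOST$</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">EXAMPLE-HOST</Data>
    <Data Name="LmPackageName">NTLM V1</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEventXml -EventXml $sample

# Live use: which accounts and hosts still authenticate with NTLMv1.
Get-NtlmV1Logon | Group-Object Account, Workstation |
    Sort-Object Count -Descending | Select-Object Count, Name
```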
What Undercode Say:
Securing your LAN Manager Authentication level is crucial in protecting your Active Directory environment from sophisticated attacks. By setting the authentication level to 3, you significantly reduce the risk of attackers capturing and cracking NTLM hashes. Regularly monitor your environment for any signs of unauthorized access and ensure that all systems are up-to-date with the latest security patches. For more detailed steps, refer to the GitHub repository mentioned in the article.
References:
Reported By: Spenceralessi If – Hackers Feeds



