Top 10 Windows Security Configurations: Where and How! (Part 2)

If you would like to read the other parts in this article series please go to

Introduction

Now, on with the countdown! In my last installment, I covered 5 of the most important security settings that you need to set for your Windows environment. Those were great and important, but to be honest, I like these 5 even more. If you feel confident in certain security technologies by Microsoft, some of these might change your mind! I travel around the world educating admins and auditors on Windows security, and in turn, their comments and debates always make for interesting discussions. Trust me, this is the best place to understand how the technology works. Let us dive straight into it.

Note:
If you want to see the first 5 configurations from the previous installment, you can find them here.

6. Remove LanManager use

When you consider the all around security features for Windows, you have to keep in mind the days when authentication was handled by LanManager, or LM as it is sometimes referred to. Or do you? Well, unfortunately, Microsoft does still support LM in many of the operating systems, which can lead to a significant “hole” in your security wall against attackers. LM has to be one of the worst authentication protocols ever built, simply because of the way that it attempts to protect the password hash. Therefore, you need to take all precautions to protect your Windows environment from using it.

There are two different settings that you want to configure in order to protect against the use of LM. The first protects against LM hashes sent across the network. The second protects against LM hashes that are stored in the accounts database.

To protect the first portion of LM, you can configure a Group Policy Object policy. To set the policy, which I suggest you place in a GPO linked to the domain node, go to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options. Here you will find the LAN Manager Authentication Level policy, seen in Figure 1.


Figure 1: LAN Manager authentication levels can be set using Group Policy

Notice that in Figure 1 the policy is set to Send NTLMv2 response only. This is level 3 out of 6 levels. (In our case it is actually the fourth level in the list, but the first level is named level 0, due to the Registry value that is configured when you select it. You can also argue that they refer to it as level 0 because it provides “zero” security!) You can see the 6 levels, level 0-5, in Figure 2.


Figure 2: The 6 levels of LAN Manager authentication levels

Ideally, you will want to configure this to level 5, Send NTLMv2 response only, Refuse LM and NTLM, but you might find that some legacy clients and/or legacy software have issues with this setting. You will need to test before you implement it in a company environment.

The second setting that you will want to set in order to protect against LM is in the same GPO path. This setting, not configured on most versions of Windows and Active Directory, helps protect the LM hash as it sits in the Active Directory database or the local Security Accounts Manager (SAM) on servers and desktops. The setting, Do not store LAN Manager hash value on next password change, can be seen in Figure 3.


Figure 3: The storage of the LAN Manager hash can be controlled with Group Policy

This setting has only two options for you: Enabled or Disabled. Ideally, you want this setting to be enabled. When it is enabled, Windows will not store the LAN Manager hash value in the database the next time the user changes their password.
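Both policies in this section end up as registry values under the Lsa key (LmCompatibilityLevel and NoLMHash). The following PowerShell is an added example, not part of the original article, that reads both values on the local machine and compares them with the recommendations above; the function name Get-LmHardeningState is hypothetical.

```powershell
# Added example: audit the two LAN Manager settings on the local machine.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Names of the six LAN Manager authentication levels, indexed by registry value.
$levelNames = @(
    'Send LM & NTLM responses',
    'Send LM & NTLM - use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only. Refuse LM',
    'Send NTLMv2 response only. Refuse LM & NTLM'
)

function Get-LmHardeningState {
    $props = Get-ItemProperty -Path $lsaKey
    $level = $props.LmCompatibilityLevel   # $null if the policy was never set
    $noLm  = $props.NoLMHash               # 1 = do not store the LM hash

    # Describe the configured level, tolerating missing or unexpected values.
    $levelText = if ($null -eq $level) {
        'not set (operating system default applies)'
    } elseif (0..5 -contains $level) {
        "$level - $($levelNames[$level])"
    } else {
        "$level - unexpected value"
    }

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        LmAuthenticationLevel = $levelText
        RefusesLmAndNtlm      = ($level -eq 5)   # the ideal level named above
        LmHashStorageDisabled = ($noLm -eq 1)
    }
}

Get-LmHardeningState | Format-List
```

A machine that reports LmHashStorageDisabled as True can still hold older LM hashes, because the setting only takes effect at each account's next password change.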

7. Set fine grained passwords for administrators

This is possibly what everyone reading this article is waiting for. I know for a fact that 90% of all Windows administrators wanted this technology for years, and now it is here! The technology is called “fine grained password policies” (FGPP) and it allows for multiple password policies in the same Active Directory domain. Yes, this means that IT admins can have a minimum password length of 20 characters! Finance users can have a minimum password length of 15 characters, and executives can have a minimum password length of 2 characters (which is about all they can handle! Just kidding!).

Here is the trick… this is NOT configured using Group Policy! That’s right; you configure FGPP in the raw AD database. The best way to do this is to use ADSIEdit.msc, but there are other companies that have solutions with much simpler settings for you to set these up (Specopssoft’s Password Policy Basic tool for example). For more information on FGPP, check out Jakob Heidelberg’s article on WindowSecurity.com.

However, I want to at least give you the rundown on what you need to get these running:

  1. Every domain controller must be running Windows Server 2008 or greater
  2. The domain must be at Windows Server 2008 functional level
  3. You must have all users within a department located in a group, which is how the permissions work for FGPP
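As an added example (not from the original article), the sketch below checks the three requirements and then creates one policy with the ActiveDirectory PowerShell module instead of ADSIEdit. The policy name, the group name IT-Admins, and every value except the 20-character minimum length are constructed for illustration.

```powershell
Import-Module ActiveDirectory

# Hypothetical names, used for illustration only.
$policyName = 'PSO-IT-Admins'
$groupName  = 'IT-Admins'   # security group that holds the admin accounts

# Requirement 2: the domain must be at Windows Server 2008 functional level.
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
$domain  = Get-ADDomain
if ($domain.DomainMode -lt $minMode) {
    throw "Domain functional level is $($domain.DomainMode); FGPP cannot be used."
}

# Requirement 1: list every domain controller's OS so older ones stand out.
Get-ADDomainController -Filter * |
    Select-Object Name, OperatingSystem |
    Format-Table -AutoSize

# Requirement 3: the policy is applied to a group, so the group must exist.
$group = Get-ADGroup -Identity $groupName

# Create the password settings object (values other than length are examples).
New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
    -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Link the policy to the group.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $group

# Verify: show the policy that actually applies to each direct user member.
Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName |
            Select-Object Name, MinPasswordLength, Precedence
    }
```

An account that returns nothing from the last step has no fine grained policy applied and still falls under the domain-wide password policy.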

There are alternatives to using the built-in Microsoft password policies in Group Policy or the fine grained password policy solution. These solutions require a third party installation, but they do not just replace what Microsoft provides; they also give you much more granular control over passwords. Every admin knows that basic password controls do not help with advanced password cracking technologies. So, solutions like Specops Password Policy give you control over what Microsoft does, plus:

  • Including a dictionary list of words that users can use
  • Forcing 4 out of 4 characters in the password
  • Going above the 14 character limit for a password
  • Creating custom rules for password formatting
  • Better communication with end user for when they are trying to input a complex password, telling them where they are close and how they need to configure the password to meet the requirements

Summary

Taking care of LAN Manager can go a long way. Consider the fact that if an attacker gains access to even a single admin level user, the entire network is compromised. Therefore, taking the precautions and making the configurations that I suggest in this article are essential. You need to cover both bases for LAN Manager: over the network interception and the storage of the LAN Manager hash in Active Directory and the local SAM on every desktop and server. Establishing a good, in-depth password policy is essential, which is why Microsoft gave you the ability to set up fine grained password policies. The ability for the company to have different password policies for a single Active Directory domain should immediately allow better security, more granular control, and an overall cost savings. All this, of course, saves you from having to purchase a third party solution in order to install multiple Active Directory domains. In the final installment of this series, I will cover some technologies that most admins are not even aware of!
