Fixlet Issue on W05: Windows Configuration Weaknesses - Disable LM Aut

(imported topic written by SmearODeer91)

On This fixlet, “W05: Windows Configuration Weaknesses - Disable LM Authentication Across the Network - Windows NT/2000/XP/2003 Clients”, the SANS referance and the Microsoft resources point to a Different answer then is presented in this Fixlet. The value presented in this fixlet is an Absolute value of “is not 3” when in reality if the value is “< 3” the fixlet appies as 3 4 and 5 values represent meeting/Good, more restrictive/Better and most/Best. I Have not gone through all the content in regards to security but will be based on this finding.

Hence: Is this an intentional setting or would it be in all users best interest to have it set to not be relevetent if any of the 3, 4, or 5 values are met? As 3 and above meet the recommendation for security.

(imported comment written by anne_young)

Hi SmearODeer,

Thanks for pointing this out. The value in the relevance check for LMCompatibility Level “is not 3” did in fact need to be changed.

As you suggested and based on the Microsoft KB article http://support.microsoft.com/kb/239869, an LMCompatibility value of 4 or 5 will also force the client to exclusively use NTLMv2 encryption. The “is not 3” has been modified to “< 3 AND > 5”, which excludes LMCompatibility levels 3, 4, and 5.

The Fixlet content in the SANS 2007 site has been modified accordingly and published.

Thanks,

Anne Young

Product Engineer

BigFix, Inc.