Set LAN Manager authentication level to ‘Send NTLMv2 response only. Refuse LM & NTLM’

Description
Determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers.
Potential risk
LM and NTLM (v1) responses are weak enough that an attacker who sniffs the authentication traffic on the network can recover the user's password from it far more easily than from an NTLMv2 response.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security\LAN Manager authentication level
To the following value: Send NTLMv2 response only. Refuse LM & NTLM
Option 2 – Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
To the following REG_DWORD value: 5
Disable ‘Installation and configuration of Network Bridge on your DNS domain network’

Description
Determines whether a user can install and configure the Network Bridge. The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segments together.
Potential risk
A Network Bridge can connect two or more network segments, allowing unauthorized access or exposure of sensitive data in another network segment.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit installation and configuration of Network Bridge on your DNS domain network
To the following value: Enabled
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA
To the following REG_DWORD value: 0
Disable IP source routing

Description
Determines whether the TCP/IP stack honours IP source routing, an option that lets the sender of a packet dictate the route the packet takes through the network instead of leaving that decision to the intermediate routers.
Potential risk
If source-routed packets are accepted, an attacker can craft packets that specify their own path and return path, which helps spoofed traffic reach the host and the replies reach the attacker while bypassing the routing and filtering the network would normally apply.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS\(DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
To the following value: Enabled\Highest protection, source routing is completely disabled
Option 2 – Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
To the following REG_DWORD value: 2
Enable ‘Microsoft network client: Digitally sign communications (always)’

Description
Determines whether packet signing is required by the SMB client component. If this is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing.
Potential risk
Unsigned traffic exposes you to man-in-the-middle attacks. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)
To the following value: Enabled
Option 2 – Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
To the following REG_DWORD value: 1
Enable ‘Require domain users to elevate when setting a network’s location’

Description
Determines whether to require domain users to elevate when setting a network’s location.
Potential risk
Selecting an incorrect network location (for example Private instead of Public) applies a less restrictive firewall profile and may expose more of the system to the network.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Require domain users to elevate when setting a network’s location
To the following value: Enabled
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_StdDomainUserSetLocation
To the following REG_DWORD value: 1
Prohibit use of Internet Connection Sharing on your DNS domain network

Description
Determines whether an existing internet connection, such as through wireless, can be shared and used by other systems essentially creating a mobile hotspot.
Potential risk
Sharing the connection turns the domain-joined host into a gateway for other devices, exposing the host, and the network behind it, to whoever connects, including parties with malicious intent.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network
To the following value: Enabled
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI
To the following REG_DWORD value: 0
Set IPv6 source routing to highest protection

Description
Determines whether IPv6 source routing is enabled.
Potential risk
IPv6 source routing (the Type 0 Routing Header, deprecated by RFC 5095) lets the sender dictate a packet's path. If it is honoured, an attacker can use it to spoof traffic and steer packets and replies around the network's normal routing and filtering. Setting the highest protection level disables source routing completely.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS\(DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
To the following value: Enabled\Highest protection, source routing is completely disabled
Option 2 – Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting
To the following REG_DWORD value: 2
Set ‘Remote Desktop security level’ to ‘TLS’

Description
Determines the method used by the server and client for authentication prior to a remote desktop connection being established.
Potential risk
If the negotiated security layer is weaker than TLS, the client cannot reliably verify the server's identity and the session is exposed to man-in-the-middle attacks, which could give an attacker credentials and remote access to the machine.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require use of specific security layer for remote (RDP) connections
To the following value: SSL (TLS 1.0) (the option label is historical; the TLS version actually negotiated is governed by the host's Schannel configuration)
Option 2 – Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer
To the following REG_DWORD value: 2
Disable ‘Network access: Let Everyone permissions apply to anonymous users’

Description
Determines whether anonymous network users have the same rights and permissions as the built-in 'Everyone' group.
This security control is only assessed for machines on Windows 10, version 1709 or later.
Potential risk
If not disabled, unauthorized users could anonymously access shared resources, list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks.
Remediation options
Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users
To the following value: Disabled
Disable ‘Store LAN Manager hash value on next password change’

Description
Controls whether or not a LAN Manager hash of the password is stored in the SAM the next time the password is changed.
Potential risk
The LAN Manager hash is computed from the upper-cased password split into two 7-character halves, each used as a DES key, so it is trivially recovered by brute force or rainbow tables, and several widely available tools use this hash to retrieve account passwords.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security\Do not store LAN Manager hash value on next password change
To the following value: Enabled
Option 2 – Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
To the following REG_DWORD value: 1
Disable sending unencrypted password to third-party SMB servers

Description
Determines whether the SMB redirector will send unencrypted (plain text) passwords when authenticating to third-party SMB servers that do not support password encryption.
Potential risk
Sending plain text passwords across the network when authenticating to an SMB server reduces the overall security of the environment and introduces a significant security risk: anyone who can observe the traffic obtains the password directly. Check with the vendor of the SMB server to see if there is a way to support encrypted password authentication.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers
To the following value: Disabled
Option 2 – Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
To the following REG_DWORD value: 0
Disable SMBv1 client driver

Description
Determines whether the SMBv1 client driver (mrxsmb10) is loaded. Disabling SMBv1 support may prevent access to file or print sharing resources on systems or devices that only support SMBv1.
Potential risk
SMBv1 is a legacy protocol: its message signing relies on MD5, which is vulnerable to collision attacks and is not FIPS compliant, and it lacks the protections added in later dialects such as encryption and pre-authentication integrity.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Configure SMB v1 client driver
To the following value: Enabled\Disable driver
Option 2 – Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb10\Start
To the following REG_DWORD value: 4
Disable SMBv1 server

Description
Determines whether the SMB server component accepts SMBv1 connections. Disabling SMBv1 support may prevent access to file or print sharing resources from systems or devices that only support SMBv1.
Potential risk
SMBv1 is a legacy protocol: its message signing relies on MD5, which is vulnerable to collision attacks and is not FIPS compliant, and it lacks the protections added in later dialects such as encryption and pre-authentication integrity.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Configure SMB v1 server
To the following value: Disabled
Option 2 – Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1
To the following REG_DWORD value: 0
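The registry values above (every "Option 2" from the LAN Manager authentication level control down to the SMBv1 server control) can be audited, and if required enforced, from a single script. The following PowerShell is an added example and not part of the original guidance: the paths, value names and expected values are exactly those listed on this page, while the -Fix switch and the control descriptions are this script's own conventions.

```powershell
# Added example (not part of the original guidance): audit the registry-backed
# controls on this page and report drift; with -Fix, write the expected values.
# Run in an elevated PowerShell session. Values under HKLM\SOFTWARE\Policies only
# exist once a policy (or this script) has written them, so an absent value is
# reported as "missing" and treated as non-compliant rather than as an error.
param([switch]$Fix)

# Registry path, value name, expected REG_DWORD, and the control it belongs to.
$Controls = @(
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name='LmCompatibilityLevel';        Expected=5; Control='LM authentication level: NTLMv2 only' },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections';        Name='NC_AllowNetBridge_NLA';       Expected=0; Control='Prohibit Network Bridge on domain network' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';             Name='DisableIPSourceRouting';      Expected=2; Control='IPv4 source routing disabled' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name='RequireSecuritySignature';    Expected=1; Control='SMB client: sign always' },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections';        Name='NC_StdDomainUserSetLocation'; Expected=1; Control='Elevate to set network location' },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections';        Name='NC_ShowSharedAccessUI';       Expected=0; Control='Prohibit ICS on domain network' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';            Name='DisableIPSourceRouting';      Expected=2; Control='IPv6 source routing disabled' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name='SecurityLayer';         Expected=2; Control='RDP security layer: TLS' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name='NoLMHash';                    Expected=1; Control='Do not store LM hash' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name='EnablePlainTextPassword';     Expected=0; Control='No plaintext password to 3rd-party SMB' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10';                     Name='Start';                       Expected=4; Control='SMBv1 client driver disabled' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name='SMB1';                        Expected=0; Control='SMBv1 server disabled' }
)

function Get-ControlValue {
    param($c)
    # Returns $null when the key or value is absent, otherwise the current DWORD.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.($c.Name)
}

$results = foreach ($c in $Controls) {
    $actual = Get-ControlValue $c
    $ok = ($null -ne $actual) -and ($actual -eq $c.Expected)
    if (-not $ok -and $Fix) {
        # Create the key if a policy has never populated it, then write the value.
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type DWord
        $actual = Get-ControlValue $c
        $ok = ($actual -eq $c.Expected)
    }
    $shown = if ($null -eq $actual) { 'missing' } else { $actual }
    [pscustomobject]@{
        Control   = $c.Control
        Value     = "$($c.Path)\$($c.Name)"
        Expected  = $c.Expected
        Actual    = $shown
        Compliant = $ok
    }
}

$results | Format-Table Control, Expected, Actual, Compliant -AutoSize
if ($results.Compliant -contains $false) {
    Write-Warning 'One or more controls are non-compliant (see table above).'
}
```

Two caveats when using the -Fix path. Values under HKLM\SOFTWARE\Policies are policy-managed: if a Group Policy that sets them differently applies to the host, the next policy refresh overwrites whatever this script wrote, so the Group Policy option is the durable fix on domain members. Setting the mrxsmb10 Start value to 4 takes effect after a reboot, and on older Windows versions the Microsoft guidance also removes mrxsmb10 from the LanmanWorkstation service's dependency list; test the LmCompatibilityLevel and SMBv1 changes against any legacy devices before enforcing them fleet-wide.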
Set user authentication for remote connections by using Network Level Authentication to ‘Enabled’

Description
Determines whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication.
Potential risk
Without Network Level Authentication, the RD Session Host builds a full session, including the logon screen, before the remote user has authenticated. An unauthenticated attacker can therefore consume server resources (denial of service) and attack the logon screen itself, for example by abusing the accessibility features exposed there. With NLA, user authentication completes before the remote desktop session is created, so the host commits fewer resources to unauthenticated clients and the logon screen is not reachable by them.
Remediation options
Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication
To the following value: Enabled
Enable ‘Network Protection’

Description
Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(S) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
This security control is only assessed for machines with Windows 10, version 1709 or later, and Windows Server 2019.
Potential risk
Not enabling Network Protection in block mode exposes your users and machines to phishing scams, as well as to internet delivered exploits and malicious content.
Remediation options
- Ensure that Microsoft Defender Antivirus with Real-Time Protection is enabled
- Ensure that Cloud-delivered protection is enabled
- Enable Network Protection in Block mode using either MEM (Windows 10 only), Group Policy or MDM
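The three remediation steps above, carried out locally with the Microsoft Defender PowerShell module. This is an added example and not part of the original guidance; the cmdlets and property names (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference) are the documented Defender cmdlets, and the event IDs used for the verification step are the ones Microsoft documents for Network Protection (1125 for audit, 1126 for block).

```powershell
# Added example (not part of the original guidance): check the prerequisites for
# Network Protection, enable it in block mode, and verify. Run elevated on a
# host with Microsoft Defender Antivirus active.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Step 1: Microsoft Defender Antivirus with real-time protection must be running.
if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
    throw 'Defender AV real-time protection is not enabled; Network Protection requires it.'
}

# Step 2: cloud-delivered protection (MAPS). 0 = Disabled, 1 = Basic, 2 = Advanced.
if ($pref.MAPSReporting -eq 0) {
    Set-MpPreference -MAPSReporting Advanced
}

# Step 3: Network Protection. 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
# AuditMode logs what would have been blocked without enforcing; use it first
# where the impact on business web traffic is unknown, then move to Enabled.
Set-MpPreference -EnableNetworkProtection Enabled

# Re-read the effective preference and report it in human-readable form.
$pref  = Get-MpPreference
$state = switch ($pref.EnableNetworkProtection) {
    0 { 'Disabled' }
    1 { 'Block' }
    2 { 'Audit' }
    default { "Unknown ($_)" }
}
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    MAPSReporting      = $pref.MAPSReporting
    NetworkProtection  = $state
}

# Verification: recent Network Protection events, if any. 1125 = audited,
# 1126 = blocked. Absence of events means nothing has triggered yet, not that
# the feature is off.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1125, 1126
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

On hosts managed through Group Policy, Intune (MEM) or another MDM, a conflicting managed setting overrides the local Set-MpPreference value at the next policy refresh, so use the management channel named in the remediation list for the durable change and treat this script as a way to check and stage the setting.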