PingSentry   |   Discord   |   System32   |   GitHub   |   Free tools

Passwords: Windows must be configured to prevent the storage of the LAN Manager hash of passwords

8fbc83d9-7409-41aa-bf3c-a2360a8d9749

The LAN Manager hash is relatively weak and prone to attacks compared to the cryptographically stronger NTLM hash. Because the LM hash is stored on the local device in the security database, the passwords can be compromised if the security database, Security Accounts Manager (SAM), is attacked.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change

Remediation

https://support.microsoft.com/en-us/help/299656/how-to-prevent-windows-from-storing-a-lan-manager-hash-of-your-passwor

Stig Desktop:
W11: https://www.stigviewer.com/stig/microsoft_windows_11/2024-06-10/finding/V-253461
W10: https://www.stigviewer.com/stig/microsoft_windows_10/2024-06-13/finding/V-220937 / https://www.stigviewer.com/stig/windows_10/2021-08-18/finding/V-220937

Server:
2022: https://www.stigviewer.com/stig/microsoft_windows_server_2022/2024-06-14/finding/V-254474
2019: https://www.stigviewer.com/stig/microsoft_windows_server_2019/2024-06-14/finding/V-205654 / https://www.stigviewer.com/stig/windows_server_2019/2020-06-15/finding/V-93467
2016: https://www.stigviewer.com/stig/microsoft_windows_server_2016/2024-02-21/finding/V-225053 / https://www.stigviewer.com/stig/windows_server_2016/2020-06-16/finding/V-73687

NIST 800-53 Rev2: IA-5(1)(c)
NIST 800-53 Rev3: IA-5(1)(c)
NIST 800-171 Rev2: 3.5.8, 3.5.9
NIST 800-171 Rev3: 03.05.07.a, 03.05.07.b, 03.05.07.c, 03.05.07.d, 03.05.07.e, 03.05.07.f, 03.05.12.a, 03.05.12.b, 03.05.12.c, 03.05.12.d, 03.05.12.e, 03.05.12.f
NIST 800-171A: 3.5.8[a], 3.5.8[b], 3.5.9
NIST 800-171A Rev3: A.03.05.12.ODP[01], A.03.05.12.ODP[02], A.03.05.12.a, A.03.05.12.b, A.03.05.12.c[01], A.03.05.12.c[02], A.03.05.12.c[03], A.03.05.12.c[04], A.03.05.12.c[05], A.03.05.12.c[06], A.03.05.12.d, A.03.05.12.e, A.03.05.12.f[01], A.03.05.12.f[02]
CAT: I
CCI: CCI-000196, CCI-004062
PCI DSS v3.2 8.1.2, 8.2, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6
PCI DSS v4: 8.2.4, 8.3, 8.3.1, 8.3.10.1, 8.3.11, 8.3.3, 8.3.5, 8.3.7, 8.3.9, 8.6.3
PCI DSS v4 SAQ A: 8.3.1, 8.3.5, 8.3.7, 8.3.9
PCI DSS v4 SAQ A-EP: 8.2.4, 8.3.1, 8.3.3, 8.3.5, 8.3.7, 8.3.9, 8.3.11, 8.6.3
Rule-ID: SV-253461r1016441_rule
STIG-ID: WN11-SO-000195
Vuln-ID: V-253461
CMMC v2 Level 1: AC.L1-3.1.1
CMMC v2 Level 2: IA.L2-3.5.8, IA.L2-3.5.9
CMMC V2 Level 3: IA.L2-3.5.8, IA.L2-3.5.9
CMMC V2.1 Level 1: IA.L1-b.1.vi
CMMC v2.1 Level 2: IA.L2-3.5.8, IA.L2-3.5.9
CMMC v2.1 Level 3: IA.L2-3.5.8, IA.L2-3.5.9



Tags

stig-high-server stig-high-desktop compliance-desktop compliance-server security-desktop security-server server desktop nist800-171-desktop nist800-171-server nist800-53-desktop nist800-53-server cmmc2-l1-desktop cmmc2-l1-server cmmc2-l2-desktop cmmc2-l2-server pci-dss-v3.2-desktop pci-dss-v3.2-server pci-dss-v4-desktop pci-dss-v4-server