
Check for weak authentication types (LM/NTLM)

Description: This query looks for machines using the weak authentication types LM/NTLM, which rely on weak encryption algorithms that are almost equivalent to sending passwords in plain text. NTLM is also old and vulnerable to relay attacks. Ensuring all devices only use NTLMv2 or higher and refuse LM/NTLM is absolutely necessary; anything below it is a critical security concern and should be remediated as soon as possible.
What The Data Shows: Provides the value of the LMCompatibilityLevel registry key on all devices; this value should always be 5.
 
EDIT: updated the query to only show devices whose LMCompatibilityLevel registry key value is not equal to 5, since we are only concerned about devices that allow LM/NTLM.
SQL:

SELECT
    CASE COUNT(*)
        WHEN 0 THEN "FALSE"
        ELSE "TRUE"
    END "NTLMv2 Only Enabled"
FROM registry
WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LMCompatibilityLevel'
    AND data != 5;
jnelson
Carbon Black Employee
Status changed to: Under Review

@mjomha according to https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960646(v=tec... the name of the key is LMCompatibilityLevel. Additionally, the key is not there by default so this query would return a false negative if it is not present. Would you consider the following to give a definite answer whether the key is there or not:

SELECT
    CASE COUNT(*)
        WHEN 0 THEN "FALSE"
        ELSE "TRUE"
    END "NTLMv2 Only Enabled"
FROM registry
WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LMCompatibilityLevel'
    AND data != 5;
mjomha
Contributor

@jnelson

Thanks for noticing, I should avoid playing with queries late at night 🙂.

You are correct, I missed the full regkey value in my query. I based this query on our environment. We use Microsoft's GPO security baseline with some of our hardened policies, so I was taking into consideration that other organizations running this query would be using it or something similar (CIS, NIST, etc. baselines), which of course have this reg key and value in their baseline. If organizations do not have this reg key set to 5 it would fire off on all devices, which is an easy remediation (new GPO applied to all devices on a domain). My aim was to determine if some machines were not applying the policy, in which case a sysadmin/security analyst could check the machines in question and troubleshoot why the policy isn't being applied to them. I have a habit of always using baselines so I was under the assumption that the regkey existed already, as I have yet to see a machine without one (must be a good thing 🙂).

But your modification does make a lot of sense, appreciate the help!

Updated the query. Thanks!!

jnelson
Carbon Black Employee
Status changed to: Approved

Thanks for the great explanation!

jnelson
Carbon Black Employee

@mjomha I was playing around with this query and wanted to make the response a little more definitive. Here is what I came up with:

select
  -- only level 5 refuses both LM and NTLM; an absent key (count(*) = 0)
  -- means the Windows default applies, so it is reported as not enabled
  case
    when data = '5' then 'TRUE'
    when count(*) = 0 then 'FALSE'
    else 'FALSE'
  end 'NTLMv2 Only Enabled',
  -- human-readable meaning of the LMCompatibilityLevel value found
  case
    when data = '0' then 'Send LM & NTLM responses ONLY'
    when data = '1' then 'Send LM & NTLM – use NTLMv2 session security if negotiated'
    when data = '2' then 'Send NTLM response only'
    when data = '3' then 'Send NTLMv2 response only. LM, NTLM, and NTLMv2 authentication still accepted'
    when data = '4' then 'Send NTLMv2 response only. Refuse LM'
    when count(*) = 0 then 'Registry key does not exist'
    else 'N/A'
  end 'details'
from registry
where path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel';
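To make the missing-key case concrete, here is an added example (not from the thread, and not Carbon Black's or osquery's own code) that replays both query shapes from this thread, the original COUNT-based check and jnelson's revised one, against constructed per-host snapshots of the osquery registry table in SQLite. The host names, the three snapshots and the level-5 description line are assumptions made for this example; the path is assumed to be stored with single backslashes, as the osquery registry table reports it, and is passed as a bound parameter so no string escaping is involved. The point it shows: the first query returns the same answer for a host that is compliant and for a host where the policy never applied, while the revised query separates the two.

```python
import sqlite3

# Registry value path the thread checks. osquery reports registry paths with
# single backslashes (assumed here), so a raw string is used and the path is
# bound as a parameter rather than embedded in the SQL text.
LM_PATH = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel"

# Constructed per-host snapshots of the rows osquery would return for this key.
# Tuple order mirrors the registry table subset used below: (path, name, type, data).
# REG_DWORD values are reported as decimal strings, hence '5' rather than 5.
HOSTS = {
    "host-compliant": [(LM_PATH, "LMCompatibilityLevel", "REG_DWORD", "5")],
    "host-weak":      [(LM_PATH, "LMCompatibilityLevel", "REG_DWORD", "2")],
    "host-missing":   [],  # policy never applied: key absent, Windows default rules
}

# The thread's first query: counts values other than 5. With the key absent the
# count is also 0, so an unmanaged host looks exactly like a compliant one.
ORIGINAL_QUERY = """
select
  case count(*)
    when 0 then 'FALSE'
    else 'TRUE'
  end as ntlmv2_only_enabled
from registry
where path = ?
  and data != 5;
"""

# jnelson's revised shape: an aggregate over the key's rows, so exactly one row
# comes back per host and count(*) = 0 names the missing-key case explicitly.
# The level-5 description is added in this example; the thread's query reports N/A.
REVISED_QUERY = """
select
  case
    when data = '5' then 'TRUE'
    else 'FALSE'
  end as ntlmv2_only_enabled,
  case
    when data = '0' then 'Send LM & NTLM responses ONLY'
    when data = '1' then 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    when data = '2' then 'Send NTLM response only'
    when data = '3' then 'Send NTLMv2 response only. LM, NTLM, and NTLMv2 authentication still accepted'
    when data = '4' then 'Send NTLMv2 response only. Refuse LM'
    when data = '5' then 'Send NTLMv2 response only. Refuse LM & NTLM'
    when count(*) = 0 then 'Registry key does not exist'
    else 'N/A'
  end as details
from registry
where path = ?;
"""


def _snapshot(rows):
    """Build an in-memory stand-in for one host's osquery `registry` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table registry (path text, name text, type text, data text)")
    conn.executemany("insert into registry values (?, ?, ?, ?)", rows)
    return conn


def original_check(rows):
    """Run the thread's first query against one host; returns 'TRUE' or 'FALSE'."""
    conn = _snapshot(rows)
    (flag,) = conn.execute(ORIGINAL_QUERY, (LM_PATH,)).fetchone()
    conn.close()
    return flag


def revised_check(rows):
    """Run the revised query against one host; returns (enabled_flag, details)."""
    conn = _snapshot(rows)
    result = conn.execute(REVISED_QUERY, (LM_PATH,)).fetchone()
    conn.close()
    return result


def audit(hosts):
    """Evaluate every host and return only those not enforcing NTLMv2-only, with details."""
    results = {name: revised_check(rows) for name, rows in hosts.items()}
    return {name: r for name, r in results.items() if r[0] != "TRUE"}


if __name__ == "__main__":
    for name, rows in HOSTS.items():
        print(f"{name:15} original={original_check(rows):5} revised={revised_check(rows)}")
    print("needs attention:", audit(HOSTS))
```

Running it shows "host-compliant" and "host-missing" both reported as FALSE by the original query, while the revised query flags only the weak and missing hosts and says why, which is the signal a sysadmin needs to tell "policy applied" from "policy never reached this machine".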