
I must just be missing something simple, but I can't for the life of me figure out why a site is failing a PCI scan. It's specifically failing for "Account Brute Force Possible Through IIS NTLM Authentication Scheme."

I've searched the web and come up flat. The one thing I did find was here: https://sites.google.com/site/pcidssadventures/remediation/86693

That said to ensure the Local Policy "Do not store LAN Manager hash value on next password change" was set to "enable." Which it already was.

I've confirmed both via the interface AND the apphostconfig that WindowsAuthentication is DISABLED, but the scan still fails and it clearly fails for a valid reason - it comes back with an NTLM error code.

My only assumption is that somehow IIS still responds to an NTLM attempt even if NTLM is turned OFF. Anyone know how I can prevent this from occurring? Anyone?

Thanks in advance.

doulos2k

1 Answer


I found below solutions which helped me to resolve the issue:

  • One solution is disabling the NTLM authentication for your Web server. This can be done by unchecking the Integrated Windows Authentication.

  • An alternate solution is to ensure an account lockout policy is in place. Be sure to check it before ensuring it.

  • IIS7 Fix:

In local or group policy editor, navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options - Enable: Network security: Do not store LAN Manager hash value on next password change.

This fix can easily be applied through group policy if the machine(s) in question are on a domain.
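The three remediation points above can be verified from the server itself before re-running the scan. The following PowerShell script is an added example, not part of the answer; it assumes an elevated session on the IIS host with the WebAdministration module available, and the site names it reports come from whatever IIS has configured.

```powershell
# Added example: audit the settings the answer lists for the
# "Account Brute Force Possible Through IIS NTLM Authentication Scheme" finding.
# Assumes an elevated PowerShell session on the IIS server (IIS 7+).
Import-Module WebAdministration

$filter = 'system.webServer/security/authentication/windowsAuthentication'

# Helper: Get-WebConfigurationProperty returns either a raw bool or a
# ConfigurationAttribute depending on IIS version; normalise to a bool.
function Get-WinAuthEnabled([string]$PSPath) {
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name enabled
    if ($v -is [bool]) { return $v } else { return [bool]$v.Value }
}

# 1. Windows Authentication (NTLM/Negotiate) at the server root and per site.
#    The question notes apphost config already shows it disabled; a site-level
#    override or a second site bound to the scanned IP would still answer NTLM.
Write-Host "Server root Windows Authentication enabled: $(Get-WinAuthEnabled 'IIS:\')"
Get-Website | ForEach-Object {
    $enabled = Get-WinAuthEnabled "IIS:\Sites\$($_.Name)"
    $bindings = ($_.bindings.Collection | ForEach-Object { $_.bindingInformation }) -join ', '
    Write-Host ("Site '{0}' [{1}]: WindowsAuthentication enabled = {2}" -f $_.Name, $bindings, $enabled)
}

# 2. Account lockout policy (the answer's alternate mitigation).
#    'net accounts' prints "Lockout threshold: Never" when no lockout is set.
$lockoutLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
if ($lockoutLine -match 'Never') {
    Write-Host 'Account lockout: NOT configured (threshold = Never)'
} else {
    Write-Host "Account lockout: $lockoutLine"
}

# 3. "Do not store LAN Manager hash value on next password change"
#    maps to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash = 1.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$noLmHash = if ($null -ne $lsa.NoLMHash) { $lsa.NoLMHash } else { 0 }
Write-Host "NoLMHash registry value: $noLmHash (1 = policy enabled)"
```

Any site reporting WindowsAuthentication enabled = True, or a lockout threshold of "Never", is a setting the scanner can still trigger on even when the server-level authentication module looks disabled.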