1.4 Ensure that the underlying Internet Information Services (IIS) Authentication module is set to use Kerberos as its Auth Provider

Information

The Kerberos protocol is more secure than NTLM and is based on ticketing. In this scheme, a user provides a valid user name and password to an authentication server, which then grants the user a ticket. The ticket can be used on the network to request network resources.

Rationale:
The NTLM protocol has a number of vulnerabilities where a malicious attacker can use a pass-the-hash attack to gain access to user credentials. The Kerberos protocol is a more secure, ticket-based protocol and is recommended.

Solution

Navigate to the Inetpub\Adminscripts folder in a Command Prompt window on the server that is running IIS:
1. Enter the command cd Drive:\inetpub\adminscripts in the Command Prompt window.
Note: In this command, Drive is the drive where Microsoft Windows is installed.
2. Enter the command cscript adsutil.vbs get w3svc/##/root/NTAuthenticationProviders in the Command Prompt window to display the current value.
Note: In this command, ## is the virtual server ID number. The virtual server ID number of the Default Web Site in IIS is 1.
3. Enter the command cscript adsutil.vbs set w3svc/##/root/NTAuthenticationProviders Negotiate,NTLM in the Command Prompt window.
Note: In this command, ## is the virtual server ID number.
4. Enter the command iisreset in the Command Prompt window to restart IIS.
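An audit helper for the procedure above, added here as an example and not part of the CIS benchmark or Tenable's audit; it assumes adsutil.vbs is at %SystemDrive%\inetpub\adminscripts and that the get output prints the value in double quotes (for example, NTAuthenticationProviders : (STRING) "Negotiate,NTLM").

```powershell
# Added example (not from the CIS/Tenable page): report whether each IIS site's
# NTAuthenticationProviders value lists Negotiate (Kerberos) first.
# Assumption: adsutil.vbs lives under %SystemDrive%\inetpub\adminscripts and its
# "get" output contains the value in double quotes on the property's line.
$adminScripts = Join-Path $env:SystemDrive 'inetpub\adminscripts'
$adsutil      = Join-Path $adminScripts 'adsutil.vbs'
$expected     = 'Negotiate,NTLM'

function Get-NTAuthProviders {
    param([int]$SiteId)
    # Same query the benchmark step 2 describes; //nologo drops the cscript banner.
    $output = & cscript //nologo $adsutil get "w3svc/$SiteId/root/NTAuthenticationProviders" 2>&1
    $line = $output | Where-Object { "$_" -match 'NTAuthenticationProviders' } | Select-Object -First 1
    if ($line -and ("$line" -match '"([^"]*)"')) { return $Matches[1] }
    return $null   # property not set at this node, or the site ID does not exist
}

function Test-NTAuthProviders {
    param([string]$Value)
    # Order matters: IIS offers providers in the listed order, so Negotiate must be
    # first for Kerberos to be preferred; NTLM stays as the fallback the benchmark allows.
    if ([string]::IsNullOrWhiteSpace($Value)) { return $false }
    $providers = $Value -split ',' | ForEach-Object { $_.Trim() }
    return ($providers[0] -eq 'Negotiate')
}

# Audit every site ID passed on the command line; default is 1 (the Default Web Site).
$siteIds = if ($args.Count -gt 0) { $args } else { @(1) }
foreach ($id in $siteIds) {
    $value   = Get-NTAuthProviders -SiteId $id
    $status  = if (Test-NTAuthProviders $value) { 'PASS' } else { 'FAIL' }
    $display = if ($null -eq $value) { '<not set>' } else { $value }
    '{0} w3svc/{1}: NTAuthenticationProviders = {2} (expected {3})' -f $status, $id, $display, $expected
}
```

Run it from an elevated PowerShell prompt on the IIS server, passing additional site IDs as arguments to cover every virtual server, then apply step 3 and step 4 of the solution to any site reported as FAIL.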
Impact:
A malicious attacker could exploit vulnerabilities in the older NTLM protocol and gain access to user and administrative credentials.
Default Value:
NTLM

See Also

https://workbench.cisecurity.org/files/2031

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13, CSCv6|16.9

Plugin: Windows

Control ID: 5b8cc5db967248a839e6141bd0e86bf117ef0e710ffcb38cf3fad28680c63a8b