Solved

Is it possible to create an exception for an IP address, or a server, in Group Policy NTLM security settings?

Posted on 2011-02-18
6
Medium Priority
751 Views
Last Modified: 2012-05-11
If possible, we need to make an exception for a specific server, from the Group Policy, NTLM security settings. The Group Policy is configured as follows:

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients > Enabled
Require NTLMv2 session security > Enabled
Require 128-bit encryption > Enabled

------------

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers > Enabled
Require NTLMv2 session security > Enabled
Require 128-bit encryption > Enabled

From what I could see, there isn't any option of making such an exception from the Group Policy editor GUI. But perhaps I am missing something, or there might be a way of doing this with some kind of a script...?
Question by:andre_st
6 Comments
 
LVL 5

Expert Comment

by:NotVeryFat
ID: 34924674
You could try creating a WMI filter, adding the following line, and then applying to the appropriate Group Policy:

SELECT * FROM Win32_ComputerSystem WHERE Name <> 'ServerName'

This should mean that the Group Policy would apply to all except this server.
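As an added example (not code from the thread), the following PowerShell evaluates the WQL query above the same way the Group Policy engine does: the GPO applies on a computer only if the query returns at least one instance there. Running it against a few computers shows which ones the filter excludes. The computer names 'SRV-APP01', 'DC01' and 'WS-001' are placeholders, and the function name Test-GpoWmiFilter is my own.

```powershell
# Added example (not from the thread): evaluate a GPO WMI filter's WQL query
# against one or more computers to confirm which of them the filter excludes.
# Group Policy applies a GPO only when the query returns at least one row on
# the computer processing the policy, so an empty result means "filtered out".
# Assumed names: 'SRV-APP01', 'DC01' and 'WS-001' are placeholders.

function Test-GpoWmiFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Namespace = 'root\CIMv2'
    )
    $cimParams = @{ Query = $Query; Namespace = $Namespace; ErrorAction = 'Stop' }
    if ($ComputerName -ne $env:COMPUTERNAME) { $cimParams.ComputerName = $ComputerName }

    # Same semantics as the Group Policy engine: any returned instance = filter passes.
    $rows = @(Get-CimInstance @cimParams)
    [pscustomobject]@{
        ComputerName = $ComputerName
        GpoApplies   = ($rows.Count -gt 0)
        Query        = $Query
    }
}

# The filter suggested above. Win32_ComputerSystem.Name is the NetBIOS computer
# name, so compare against that, not an FQDN or an IP address.
$exemptServer = 'SRV-APP01'   # placeholder
$wql = "SELECT * FROM Win32_ComputerSystem WHERE Name <> '$exemptServer'"

'SRV-APP01', 'DC01', 'WS-001' |
    ForEach-Object { Test-GpoWmiFilter -Query $wql -ComputerName $_ } |
    Format-Table -AutoSize
```

Expect GpoApplies to be False only for the exempted server. Note that the decision is all-or-nothing per computer: the filter controls whether the whole GPO (both NTLM settings) is applied on the machine that evaluates it, not which peers that machine will talk to.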
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34924678
Try Group Policy Security Filtering: add that server's computer account there and set "Deny" on Read/Apply Group Policy for it. Instead of adding a single server to the GPO security filtering, you can create a special group, add the group there, and place this server into that group.

More about GPO Security Filtering at this article
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html

Regards,
Krzysztof
 

Author Comment

by:andre_st
ID: 34924976
I see now that I was a bit imprecise in my question... sorry about that.

The problem is that I want a DC server to make an exception in its loaded Group Policy settings, so that it won't require 128-bit encrypted communication from a specific server in the network.

If I use a security or WMI filter to target the DC server, that would just mean that it won't require 128-bit encryption regardless of which client computer it is communicating with. And that is not the intention. I just need the DC to make an explicit exception for a specific server, and still maintain the security settings for all other servers/clients.
 
LVL 51

Accepted Solution

by: Netman66 (earned 2000 total points)
ID: 34925930
Hello again!

I understand exactly what you're asking.

There isn't a method (currently) to allow you to do this.  As has been stated already, you can prevent this policy from applying to this server, however it does exactly what you already know - turns off the 128-bit requirement altogether.

You pose an interesting question, and one I am going to bring up at the Microsoft MVP Summit in two weeks.

I suspect their response to be more of a question of whether adding a "middleman" or server in the middle would be viable.  There are other scenarios where two servers cannot communicate directly but can be configured to communicate through a third server and I'm wondering if we could somehow make this work for you too.

Exactly what type of traffic is being prevented by this 128 bit requirement?  If you know the protocol and ports, that may be of value when trying to provide you with a workaround.

Let us know.
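To verify what the two GPO settings from the question actually enforce on a given machine, here is an added PowerShell example (not from the thread or the answer). It reads the NtlmMinClientSec and NtlmMinServerSec values that the "clients" and "servers" policies write under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 and decodes the two flags the question mentions. The computer names 'DC01' and 'SRV-APP01' are placeholders and the function name Get-NtlmMinSessionSecurity is my own.

```powershell
# Added example (not from the thread): read the NTLM minimum session security
# values that the two GPO settings in the question write, and decode the flags,
# so you can see which side of a connection is enforcing 128-bit encryption.
# "Minimum session security for NTLM SSP based ... clients" writes NtlmMinClientSec;
# the "... servers" setting writes NtlmMinServerSec. Both live under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.

$NtlmSecFlags = [ordered]@{
    RequireNtlmv2SessionSecurity = 0x00080000   # "Require NTLMv2 session security"
    Require128BitEncryption      = 0x20000000   # "Require 128-bit encryption"
}

function Get-NtlmMinSessionSecurity {
    [CmdletBinding()]
    param([string]$ComputerName)

    $reader = {
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
        $props = Get-ItemProperty -Path $key -ErrorAction Stop
        # A missing value casts to 0, i.e. nothing is required on that side.
        [pscustomobject]@{
            NtlmMinClientSec = [int64]($props.NtlmMinClientSec)
            NtlmMinServerSec = [int64]($props.NtlmMinServerSec)
        }
    }
    $raw = if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $reader
    } else {
        & $reader
    }
    $target = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }

    foreach ($side in 'NtlmMinClientSec', 'NtlmMinServerSec') {
        $value = $raw.$side
        [pscustomobject]@{
            ComputerName                 = $target
            ValueName                    = $side
            RawValue                     = ('0x{0:X8}' -f $value)
            RequireNtlmv2SessionSecurity = [bool]($value -band $NtlmSecFlags.RequireNtlmv2SessionSecurity)
            Require128BitEncryption      = [bool]($value -band $NtlmSecFlags.Require128BitEncryption)
        }
    }
}

# Check the DC and the application server that cannot negotiate 128-bit (placeholder names).
Get-NtlmMinSessionSecurity -ComputerName 'DC01'      | Format-Table -AutoSize
Get-NtlmMinSessionSecurity -ComputerName 'SRV-APP01' | Format-Table -AutoSize
```

With both policies enabled as in the question, each value reads 0x20080000 and both flags show True. The DC's NtlmMinServerSec is a single per-machine value: every NTLM client that does not negotiate 128-bit session security is refused, with no per-peer override, which is the limitation described in the accepted answer. The output also tells you whether the application server's own client-side value is part of the failure.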
 

Author Comment

by:andre_st
ID: 34959326
Thanks for your reply.

Regarding:

"There are other scenarios where two servers cannot communicate directly but can be configured to communicate through a third server and I'm wondering if we could somehow make this work for you too."

I'm afraid this option will not be acceptable from our clients' point of view.

We have developed an application that works as a central application server software (contains the user database and other specific user data) that works in conjunction with some of our other client software. To make it easier for the users to log in to these client applications, we have implemented a "Single Sign On" function that lets the application server authenticate the user against the AD Domain Controller. So from the users' perspective, they never need to log in to these programs, as it is enough to have been authenticated during the Windows domain login.

During the authentication, the application server communicates with the client computer and the AD Domain Controller over the HTTPS/SSL protocol. So even if the application server software in itself is a "middle man", it should be quite safe. But this application does not support 128-bit encryption, and there lies the current problem...

Those customers that have their NTLM Group Policy set to 128-bit encryption can't get the Single Sign On function to work.

As the Application Server uses HTTPS/SSL, I would regard it as rather safe if one could configure the Group Policy to make an explicit exception for a specific IP address, or a server.
 
LVL 51

Expert Comment

by:Netman66
ID: 34964602
Since your app is taking Windows Integrated Authentication, the OS is doing the hard part in securing the comms between AD and itself, so it should only be a matter of leveraging the OS calls using a shim or making the determination based on the local access token presented by the client.  Since the client is already authenticated to that application server (if it uses a share) then the only processing it needs can be localized and not have to go to the DC - basically circumventing the need for a 128-bit call.

Just thinking out loud.