Solved

Is it possible to create an exception for an IP address, or a server, in Group Policy NTLM security settings?

Posted on 2011-02-18
6
745 Views
Last Modified: 2012-05-11
If possible, we need to make an exception for a specific server in the Group Policy NTLM security settings. The Group Policy is configured as follows:

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients > Enabled
Require NTLMv2 session security > Enabled
Require 128-bit encryption > Enabled

------------

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers > Enabled
Require NTLMv2 session security > Enabled
Require 128-bit encryption > Enabled

From what I could see, there isn't any option for making such an exception in the Group Policy editor GUI. But perhaps I am missing something, or there might be a way of doing this with some kind of script...?
0
Comment
Question by:andre_st
6 Comments
 
LVL 5

Expert Comment

by:NotVeryFat
ID: 34924674
You could try creating a WMI filter, adding the following line, and then applying to the appropriate Group Policy:

SELECT * FROM Win32_ComputerSystem WHERE Name <> 'ServerName'

This should mean that the Group Policy would apply to all except this server.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34924678
Try Group Policy Security Filtering: add that server account there and set Deny on Read/Apply Group Policy. Instead of adding a single server to that GPO's security filtering, you can create a special group, add it there and place this server into this group.

More about GPO Security Filtering at this article
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html

Regards,
Krzysztof
0
 

Author Comment

by:andre_st
ID: 34924976
I see now that I was a bit imprecise in my question...sorry about that.

The problem is that I want a DC server to make an exception in its loaded Group Policy settings, so that it won't require 128-bit encrypted communication from a specific server in the network.

If I use a security or WMI filter to target the DC server, that would just mean that it won't require 128-bit encryption regardless of which computer client it is communicating with. And that is not the intention. I just need the DC to make an explicit exception when it comes to a specific server, and still maintain the security settings when it comes to all other servers/clients.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 34925930
Hello again!

I understand exactly what you're asking.

There isn't a method (currently) to allow you to do this.  As has been stated already, you can prevent this policy from applying to this server, however it does exactly what you already know - turns off the 128-bit requirement altogether.

You pose an interesting question, and one I am going to bring up at the Microsoft MVP Summit in two weeks.

I suspect their response to be more of a question of whether adding a "middleman" or server in the middle would be viable.  There are other scenarios where two servers cannot communicate directly but can be configured to communicate through a third server and I'm wondering if we could somehow make this work for you too.

Exactly what type of traffic is being prevented by this 128 bit requirement?  If you know the protocol and ports, that may be of value when trying to provide you with a workaround.

Let us know.
0
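As an added example (not from the original thread) of why a per-peer exception is not available: the two policies named in the question each write one host-wide bitmask to the LSA registry key, and the script below decodes those values on the local machine so an admin can confirm what a DC or member server actually enforces after Group Policy has applied. The bit values 0x00080000 (Require NTLMv2 session security) and 0x20000000 (Require 128-bit encryption) are the documented ones; the value names and key path are as Windows uses them, and an absent value is reported as not configured.

```powershell
# Added example, not from the original thread. Decodes the per-host registry values
# behind "Network security: Minimum session security for NTLM SSP based (including
# secure RPC) clients / servers". Each is a single DWORD bitmask for the whole host;
# there is no field in it that could scope the requirement to one peer.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$flagNames = [ordered]@{
    0x00080000 = 'Require NTLMv2 session security'
    0x20000000 = 'Require 128-bit encryption'
}

function Get-NtlmMinSec {
    param([ValidateSet('NtlmMinClientSec','NtlmMinServerSec')][string]$Name)
    $item  = Get-ItemProperty -Path $lsaPath -Name $Name -ErrorAction SilentlyContinue
    $value = if ($item) { [uint32]$item.$Name } else { 0 }   # absent = not configured
    $set   = foreach ($bit in $flagNames.Keys) { if ($value -band $bit) { $flagNames[$bit] } }
    [pscustomobject]@{
        Setting        = $Name
        Configured     = [bool]$item
        RawValue       = ('0x{0:X8}' -f $value)
        EnabledOptions = ($set -join '; ')
        Require128Bit  = [bool]($value -band 0x20000000)
    }
}

# $true only when both the client and the server policy require NTLMv2 session
# security and 128-bit encryption, i.e. the configuration described in the question.
function Test-NtlmStrictBaseline {
    $both = 0x00080000 -bor 0x20000000
    foreach ($n in 'NtlmMinClientSec','NtlmMinServerSec') {
        $item = Get-ItemProperty -Path $lsaPath -Name $n -ErrorAction SilentlyContinue
        if (-not $item -or ((([uint32]$item.$n) -band $both) -ne $both)) { return $false }
    }
    return $true
}

'NtlmMinClientSec','NtlmMinServerSec' | ForEach-Object { Get-NtlmMinSec -Name $_ } | Format-Table -AutoSize
"Strict NTLMv2 + 128-bit baseline enforced on $($env:COMPUTERNAME): $(Test-NtlmStrictBaseline)"
```

Run it on the DC and on the application server; if the baseline is enforced on either side, the only settings-level options are the host-wide ones the thread already names (security or WMI filtering), which relax the requirement for every peer of that host.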
 

Author Comment

by:andre_st
ID: 34959326
Thanks for your reply.

Regarding:

"There are other scenarios where two servers cannot communicate directly but can be configured to communicate through a third server and I'm wondering if we could somehow make this work for you too."

I'm afraid this option will not be acceptable from our client's point of view.

We have developed an application that works as a central application server software (contains a user database and other specific user data) that works in conjunction with some of our other client software. To make it easier for the users to log in to these client applications, we have implemented a "Single Sign On" function that lets the application server authenticate the user from the AD Domain Controller. So from the users' perspective, they never need to log in to these programs, as it is enough to have been authenticated during the Windows domain login.

During the authentication, the application server communicates with the computer client and the AD Domain Controller with the https/ssl protocol. So even if the application server software in itself is a "middle man", it should be quite safe. But this application does not support 128-bit encryption, and there lies the current problem...

Those customers that have their NTLM Group Policy set to 128-bit encryption can't get the Single Sign On function to work.

As the Application Server uses https/ssl, I would regard it as rather safe if one could configure the Group Policy to make an explicit exception for a specific IP address, or a server.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34964602
Since your app is taking Windows Integrated Authentication, the OS is doing the hard part in securing the comms between AD and itself, so it should only be a matter of leveraging the OS calls using a shim or making the determination based on the local access token presented by the client.  Since the client is already authenticated to that application server (if it uses a share) then the only processing it needs can be localized and not have to go to the DC - basically circumventing the need for a 128-bit call.

Just thinking out loud.
0