Solved

Is it possible to create an exception for an IP address, or a server, in Group Policy NTLM security settings?

Posted on 2011-02-18
6
750 Views
Last Modified: 2012-05-11
If possible, we need to make an exception for a specific server, from the Group Policy, NTLM security settings. The Group Policy is configured as follows:

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients > Enabled
Require NTLMv2 session security > Enabled
Require 128-bit encryption > Enabled

------------

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers > Enabled
Require NTLMv2 session security > Enabled
Require 128-bit encryption > Enabled

From what I could see, there isn't any option of making such an exception from the Group Policy editor GUI. But perhaps I am missing something, or there might be a way of doing this with some kind of script...?
0
Comment
Question by:andre_st
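The two policy settings quoted in the question are stored as bit flags in the registry, which is the easiest place to verify what a given machine is actually enforcing. The PowerShell below is an added example, not code from the question or from any answer in this thread; it reads the MSV1_0 values that back the client and server policies and decodes the two check boxes. The registry path and the flag values (NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000 for "Require NTLMv2 session security", NTLMSSP_NEGOTIATE_128 = 0x20000000 for "Require 128-bit encryption") are Microsoft-documented; the function names are mine.

```powershell
# Added example: decode the "Minimum session security for NTLM SSP based ... clients/servers"
# policies from their registry representation. Function names are assumptions, not a Microsoft API.

$MsvPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# NTLMSSP negotiate flags that the two policy check boxes map to.
$NtlmMinSecFlags = [ordered]@{
    'Require NTLMv2 session security' = 0x00080000   # NTLMSSP_NEGOTIATE_NTLM2 (extended session security)
    'Require 128-bit encryption'      = 0x20000000   # NTLMSSP_NEGOTIATE_128
}

function ConvertFrom-NtlmMinSec {
    # Decode a raw NTLMMinClientSec / NTLMMinServerSec DWORD into the policy check boxes.
    # Lets you reason about a value seen in a GPO report without touching the registry.
    param([Parameter(Mandatory)][int64]$Value)

    $decoded = [ordered]@{ RawValue = ('0x{0:X8}' -f $Value) }
    foreach ($flag in $NtlmMinSecFlags.GetEnumerator()) {
        $decoded[$flag.Key] = (($Value -band $flag.Value) -ne 0)
    }
    [pscustomobject]$decoded
}

function Get-NtlmMinSessionSecurity {
    # Read both values from the local machine. A missing value means the policy is
    # "Not Defined" and the operating system's built-in default applies.
    $props = Get-ItemProperty -Path $MsvPath -ErrorAction SilentlyContinue

    foreach ($name in 'NTLMMinClientSec', 'NTLMMinServerSec') {
        $raw = if ($null -ne $props) { $props.$name } else { $null }
        $role = if ($name -like '*Client*') { 'clients (NTLM this host initiates)' }
                else                         { 'servers (NTLM this host accepts)' }

        if ($null -eq $raw) {
            [pscustomobject]@{ Setting = $name; Role = $role; RawValue = 'not set (OS default applies)' }
        } else {
            $decoded = ConvertFrom-NtlmMinSec -Value $raw
            $decoded | Add-Member -NotePropertyName Setting -NotePropertyValue $name
            $decoded | Add-Member -NotePropertyName Role    -NotePropertyValue $role
            $decoded
        }
    }
}

# Both boxes ticked, as in the question's GPO, is 0x20080000:
ConvertFrom-NtlmMinSec -Value 0x20080000 | Format-List

# What this host enforces right now:
Get-NtlmMinSessionSecurity | Format-List
```

Run it on the DC to confirm that NTLMMinServerSec carries the 128-bit flag (that is the side that rejects the application server in this thread), and on the application server to see what its own client-side minimum is. Both values are a single DWORD per role, which is also why there is no per-peer exception: the flag is evaluated against every NTLM negotiation the host takes part in.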
6 Comments
 
LVL 5

Expert Comment

by:NotVeryFat
ID: 34924674
You could try creating a WMI filter, adding the following line, and then applying to the appropriate Group Policy:

SELECT * FROM Win32_ComputerSystem WHERE Name <> 'ServerName'

This should mean that the Group Policy would apply to all except this server.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34924678
Try Group Policy Security Filtering: add that server account there and set Deny on Read/Apply for this policy. Instead of adding a single server to that GPO's security filtering, you can create a special group, add it there, and place this server into this group.

More about GPO Security Filtering in this article:
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html

Regards,
Krzysztof
0
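The two comments above propose a WMI filter and security filtering as ways to keep the GPO off one server. The PowerShell below is an added example (not code from either commenter) for checking, on that server and from a management host, whether each mechanism actually takes effect. It assumes the GroupPolicy and ActiveDirectory RSAT modules are present; the GPO name "NTLM Hardening" and the group name "GPO-NTLM-Exempt" are placeholders, and the function name is mine.

```powershell
# Added example: verify the WMI-filter and security-filtering exclusions suggested in this thread.
# $GpoName and $ExemptGroup are placeholders; substitute your own GPO and group.

$ServerName  = $env:COMPUTERNAME    # the host that should be excluded from the GPO
$GpoName     = 'NTLM Hardening'     # placeholder
$ExemptGroup = 'GPO-NTLM-Exempt'    # placeholder

# 1. WMI filter. A filter evaluates to "true" when its query returns at least one instance
#    on the computer processing the GPO, so running the same WQL locally shows what the
#    Group Policy engine will see. Win32_ComputerSystem.Name is the NetBIOS name.
function Test-WmiFilterApplies {
    param([Parameter(Mandatory)][string]$Query)
    $rows = @(Get-CimInstance -Query $Query -ErrorAction Stop)
    return ($rows.Count -gt 0)
}

$wql = "SELECT * FROM Win32_ComputerSystem WHERE Name <> '$ServerName'"
if (Test-WmiFilterApplies -Query $wql) {
    Write-Output "WMI filter passes on $ServerName: the GPO WOULD apply here."
} else {
    Write-Output "WMI filter fails on $ServerName: the GPO is skipped here."
}

# 2. Security filtering. A trustee with an explicit Deny on "Apply Group Policy" (GpoApply)
#    is skipped during processing even though it can still read the GPO. List who holds
#    GpoApply on the GPO and whether it is allowed or denied.
Import-Module GroupPolicy -ErrorAction Stop
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied, Inherited

# 3. Group membership. The computer account must be in the exemption group, and the
#    machine needs a reboot (or a fresh machine logon) before its token includes it.
Import-Module ActiveDirectory -ErrorAction Stop
$members = Get-ADGroupMember -Identity $ExemptGroup | Where-Object { $_.objectClass -eq 'computer' }
if ($members.Name -contains $ServerName) {
    Write-Output "$ServerName is a member of $ExemptGroup."
} else {
    Write-Output "$ServerName is NOT a member of $ExemptGroup."
}

# Finally, confirm on the excluded server that the GPO is no longer in the applied set:
gpresult /scope computer /r
```

Both techniques exclude the whole GPO from the server, so every setting in it is dropped there, not just the 128-bit requirement for one peer; keeping the NTLM settings in a GPO of their own limits that side effect.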
 

Author Comment

by:andre_st
ID: 34924976
I see now that I was a bit imprecise in my question... sorry about that.

The problem is that I want a DC server to make an exception in its loaded Group Policy settings, so that it won't require 128-bit encrypted communication from a specific server in the network.

If I use a security or WMI filter to target the DC server, that would just mean that it won't require 128-bit encryption, regardless of which client computer it is communicating with. And that is not the intention. I just need the DC to make an explicit exception when it comes to a specific server, and still maintain the security settings when it comes to all other servers/clients.
0
 
LVL 51

Accepted Solution

by: Netman66 (earned 500 total points)
ID: 34925930
Hello again!

I understand exactly what you're asking.

There isn't a method (currently) to allow you to do this.  As has been stated already, you can prevent this policy from applying to this server, however it does exactly what you already know - turns off the 128-bit requirement altogether.

You pose an interesting question, and one I am going to bring up at the Microsoft MVP Summit in two weeks.

I suspect their response to be more of a question of whether adding a "middleman" or server in the middle would be viable. There are other scenarios where two servers cannot communicate directly but can be configured to communicate through a third server, and I'm wondering if we could somehow make this work for you too.

Exactly what type of traffic is being prevented by this 128-bit requirement? If you know the protocol and ports, that may be of value when trying to provide you with a workaround.

Let us know.
0
 

Author Comment

by:andre_st
ID: 34959326
Thanks for your reply.

Regarding:

"There are other scenarios where two servers cannot communicate directly but can be configured to communicate through a third server and I'm wondering if we could somehow make this work for you too."

I'm afraid this option will not be acceptable from our clients' point of view.

We have developed an application that works as a central application server (it contains the user database and other specific user data) in conjunction with some of our other client software. To make it easier for the users to log in to these client applications, we have implemented a "Single Sign On" function that lets the application server authenticate the user against the AD Domain Controller. So from the users' perspective, they never need to log in to these programs, as it is enough to have been authenticated during the Windows domain login.

During the authentication, the application server communicates with the client computer and the AD Domain Controller over the HTTPS/SSL protocol. So even if the application server software in itself is a "middle man", it should be quite safe. But this application does not support 128-bit encryption, and there lies the current problem...

Those customers that have their NTLM Group Policy set to 128-bit encryption can't get the Single Sign On function to work.

As the Application Server uses HTTPS/SSL, I would regard it as rather safe if one could configure the Group Policy to make an explicit exception for a specific IP address, or a server.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34964602
Since your app is taking Windows Integrated Authentication, the OS is doing the hard part in securing the comms between AD and itself, so it should only be a matter of leveraging the OS calls using a shim or making the determination based on the local access token presented by the client. Since the client is already authenticated to that application server (if it uses a share), then the only processing it needs can be localized and not have to go to the DC, basically circumventing the need for a 128-bit call.

Just thinking out loud.
0
