Solved

Is it possible to create an exception for an IP address, or a server, in Group Policy NTLM security settings?

Posted on 2011-02-18
742 Views
Last Modified: 2012-05-11
If possible, we need to make an exception for a specific server, from the Group Policy, NTLM security settings. The Group Policy is configured as follows:

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients > Enabled
Require NTLMv2 session security > Enabled
Require 128-bit encryption > Enabled

------------

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers > Enabled
Require NTLMv2 session security > Enabled
Require 128-bit encryption > Enabled

From what I could see, there isn't any option of making such an exception from the Group Policy editor GUI. But perhaps I am missing something, or there might be a way of doing this with some kind of a script...?
Question by:andre_st
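The two policies quoted in the question are stored on each machine as the REG_DWORD values NtlmMinClientSec and NtlmMinServerSec under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0, where the bit 0x00080000 means "Require NTLMv2 session security" and 0x20000000 means "Require 128-bit encryption". The following script is an added example, not part of the original question, that reads those values on the machine it runs on (for instance the DC after a gpupdate) and reports which requirements are in force; the function and variable names are the example's own.

```powershell
# Added example: report the effective NTLM minimum session security settings on this machine.
# Run it on the computer whose applied policy you want to check (e.g. the DC), after gpupdate.

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Bit flags used by NtlmMinClientSec / NtlmMinServerSec
$REQUIRE_NTLMV2_SESSION_SECURITY = 0x00080000   # "Require NTLMv2 session security"
$REQUIRE_128_BIT_ENCRYPTION      = 0x20000000   # "Require 128-bit encryption"

function Get-NtlmMinSessionSecurity {
    param(
        # 'Client' maps to NtlmMinClientSec, 'Server' to NtlmMinServerSec
        [ValidateSet('Client', 'Server')] [string] $Side
    )
    $valueName = "NtlmMin${Side}Sec"
    $item = Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue

    # A missing value means the policy is "Not Configured" on this machine, so the
    # OS default applies; report that explicitly instead of pretending it is 0.
    if ($null -eq $item) {
        return [pscustomobject]@{
            Side                    = $Side
            RawValue                = 'not set (OS default applies)'
            RequireNtlmV2Session    = $null
            Require128BitEncryption = $null
        }
    }

    $raw = [int64]$item.$valueName
    [pscustomobject]@{
        Side                    = $Side
        RawValue                = ('0x{0:X8}' -f $raw)
        RequireNtlmV2Session    = (($raw -band $REQUIRE_NTLMV2_SESSION_SECURITY) -ne 0)
        Require128BitEncryption = (($raw -band $REQUIRE_128_BIT_ENCRYPTION) -ne 0)
    }
}

Get-NtlmMinSessionSecurity -Side Client
Get-NtlmMinSessionSecurity -Side Server
```

With both policies enabled exactly as listed in the question, each side reports RawValue 0x20080000 and both flags True. Because these are per-machine values, there is nothing in them that distinguishes one remote peer from another, which is why a per-server exception cannot be expressed in this policy.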
6 Comments
 
LVL 5

Expert Comment

by:NotVeryFat
ID: 34924674
You could try creating a WMI filter, adding the following line, and then applying to the appropriate Group Policy:

SELECT * FROM Win32_ComputerSystem WHERE Name <> 'ServerName'

This should mean that the Group Policy would apply to all except this server.
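A WMI filter passes when its WQL query returns at least one object, so the query above passes everywhere except on the machine whose Win32_ComputerSystem.Name equals 'ServerName'. The script below is an added example, not code from the answer above, that evaluates the same query locally the way the Group Policy client would, so you can confirm the filter's outcome on a given computer before linking it; 'ServerName' is a placeholder and the function name is the example's own.

```powershell
# Added example: evaluate the WMI filter query locally and report whether a GPO
# carrying this filter would apply to this computer.
# Replace 'ServerName' with the NetBIOS name of the server to exclude (placeholder).

$excludedServer = 'ServerName'
$filterQuery    = "SELECT * FROM Win32_ComputerSystem WHERE Name <> '$excludedServer'"

function Test-GpoWmiFilter {
    param([string] $Query)
    # Get-CimInstance returns nothing (not an error) when the WHERE clause matches
    # no instance, which is exactly what happens on the excluded server.
    $result = @(Get-CimInstance -Query $Query -ErrorAction Stop)
    return ($result.Count -gt 0)
}

# Show what the filter compares against and the resulting decision.
$thisComputer = (Get-CimInstance -ClassName Win32_ComputerSystem).Name
if (Test-GpoWmiFilter -Query $filterQuery) {
    "Computer '$thisComputer': filter TRUE - the GPO would apply here."
} else {
    "Computer '$thisComputer': filter FALSE - the GPO would be skipped here."
}
```

Two things to keep in mind: Win32_ComputerSystem.Name is the NetBIOS computer name, not the FQDN, so the string in the query must match that form exactly; and the built-in GroupPolicy module has no cmdlet to create WMI filters, so the filter itself is created and linked in GPMC. After linking, `gpresult /r /scope computer` on the excluded server lists the GPO under "Filtering: Denied (WMI Filter)".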
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34924678
Try Group Policy Security Filtering: add that server account there and set Deny on Read/Apply this policy. Instead of adding a single server to that GPO security filtering, you can create a special group, add it there, and place this server into this group.

More about GPO Security Filtering in this article:
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html

Regards,
Krzysztof
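The group-based variant of this answer can be scripted with the built-in GroupPolicy and ActiveDirectory modules. The following is an added example, not part of the answer above: it adds Deny entries for "Apply Group Policy" and Read on the GPO's Active Directory object for a security group, which is what GPMC does when you tick Deny next to those two permissions. The GPO name and group name are placeholders; the function name is the example's own.

```powershell
# Added example: deny a security group the Read and Apply Group Policy permissions
# on a GPO, so computers that are members of the group do not process it.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName     = 'NTLM Minimum Session Security'   # placeholder: name of the NTLM GPO
$ExemptGroup = 'GPO-NTLM-Exempt-Computers'        # placeholder: group holding the exempt server

# Extended right "Apply Group Policy" (rightsGuid of that control access right in the schema)
$ApplyGroupPolicyRight = [Guid] 'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Deny-GpoApply {
    param([string] $GpoName, [string] $GroupName)

    $gpo      = Get-GPO -Name $GpoName -ErrorAction Stop
    $group    = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    $domainDn = (Get-ADDomain).DistinguishedName

    # The GPO's AD object lives under CN=Policies,CN=System and is named by its GUID.
    $gpoDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
    $acl   = Get-Acl -Path "AD:\$gpoDn"

    # Deny "Apply Group Policy" (object-specific extended right) ...
    $denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGroupPolicyRight)

    # ... and deny Read, matching the "deny read/apply" combination described above.
    $denyRead = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Deny)

    $acl.AddAccessRule($denyApply)
    $acl.AddAccessRule($denyRead)
    Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

    # Show the resulting entries for the group as the GroupPolicy module reports them.
    Get-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group
}

Deny-GpoApply -GpoName $GpoName -GroupName $ExemptGroup
```

Because the example edits the AD object directly, GPMC may report that the SYSVOL folder's permissions no longer match and offer to synchronize them; accept that, or set the Deny entries in GPMC instead, which updates both. The exempt server's computer account only picks up the new group membership after a reboot, since group SIDs are added to its token at logon. As the asker points out in the follow-up, this removes the whole policy from the exempt machine rather than relaxing it for one peer.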
 

Author Comment

by:andre_st
ID: 34924976
I see now that I was a bit imprecise in my question... sorry about that.

The problem is that I want a DC server to make an exception in its loaded Group Policy settings, so that it won't require 128-bit encrypted communication from a specific server in the network.

If I use a security or WMI filter to target the DC server, that would just mean that it won't require 128-bit encryption, regardless of which computer client it is communicating with. And that is not the intention. I just need the DC to make an explicit exception when it comes to a specific server, and still maintain the security settings when it comes to all other servers/clients.
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 34925930
Hello again!

I understand exactly what you're asking.

There isn't a method (currently) to allow you to do this. As has been stated already, you can prevent this policy from applying to this server, however it does exactly what you already know - turns off the 128-bit requirement altogether.

You pose an interesting question, and one I am going to bring up at the Microsoft MVP Summit in two weeks.

I suspect their response to be more of a question of whether adding a "middleman" or server in the middle would be viable. There are other scenarios where two servers cannot communicate directly but can be configured to communicate through a third server and I'm wondering if we could somehow make this work for you too.

Exactly what type of traffic is being prevented by this 128-bit requirement? If you know the protocol and ports, that may be of value when trying to provide you with a workaround.

Let us know.
 

Author Comment

by:andre_st
ID: 34959326
Thanks for your reply.

Regarding:

"There are other scenarios where two servers cannot communicate directly but can be configured to communicate through a third server and I'm wondering if we could somehow make this work for you too."

I'm afraid this option will not be acceptable from our clients' point of view.

We have developed an application that works as a central application server software (contains user database, and other specific user data) that works in conjunction with some of our other client software. To make it easier for the users to log in to these client applications, we have implemented a "Single Sign On" function that lets the application server authenticate the user from the AD Domain Controller. So from the users' perspective, they never need to log in to these programs, as it is enough to have been authenticated during the Windows domain login.

During the authentication, the application server communicates with the computer client and the AD Domain Controller with the https/ssl protocol. So even if the application server software in itself is a "middle man", it should be quite safe. But this application does not support 128-bit encryption, and there lies the current problem...

Those customers that have their NTLM Group Policy set to 128-bit encryption can't get the Single Sign On function to work.

As the Application Server uses https/ssl, I would regard it as rather safe if one could configure the Group Policy to make an explicit exception for a specific IP address, or a server.
 
LVL 51

Expert Comment

by:Netman66
ID: 34964602
Since your app is taking Windows Integrated Authentication, the OS is doing the hard part in securing the comms between AD and itself, so it should only be a matter of leveraging the OS calls using a shim or making the determination based on the local access token presented by the client.  Since the client is already authenticated to that application server (if it uses a share) then the only processing it needs can be localized and not have to go to the DC - basically circumventing the need for a 128-bit call.

Just thinking out loud.
