XAnalyzer
asked on
Microsoft best practices applied to Windows Default Domain policy or Default Domain Controller Policy?
Hello, I've researched Microsoft best practices about LM and NTLM being weak protocols that should not be allowed to be used, and the following group policies:
• Domain member: Require strong (Windows 2000 or later) session key: Enabled.
• Domain member: Digitally encrypt or sign secure channel data (always): Enabled.
• Network Security: LAN Manager authentication level: Send NTLMv2 response only\refuse LM & NTLM.
• Network Security: Do not store LAN Manager hash value on next password change: Enabled.
Should I enable these in the Default Domain Policy or Default Domain Controller Policy? Also I assume these apply to Machine Policy? If someone can point me to exactly where these should be enabled, I would appreciate it.
ASKER CERTIFIED SOLUTION
Err, sorry. It will be applied to all systems in the domain (gotta be technically correct, I suppose).
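An added example, not part of the original thread: the four settings listed in the question are computer-side Security Options (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options), and each is backed by a registry value under HKLM. This PowerShell check reads those values on the local machine, so you can confirm on a member server or domain controller that the policy actually took effect after `gpupdate`.

```powershell
# Added example: audit the effective values behind the four security options
# named in the question. Run in an elevated PowerShell session on the machine
# you want to verify (member or domain controller).
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

$checks = @(
    [pscustomobject]@{ Setting = 'Domain member: Require strong (Windows 2000 or later) session key'
                       Path = $netlogon; Name = 'RequireStrongKey';     Expected = 1 }
    [pscustomobject]@{ Setting = 'Domain member: Digitally encrypt or sign secure channel data (always)'
                       Path = $netlogon; Name = 'RequireSignOrSeal';    Expected = 1 }
    [pscustomobject]@{ Setting = 'Network security: LAN Manager authentication level'
                       Path = $lsa;      Name = 'LmCompatibilityLevel'; Expected = 5 }  # 5 = NTLMv2 only, refuse LM & NTLM
    [pscustomobject]@{ Setting = 'Network security: Do not store LAN Manager hash value on next password change'
                       Path = $lsa;      Name = 'NoLMHash';             Expected = 1 }
)

$results = foreach ($c in $checks) {
    # A missing value means no policy has written it and the OS default applies;
    # it is reported as non-compliant so that it gets reviewed.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { $null }

    [pscustomobject]@{
        Setting   = $c.Setting
        Value     = $c.Name
        Expected  = $c.Expected
        Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
        Compliant = ($actual -eq $c.Expected)
    }
}

$results | Format-Table -AutoSize -Wrap

# Non-zero exit code lets a scheduled task or monitoring job flag drift.
if ($results.Compliant -contains $false) { exit 1 }
```

`gpresult /h report.html` on the same machine shows which GPO delivered each setting.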