Solved

Microsoft best practices applied to Windows Default Domain policy or Default Domain Controller Policy?

Posted on 2011-03-25
2
819 Views
Last Modified: 2012-05-11
Hello, I've researched Microsoft best practices about LM and NTLM being weak protocols and should not be allowed to be used and the following group policies-
•      Domain member: Require strong (Windows 2000 or later) session key: Enabled.
•      Domain member: Digitally encrypt or sign secure channel data (always): Enabled.
•      Network Security: LAN Manger authentication level: Send NTLMv2 response only\refuse LM & NTLM.       
•      Network Security: Do not store LAN Manager hash value on next password change: Enabled.

Should I enable these in the Default Domain Policy or Default Domain Controller Policy? Also I assume these apply to Machine Policy? If someone can point me to exactly where these should be enabled, I would appreciate it.
0
Comment
Question by:XAnalyzer
  • 2
2 Comments
 
LVL 38

Accepted Solution

by:
Adam Brown earned 250 total points
Comment Utility
Best Practices are to avoid modifying the Default Domain Policy and Default Domain Controllers policy, as they contain many settings that are needed for AD to operate correctly. If you want to set the policies you've outlined, create a new GPO and link it at the domain level, then set those settings. If you are blocking inheritence anywhere in your environment, you'll also want to set the GPO as Enforced. Once that's done, the settings will be applied to all systems in the network.
0
 
LVL 38

Expert Comment

by:Adam Brown
Comment Utility
Err, sorry. It will be applied to all systems in the domain (gotta be technically correct I suppose)
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Online collaboration can help businesses be more efficient, help employees grow their skills and foster a team environment.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now