Solved

Microsoft best practices applied to Windows Default Domain policy or Default Domain Controller Policy?

Posted on 2011-03-25
2
857 Views
Last Modified: 2012-05-11
Hello, I've researched Microsoft best practices about LM and NTLM being weak protocols and should not be allowed to be used and the following group policies-
•      Domain member: Require strong (Windows 2000 or later) session key: Enabled.
•      Domain member: Digitally encrypt or sign secure channel data (always): Enabled.
•      Network Security: LAN Manger authentication level: Send NTLMv2 response only\refuse LM & NTLM.       
•      Network Security: Do not store LAN Manager hash value on next password change: Enabled.

Should I enable these in the Default Domain Policy or Default Domain Controller Policy? Also I assume these apply to Machine Policy? If someone can point me to exactly where these should be enabled, I would appreciate it.
0
Comment
Question by:XAnalyzer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 
LVL 40

Accepted Solution

by:
Adam Brown earned 250 total points
ID: 35219264
Best Practices are to avoid modifying the Default Domain Policy and Default Domain Controllers policy, as they contain many settings that are needed for AD to operate correctly. If you want to set the policies you've outlined, create a new GPO and link it at the domain level, then set those settings. If you are blocking inheritence anywhere in your environment, you'll also want to set the GPO as Enforced. Once that's done, the settings will be applied to all systems in the network.
0
 
LVL 40

Expert Comment

by:Adam Brown
ID: 35219267
Err, sorry. It will be applied to all systems in the domain (gotta be technically correct I suppose)
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question