Microsoft best practices applied to Windows Default Domain policy or Default Domain Controller Policy?
Posted on 2011-03-25
Hello, I've researched Microsoft best practices about LM and NTLM being weak protocols that should not be allowed to be used, and the following group policies:
• Domain member: Require strong (Windows 2000 or later) session key: Enabled.
• Domain member: Digitally encrypt or sign secure channel data (always): Enabled.
• Network Security: LAN Manager authentication level: Send NTLMv2 response only\refuse LM & NTLM.
• Network Security: Do not store LAN Manager hash value on next password change: Enabled.
Should I enable these in the Default Domain Policy or Default Domain Controller Policy? Also I assume these apply to Machine Policy? If someone can point me to exactly where these should be enabled, I would appreciate it.