Solved

Microsoft best practices applied to Windows Default Domain policy or Default Domain Controller Policy?

Posted on 2011-03-25
Last Modified: 2012-05-11
Hello, I've researched Microsoft best practices about LM and NTLM being weak protocols that should not be allowed to be used, and the following group policies:
• Domain member: Require strong (Windows 2000 or later) session key: Enabled.
• Domain member: Digitally encrypt or sign secure channel data (always): Enabled.
• Network Security: LAN Manager authentication level: Send NTLMv2 response only\refuse LM & NTLM.
• Network Security: Do not store LAN Manager hash value on next password change: Enabled.

Should I enable these in the Default Domain Policy or Default Domain Controller Policy? Also I assume these apply to Machine Policy? If someone can point me to exactly where these should be enabled, I would appreciate it.
Question by:XAnalyzer
2 Comments
 
LVL 42

Accepted Solution

by: Adam Brown (earned 1000 total points)
ID: 35219264
Best practices are to avoid modifying the Default Domain Policy and Default Domain Controllers Policy, as they contain many settings that are needed for AD to operate correctly. If you want to set the policies you've outlined, create a new GPO and link it at the domain level, then set those settings. If you are blocking inheritance anywhere in your environment, you'll also want to set the GPO as Enforced. Once that's done, the settings will be applied to all systems in the network.
 
LVL 42

Expert Comment

by: Adam Brown
ID: 35219267
Err, sorry. It will be applied to all systems in the domain (gotta be technically correct I suppose)
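The procedure from the accepted answer (a dedicated GPO, linked at the domain root, enforced, carrying the four settings from the question) as an added PowerShell example; this is not code from the thread or from Microsoft. It assumes the GroupPolicy RSAT module is installed and that you run it as a domain admin; the GPO name "SEC - NTLM Hardening" is a placeholder. All four settings live under Computer Configuration, so they are machine (not user) settings, and the registry values shown are the ones the corresponding Security Options entries set on the client. The verification function is meant to be run on a domain member after `gpupdate /force`.

```powershell
# Added example (not from the original thread): create a dedicated, enforced,
# domain-linked GPO for the LM/NTLM hardening settings instead of editing the
# Default Domain Policy or Default Domain Controllers Policy.
# Assumptions: GroupPolicy RSAT module present, run as a domain admin.
Import-Module GroupPolicy

$GpoName  = 'SEC - NTLM Hardening'                          # placeholder name
$DomainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext    # e.g. DC=corp,DC=example

# 1. Create the GPO (reuse it if it already exists so the script is re-runnable).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Refuse LM/NTLMv1, require signed+sealed secure channel'
}

# 2. Link it at the domain root and enforce it, so it still wins in any OU
#    where "Block Inheritance" is set (the point made in the accepted answer).
$link = (Get-GPInheritance -Target $DomainDN).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $link) {
    New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes -Enforced Yes | Out-Null
} else {
    Set-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes -Enforced Yes | Out-Null
}

# 3. The four settings from the question, expressed as the registry values the
#    matching Security Options entries write on the client.
$Netlogon = 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Lsa      = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
$settings = @(
    @{ Key=$Netlogon; Name='RequireStrongKey';     Value=1
       Policy='Domain member: Require strong (Windows 2000 or later) session key' }
    @{ Key=$Netlogon; Name='RequireSignOrSeal';    Value=1
       Policy='Domain member: Digitally encrypt or sign secure channel data (always)' }
    @{ Key=$Lsa;      Name='LmCompatibilityLevel'; Value=5
       Policy='Network security: LAN Manager authentication level (5 = Send NTLMv2 response only\refuse LM & NTLM)' }
    @{ Key=$Lsa;      Name='NoLMHash';             Value=1
       Policy='Network security: Do not store LAN Manager hash value on next password change' }
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
    Write-Host "Configured: $($s.Policy)"
}

# 4. Verification, to run on any domain member after `gpupdate /force`:
#    compare the live HKLM values with what the GPO is supposed to deliver.
function Test-NtlmHardening {
    foreach ($s in $settings) {
        $path   = $s.Key -replace '^HKLM\\', 'HKLM:\'
        $actual = (Get-ItemProperty -Path $path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting  = $s.Policy
            Expected = $s.Value
            Actual   = $actual
            Ok       = ($actual -eq $s.Value)
        }
    }
}
Test-NtlmHardening | Format-Table -AutoSize
```

Two caveats worth knowing before rolling this out domain-wide. `Set-GPRegistryValue` writes to the GPO's registry.pol, so in the GPMC editor these entries appear under Administrative Templates > Extra Registry Settings rather than under Security Settings > Local Policies > Security Options; the client applies them to HKLM exactly the same way, but if you want them visible under Security Options, set them in the editor of this same GPO instead. Also, `LmCompatibilityLevel` 5 makes members refuse LM and NTLMv1 authentication, which will break anything that cannot do NTLMv2 (old NAS units, printers, legacy appliances), so link the GPO to a pilot OU first, and remember that `NoLMHash` only takes effect for each account at its next password change.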
