Solved

Differences between server 2003 NTLM SSP and the newer server versions in GPO

Posted on 2016-10-10
Last Modified: 2016-10-11
I'm being asked to set Server 2003 NTLM SSP to include:

No Minimum
Require message integrity
Require message confidentiality
Require NTLMv2 Session Security
Require 128-bit encryption
However, for my 2008, 2008r2, and 2012 servers, I'm only asked to run the last two.

Require NTLMv2 session security
Require 128-bit encryption
If I do this, will it break communications between the 2003 boxes and the others, or do the added settings make it work?

Thank you
Question by:Evan Cutler
5 Comments
 
LVL 41

Accepted Solution

by: Adam Brown earned 500 total points
ID: 41837663
The difference between 2003 and 2008 and later versions is that 2008 and later don't allow you to set the NTLMSSP minimum to the first three options available on server 2003. A basic explanation of what each setting does should help:
No minimum: No requirements for NTLMSSP. This means non-secure messages will be accepted.

Require Message Integrity: This sets the minimum to require all messages be digitally signed at a minimum. This will cause messages that are not signed with a digital certificate to be rejected, but will accept all messages that are digitally signed, regardless of the source.

Require Message Confidentiality: This causes the system to require encryption, but does not set requirements for what *type* of encryption to use. This setting allows messages using LANMAN generated keys, which are incredibly weak (like, the whole keyspace has been calculated).

Require NTLMv2 session security: This sets the server to reject any message that isn't secured with NTLMv2 at a minimum. This prevents the use of extremely weak encryption, but allows NTLMv2, which still isn't the best encryption you could use.

Require 128-bit encryption: This will cause all servers to reject messages that are not encrypted with 128bit encryption algorithms at a minimum.

When Server 2008 came out, MS eliminated the default backward compatibility settings that allowed use of LANMAN hashes and encryption with keys based on LANMAN. Windows 2008 and later servers, when configured to use NTLMSSP, will no longer accept messages from any system that is not set up to use NTLMv2 or better encryption, and there is no way to make it accept those messages. The only systems that are incapable of using NTLMv2 or better encryption are NT4 servers, which are so badly deprecated at this point that they should be immediately thrown into a fire if found (My opinion at least). Since NT4 was completely End of Life when 2008 was released, they removed the ability to accept NTLMSSP messages that weren't secured with NTLMv2 at a minimum. So that's why there's a difference there.

Now, as to what will happen...as long as your 2003 servers are set up to properly encrypt messages, you'll have no problem setting the minimum to NTLMv2 session security. If you have your systems configured to use NTLMSSP and the 2003 servers are *not* configured to encrypt data with NTLMv2 or better, setting the policy you're looking at will break communication between servers. So make sure the NTLMSSP setup is done correctly. This is fairly simple to do by just making sure both the Client and Server settings are set to the same value on all systems.
0
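To make the four checkboxes concrete, here is an added example (not part of the thread, and not Adam's or the asker's code) that models how the policy is applied. The checkboxes are bits of the NTLMMinClientSec and NTLMMinServerSec DWORDs under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0, and each bit is the NTLMSSP NEGOTIATE flag of the same meaning: 0x10 (sign), 0x20 (seal), 0x80000 (NTLMv2 session security), 0x20000000 (128-bit). A side rejects the session when its own minimum is not a subset of the flags both parties actually negotiated. The client/server pairings at the bottom are constructed scenarios, not values read from real hosts.

```python
# Model of the GPO "Network security: Minimum session security for NTLM SSP
# based (including secure RPC) clients / servers". The checkbox bits are the
# NTLMSSP NEGOTIATE flags (MS-NLMP) stored in the NTLMMinClientSec and
# NTLMMinServerSec DWORDs under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
from typing import Dict, List

NEGOTIATE_SIGN = 0x00000010                      # "Require message integrity"
NEGOTIATE_SEAL = 0x00000020                      # "Require message confidentiality"
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # "Require NTLMv2 session security"
NEGOTIATE_128 = 0x20000000                       # "Require 128-bit encryption"

# Insertion order matches the order of the checkboxes in the policy editor.
CHECKBOXES: Dict[int, str] = {
    NEGOTIATE_SIGN: "Require message integrity",
    NEGOTIATE_SEAL: "Require message confidentiality",
    NEGOTIATE_EXTENDED_SESSIONSECURITY: "Require NTLMv2 session security",
    NEGOTIATE_128: "Require 128-bit encryption",
}

# The two values from the question: all four boxes (asked of the 2003 boxes)
# and only the last two (0x20080000, the Vista/2008-and-later default).
ALL_FOUR = (NEGOTIATE_SIGN | NEGOTIATE_SEAL
            | NEGOTIATE_EXTENDED_SESSIONSECURITY | NEGOTIATE_128)
NTLMV2_AND_128 = NEGOTIATE_EXTENDED_SESSIONSECURITY | NEGOTIATE_128


def decode(value: int) -> List[str]:
    """Translate a NTLMMin*Sec DWORD into the names of the checkboxes it sets."""
    names = [name for bit, name in CHECKBOXES.items() if value & bit]
    return names or ["No minimum"]


def missing_requirements(client_offer: int, server_accept: int,
                         client_min: int, server_min: int) -> List[str]:
    """Return the required checkboxes whose bits were not negotiated.

    client_min is NTLMMinClientSec on the machine initiating authentication,
    server_min is NTLMMinServerSec on the machine accepting it. The negotiated
    flags are the intersection of what the client offered and what the server
    accepted; either side rejects the session if its own minimum is not
    contained in that set. An empty list means the session is allowed.
    """
    negotiated = client_offer & server_accept
    required = client_min | server_min
    return [name for bit, name in CHECKBOXES.items()
            if required & bit and not negotiated & bit]


def session_allowed(client_offer: int, server_accept: int,
                    client_min: int, server_min: int) -> bool:
    return not missing_requirements(client_offer, server_accept,
                                    client_min, server_min)


if __name__ == "__main__":
    # Constructed scenarios (not measured from real hosts).
    print("2008+ default decodes to:", decode(NTLMV2_AND_128))
    # 2003 client with all four boxes, application negotiates sign+seal,
    # 2008 server at its default: allowed.
    print(session_allowed(ALL_FOUR, ALL_FOUR, ALL_FOUR, NTLMV2_AND_128))
    # Same pair, but the application did not ask for sealing: the 2003 side's
    # "Require message confidentiality" rejects the session.
    print(missing_requirements(ALL_FOUR & ~NEGOTIATE_SEAL, ALL_FOUR,
                               ALL_FOUR, NTLMV2_AND_128))
    # A client that cannot do NTLMv2 session security against a 2008 server.
    print(missing_requirements(NEGOTIATE_128, ALL_FOUR, 0, NTLMV2_AND_128))
```

The second scenario is the one to watch when the 2003 boxes get the first two boxes ticked as well: "Require message integrity" and "Require message confidentiality" fail the connection whenever the application on that side does not negotiate signing or sealing, independent of what the 2008+ peers require.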
 
LVL 9

Author Comment

by:Evan Cutler
ID: 41837751
Thank you so much,

So basically, what I'm hearing is that server 2003 is a "pivot" version, where it is the last version to talk to LANMAN.
If you require "NTLMv2", is there a need to select the first two? Does this not cover that? Or does each one only resolve to the direction of the incoming message?
I.e., LANMAN-enabled machines vs. newer servers?


Thanks
0
 
LVL 9

Author Closing Comment

by:Evan Cutler
ID: 41838841
This is enough information to make an informed decision.  Adam made his comment well thought out and is good for anyone forced to learn about this setting.
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 41838901
NTLMv2 includes the capabilities of the first two options. LANMAN is still *available* but completely disabled by default on newer versions of Windows. 2003/Windows XP were the last versions to have LANMAN capabilities enabled by default.

To clarify, there are two settings that need to be configured here. One for servers and one for clients. The client setting applies to incoming NTLMSSP messages, while the server setting applies to outgoing messages. There are default settings for both in Local policy for each version of windows, but it isn't configured by Domain policies by default. In 2008/Vista and later versions of Windows, the settings are both set to use 128bit encryption by default when NTLMSSP is used. 2003 and XP were (I think) configured to use NTLMv2.
1
 
LVL 9

Author Comment

by:Evan Cutler
ID: 41839137
OK. You are awesome. Thanks much.

Since the domain controller is on Win2008, it only shows the 2;
can I make it show the other 2 as well, to set the 2003 boxes?
0