Solved

Differences between server 2003 NTLM SSP and the newer server versions in GPO

Posted on 2016-10-10
5
29 Views
Last Modified: 2016-10-11
I'm being asked to set Server 2003 NTLM SSP to include:

No Minimum
Require message integrity
Require message confidentiality
Require NTLMv2 Session Security
Require 128-bit encryption
However, for my 2008, 2008r2, and 2012 servers, I'm only asked to run the last two.

Require NTLMv2 session security
Require 128-bit encryption
If I do this, will it break communications between the 2003 boxes and the others, or do the added settings make it work?

Thank you
0
Question by: Evan Cutler
5 Comments
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41837663
The difference between 2003 and 2008 and later versions is that 2008 and later don't allow you to set the NTLMSSP minimum to the first three options available on server 2003. A basic explanation of what each setting does should help:
No minimum: No requirements for NTLMSSP. This means non-secure messages will be accepted.

Require Message Integrity: This sets the minimum to require all messages be digitally signed at a minimum. This will cause messages that are not signed with a digital certificate to be rejected, but will accept all messages that are digitally signed, regardless of the source.

Require Message Confidentiality: This causes the system to require encryption, but does not set requirements for what *type* of encryption to use. This setting allows messages using LANMAN generated keys, which are incredibly weak (like, the whole keyspace has been calculated).

Require NTLMv2 session security: This sets the server to reject any message that isn't secured with NTLMv2 at a minimum. This prevents the use of extremely weak encryption, but allows NTLMv2, which still isn't the best encryption you could use.

Require 128-bit encryption: This will cause all servers to reject messages that are not encrypted with 128-bit encryption algorithms at a minimum.

When Server 2008 came out, MS eliminated the default backward compatibility settings that allowed use of LANMAN hashes and encryption with keys based on LANMAN. Windows 2008 and later servers, when configured to use NTLMSSP, will no longer accept messages from any system that is not set up to use NTLMv2 or better encryption, and there is no way to make it accept those messages. The only systems that are incapable of using NTLMv2 or better encryption are NT4 servers, which are so badly deprecated at this point that they should be immediately thrown into a fire if found (My opinion at least). Since NT4 was completely End of Life when 2008 was released, they removed the ability to accept NTLMSSP messages that weren't secured with NTLMv2 at a minimum. So that's why there's a difference there.

Now, as to what will happen...as long as your 2003 servers are set up to properly encrypt messages, you'll have no problem setting the minimum to NTLMv2 session security. If you have your systems configured to use NTLMSSP and the 2003 servers are *not* configured to encrypt data with NTLMv2 or better, setting the policy you're looking at will break communication between servers. So make sure the NTLMSSP setup is done correctly. This is fairly simple to do by just making sure both the Client and Server settings are set to the same value on all systems.
0
 
LVL 9

Author Comment

by:Evan Cutler
ID: 41837751
Thank you so much,

So basically, what I'm hearing is that server 2003 is a "pivot" version, where it is the last version to talk to LANMAN.
If you require "NTLMv2", is there a need to select the first two? Does this not cover that? Or does each one only resolve to the direction of the incoming message?
I.e., LANMAN-enabled machines vs. newer servers?


Thanks
0
 
LVL 9

Author Closing Comment

by:Evan Cutler
ID: 41838841
This is enough information to make an informed decision.  Adam made his comment well thought out and is good for anyone forced to learn about this setting.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 41838901
NTLMv2 includes the capabilities of the first two options. LANMAN is still *available* but completely disabled by default on newer versions of Windows. 2003/Windows XP were the last versions to have LANMAN capabilities enabled by default.

To clarify, there are two settings that need to be configured here. One for servers and one for clients. The client setting applies to incoming NTLMSSP messages, while the server setting applies to outgoing messages. There are default settings for both in Local policy for each version of Windows, but it isn't configured by Domain policies by default. In 2008/Vista and later versions of Windows, the settings are both set to use 128-bit encryption by default when NTLMSSP is used. 2003 and XP were (I think) configured to use NTLMv2.
1
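The five options listed in the accepted answer, and the separate client and server settings described in the comment above, are exposed in the registry as two DWORD bitmasks. The script below is an added example (not code posted in this thread) that decodes those bitmasks into the option names and audits a machine against the target from the question (NTLMv2 session security plus 128-bit encryption), including the "client and server set to the same value" check the answer recommends. The registry path, value names and flag bits are the ones Microsoft documents for these two GPO settings; the computer name and the two sample values at the bottom are constructed for illustration.

```powershell
# Added example, not code from the thread. Decodes the NTLM SSP minimum session
# security bitmask that the two GPO settings store under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 as NtlmMinClientSec and
# NtlmMinServerSec, and audits a machine against the target from the question.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Documented flag bits behind the GPO checkboxes ("No minimum" is simply 0).
$NtlmSspFlags = [ordered]@{
    'Require message integrity'       = 0x00000010
    'Require message confidentiality' = 0x00000020
    'Require NTLMv2 session security' = 0x00080000
    'Require 128-bit encryption'      = 0x20000000
}

# Target from the question: NTLMv2 session security plus 128-bit encryption (0x20080000).
$Target = $NtlmSspFlags['Require NTLMv2 session security'] -bor $NtlmSspFlags['Require 128-bit encryption']

function ConvertTo-NtlmSspFlagNames {
    # Turns a raw DWORD into the list of option names whose bit is set.
    param([Parameter(Mandatory)][int64]$Value)
    $names = @($NtlmSspFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key })
    if ($names.Count -eq 0) { @('No minimum') } else { $names }
}

function Test-NtlmSspMinimum {
    # Evaluates one client/server value pair: which options each bitmask
    # carries, whether both meet the target, and whether the two values match
    # (the consistency check recommended in the accepted answer).
    param(
        [AllowNull()]$ClientValue,
        [AllowNull()]$ServerValue,
        [string]$Computer = $env:COMPUTERNAME
    )
    # A missing value means no explicit policy is in place; the OS default applies
    # and the script reports it as 'not set' rather than guessing the default.
    $client = if ($null -eq $ClientValue) { $null } else { [int64]$ClientValue -band 0xFFFFFFFF }
    $server = if ($null -eq $ServerValue) { $null } else { [int64]$ServerValue -band 0xFFFFFFFF }
    $meets  = { param($v) ($null -ne $v) -and (($v -band $Target) -eq $Target) }

    [pscustomobject]@{
        Computer          = $Computer
        ClientValue       = if ($null -eq $client) { 'not set' } else { '0x{0:X8}' -f $client }
        ClientOptions     = if ($null -eq $client) { 'not set' } else { (ConvertTo-NtlmSspFlagNames $client) -join '; ' }
        ServerValue       = if ($null -eq $server) { 'not set' } else { '0x{0:X8}' -f $server }
        ServerOptions     = if ($null -eq $server) { 'not set' } else { (ConvertTo-NtlmSspFlagNames $server) -join '; ' }
        MeetsTarget       = (& $meets $client) -and (& $meets $server)
        ClientServerMatch = ($client -eq $server)
    }
}

function Get-NtlmSspMinimum {
    # Reads the two values from the local registry and runs the evaluation.
    $props = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    Test-NtlmSspMinimum -ClientValue $props.NtlmMinClientSec -ServerValue $props.NtlmMinServerSec
}

# Local check, then a constructed pair of values mirroring the question:
# all four options ticked (0x20080030) on one side, only the last two (0x20080000) on the other.
Get-NtlmSspMinimum | Format-List
Test-NtlmSspMinimum -ClientValue 0x20080030 -ServerValue 0x20080000 -Computer 'EXAMPLE-2003' | Format-List
```

Running `Get-NtlmSspMinimum` through `Invoke-Command -ComputerName` against each server in the list gives a quick table of which boxes meet the target and which have mismatched client and server minimums before the GPO is enforced. The constructed pair at the bottom both satisfy the target (each has the NTLMv2 and 128-bit bits set), but `ClientServerMatch` is false because the 2003-style value also carries the integrity and confidentiality bits; the decoder shows exactly which bits a given policy wrote, so an auditor can tell 0x20080000 (the two options the question mentions for 2008 and later) from 0x20080030 (all four) at a glance.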
 
LVL 9

Author Comment

by:Evan Cutler
ID: 41839137
Ok. You are awesome. Thanks much.

Since the domain controller is on Win2008, it only shows the 2;
can I make it show the other 2 as well, to set the 2003 boxes?
0