Evan Cutler

asked on

how to make a specific windows 2003 GPO setting visible in a 2008 network

I'm asked to make this setting on 50 Windows Server 2003 boxes:

'Network security: Minimum session security for NTLM
SSP based (including secure RPC) clients' to 'Require message
integrity, Require message confidentiality, Require NTLMv2 session
security, Require 128-bit encryption'

My problem is that the Domain Controller is Windows 2008. In 2008, only the last two appear in the Group Policy Manager.
While this works with my Server 2008 servers, my 2003 servers still need the other two set.

Can I still do this?
Thanks
Adam Brown

Can you clarify what you've been asked to do? Is someone asking you to set the security setting to be all four of those at the same time? Because that isn't possible. You can only set one of those options to exist. Require Message Integrity and Require Message Confidentiality are lower security settings that are both accomplished by setting Require NTLMv2 Session Security or Require 128-bit encryption. Require 128-bit encryption is the highest security level that setting allows and effectively accomplishes the same thing as all the other settings. All you need to do is make sure all of your 2003 and 2008 systems are set to the same value, either Require NTLMv2 or Require 128-bit. Note that all systems are configured with the Require 128-bit encryption setting in local policy by default as long as they are running Windows Vista/2008 or later.
Evan Cutler (asker)

I've been asked to follow a series of guidelines to harden my environment. Exceptions to policy are extremely difficult to obtain.

In this guideline, I'm asked to set all four in 2003,
and the other two (NTLMv2, 128-bit) for 2008 and 2012.

I have to be able to explain why I shouldn't or can't and what the mediation would be if I didn't follow the guidelines.

Thanks.
Adam Brown

Sounds like the guidelines are poorly written. I would state that the setting "Require 128-bit Encryption" is already set by default and supersedes or includes the other 3 settings, and only one of the settings can be enabled at any time. From a hardening standpoint, you're using the highest possible setting, so it can't be hardened any further, as far as this particular setting is concerned.

Evan Cutler (asker)

Do you have an example URL where I can use that as doctrine? That way I can send references in with my request.
ASKER CERTIFIED SOLUTION
Adam Brown
This solution is only available to members.
Evan Cutler (asker)

OK, so to get this straight:
you're suggesting that since NTLMv2 and 128-bit include encryption and integrity, asking for a policy change would be easier than a registry change to include them as part of the policy. This is more implementation streamlining than policy differences, yes?
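Before filing the exception request, a practitioner would want to know what each of the 50 Windows Server 2003 boxes actually has in effect for this policy. The script below is an added example, not code from the thread: it reads the registry value behind 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' on each host and decodes which of the four options are set. It assumes you run it from a management host with admin rights, that the Remote Registry service is reachable on the targets, and the server names in `$servers` are constructed placeholders.

```powershell
# Added example (not from the thread). The policy is stored as a bitmask in
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec; each of the
# four GPO options corresponds to one bit.
$NtlmMinSecFlags = @{
    0x00000010 = 'Require message integrity'
    0x00000020 = 'Require message confidentiality'
    0x00080000 = 'Require NTLMv2 session security'
    0x20000000 = 'Require 128-bit encryption'
}

function Get-NtlmMinClientSec {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Uses the Remote Registry service (assumed running) to read the value on a host.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0')
    $raw  = if ($key) { $key.GetValue('NTLMMinClientSec') } else { $null }
    $hive.Close()
    # An absent value means the OS default applies; report it as not set instead of guessing.
    if ($null -eq $raw) {
        return New-Object PSObject -Property @{
            ComputerName = $ComputerName; Value = 'not set'
            Enabled = @(); Missing = @($NtlmMinSecFlags.Values)
        }
    }
    $enabled = @(); $missing = @()
    foreach ($bit in ($NtlmMinSecFlags.Keys | Sort-Object)) {
        if (($raw -band $bit) -eq $bit) { $enabled += $NtlmMinSecFlags[$bit] }
        else                            { $missing += $NtlmMinSecFlags[$bit] }
    }
    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        Value        = ('0x{0:X8}' -f $raw)   # e.g. 0x20080000 = NTLMv2 + 128-bit only
        Enabled      = $enabled
        Missing      = $missing
    }
}

# Constructed host list for the example; replace with the real 2003 server names.
$servers = @('SRV2003-01', 'SRV2003-02')
foreach ($s in $servers) {
    try   { Get-NtlmMinClientSec -ComputerName $s | Format-List ComputerName, Value, Enabled, Missing }
    catch { Write-Warning ("{0}: {1}" -f $s, $_.Exception.Message) }
}
```

The `Missing` list for each host is the evidence to attach to the request: it shows exactly which of the four named options a given server does or does not enforce, independent of what the 2008 Group Policy editor is able to display.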