how to make a specific windows 2003 GPO setting visible in a 2008 network

Posted on 2016-10-12
Medium Priority
Last Modified: 2016-11-18
I'm asked to make this setting in 50 windows server 2003 boxes:

'Network security: Minimum session security for NTLM
SSP based (including secure RPC) clients' to 'Require message
integrity,Require message confidentiality,Require NTLMv2 session
security,Require 128-bit encryption'

my problem is that the Domain Controller is Windows 2008.  in 2008, only the two last ones appear in the Group Policy Manager.
While this works with my Server 2008 servers, my 2003 servers still need the other two set.

Can I still do this?
Question by:Evan Cutler
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 42

Expert Comment

by:Adam Brown
ID: 41840493
Can you clarify what you've been asked to do? Is someone asking you to set the security setting to be all four of those at the same time? Because that isn't possible. You can only set one of those options to exist. Require Message Integrity and Require Message Confidentiality or lower security settings that are both accomplished by setting Require NTLMv2 Session Security or Require 128-bit encryption. Require 128-bit encryption is the highest security level that setting allows and effectively accomplishes the same thing as all the other settings. All you need to do is make sure all of your 2003 and 2008 systems are set to the same value, either Require NTLMv2 or Require 128-bit. Note that all systems are configured with the Require 128-bit encryption setting in local policy by default as long as they are running Windows Vista/2008 or later.

Author Comment

by:Evan Cutler
ID: 41840529
I've been asked to follow a series of guidelines to harden my environment.  Exceptions to policy are extremely difficult to obtain.

In this guideline, I'm asked to set all four in 2003,
and the other two (NTLMv2, 128-bit) for 2008 and 2012.

I have to be able to explain why I shouldn't or can't and what the mediation would be if I didn't follow the guidelines.

LVL 42

Expert Comment

by:Adam Brown
ID: 41840539
Sounds like the guidelines are poorly written. I would state that the setting "Require 128-bit Encryption" is already set by default and supercedes or includes the other 3 settings, and only one of the settings can be enabled at any time. From a hardening standpoint, you're using the highest possible setting, so it can't be hardened any further, as far as this particular setting is concerned.
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI


Author Comment

by:Evan Cutler
ID: 41840545
do you have an example URL where I can use that as doctrine?  That way I can send references in with my request?
LVL 42

Accepted Solution

Adam Brown earned 2000 total points
ID: 41840632
Oops. Did a little more digging on it. Sorry, it *is* possible to set all of them at the same time... https://books.google.com/books?id=jEZcFYmX0wYC&lpg=PA87&ots=g4omp-ZlCT&dq=require%20message%20integrity%20require%20confidentiality&pg=PA87#v=onepage&q=require%20message%20integrity%20require%20confidentiality&f=false has information on what the 4 settings *do*. Require Message Integrity requires a digital signature, which is *always* included in an Encrypted message. Require Confidentiality causes the system to require encryption, which is the same thing as Require 128-bit encryption. It's just that Confidentiality alone allows weaker encryption. NTLMv2 requires signing as well, so it includes the integrity requirement. You can set the two options for NTLMv2 session security and Require 128-bit security and achieve the same results as the two options that aren't available. Essentially, both options include the other two options. That's a big part of why they were eliminated. https://technet.microsoft.com/en-us/library/jj852240(v=ws.11).aspx Explains the settings.

Author Comment

by:Evan Cutler
ID: 41840644
ok, so to get this straight.
your suggesting that since NTLMv2 and 128-bit includes encryption and integrity, then asking for a policy change would be easier than a registry change to include them as part of the policy.  This is more implementation streamlining, then policy differences, yes?

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses
Course of the Month12 days, 15 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question