Re: kerberos!

From: Rick Bertolett (Richard.Bertolett_at_CI.AUSTIN.TX.US)
Date: 09/10/04

Date: Fri, 10 Sep 2004 08:49:08 -0500

Thanks for the common sense perspective on this issue. It hits me a bit
close to the heart insofar as it ties into the Computer/Domain "Restrict
Anonymous" security settings.

My own experience is with a native-mode Windows 2000 domain, albeit with
Windows NT 4.0 SP6a clients. Budgetary concerns prevent quick migration
away from these downlevel clients, alas. When I implemented this domain, I
initially set "Restrict Anonymous" to 2 (no access without explicit
permissions) and the NTLM authentication level to 4 (NTLMv2 only), as it was
recommended as a "best practice" in securing a domain. Unfortunately, all
of the NT4 clients then would randomly "fall off" the domain, and users were
unable to log in, because the NT4 boxes could not initiate a secure channel
connection to authenticate the machine account. This is bad.

I had to back off the "Restrict Anonymous" setting to 0, and the NTLM
authentication to 2, per various MS KB articles. This solved the issue and
stabilized my domain, but at a cost to security.

I offer this as one exception to your position regarding legacy support. I
agree with Microsoft's practice of supporting downlevel clients (even beyond
the useful life of the OS) because some of us simply cannot upgrade quickly.
Sometimes this process takes years, I am sorry to say. I would agree with a
"default" security setting that was as strong as possible, with a downlevel
client upgrade to support more secure systems. Absent that, then at the
very least we need detailed configuration directions on how to back down
each setting to accommodate each downlevel client.

One of the Microsoft publications that has helped me the most has been the
Windows 2000 Hardening Guide. That, in addition to study of Hacking Exposed,
enables a good start on Windows domain security plans.

Thanks for the bandwidth,
Rick Bertolett
Austin Water Utility
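
The two LSA settings the post trades off (RestrictAnonymous and the NTLM authentication level, stored as LmCompatibilityLevel) can be audited on a Windows host with the script below. This is an added example, not code from the post or from Microsoft; it assumes an elevated PowerShell session, that the values live under the standard Lsa key, and that a secure-channel failure of the kind described shows up as Netlogon event 5719 in the System log.

```powershell
# Added example: report the LSA authentication posture of this host and
# whether it matches the combination the post reports as breaking NT4 SP6a
# secure-channel setup (RestrictAnonymous=2, LmCompatibilityLevel=4).
function Get-LsaAuthPosture {
    param(
        # Assumption: values are under the standard LSA key (default below)
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )
    $lsa = Get-ItemProperty -Path $Path

    # Documented meanings of LmCompatibilityLevel (0-5)
    $lmLevels = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 only; DC refuses LM'
        5 = 'Send NTLMv2 only; DC refuses LM and NTLM'
    }
    # Documented meanings of RestrictAnonymous (Windows 2000 values 0-2)
    $raLevels = @{
        0 = 'Rely on default permissions'
        1 = 'Do not allow enumeration of SAM accounts and names'
        2 = 'No access without explicit anonymous permissions'
    }

    # A missing value means the OS default applies; report it as 0
    $lm = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 0 }
    $ra = if ($null -ne $lsa.RestrictAnonymous)    { [int]$lsa.RestrictAnonymous }    else { 0 }

    # Symptom check: Netlogon 5719 is logged when a machine cannot set up a
    # secure session with a DC (the "fell off the domain" behaviour above).
    $secureChannelFailures = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5719
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        LmCompatibilityLevel   = $lm
        LmMeaning              = $lmLevels[$lm]
        RestrictAnonymous      = $ra
        RaMeaning              = $raLevels[$ra]
        # Thresholds mirror the post: RA>=2 or LM>=4 broke NT4 SP6a clients
        NT4SecureChannelRisk   = ($ra -ge 2 -or $lm -ge 4)
        Netlogon5719Last7Days  = $secureChannelFailures
    }
}

Get-LsaAuthPosture | Format-List
```

A non-zero Netlogon5719Last7Days count alongside NT4SecureChannelRisk set to True is the pattern to look for before backing a setting down; a zero count with the hardened values means the remaining clients are coping.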

