From: Rick Bertolett (Richard.Bertolett_at_CI.AUSTIN.TX.US)
Date: Fri, 10 Sep 2004 08:49:08 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Thanks for the common sense perspective on this issue. It hits me a bit
close to the heart insofar as it ties into the Computer/Domain "Restrict
Anonymous" security settings.
My own experience is with a native-mode Windows 2000 domain, albeit with
Windows NT 4.0 SP6a clients. Budgetary concerns prevent quick migration
away from these downlevel clients, alas. When I implemented this domain, I
initially set "Restrict Anonymous" to 2 (no access without explicit
permissions) and the NTLM authentication level to 4 (NTLMv2 only), as it was
recommended as a "best practice" in securing a domain. Unfortunately, all
of the NT4 clients then would randomly "fall off" the domain, and users were
unable to log in, because the NT4 boxes could not initiate a secure channel
connection to authenticate the machine account. This is bad.
I had to back off the "Restrict Anonymous" setting to 0, and the NTLM
authentication level to 2, per various MS KB articles; this solved the issue and
stabilized my domain, but at a cost to security.
I offer this as one exception to your position regarding legacy support. I
agree with Microsoft's practice of supporting downlevel clients (even beyond
the useful life of the OS) because some of us simply cannot upgrade quickly.
Sometimes this process takes years, I am sorry to say. I would agree with a
"default" security setting that was as strong as possible, with a downlevel
client upgrade to support more secure systems. Absent that, then at the
very least we need detailed configuration directions on how to back down
each setting to accommodate which downlevel client.
One of the Microsoft publications that has helped me the most has been the
Windows 2000 Hardening Guide. That in addition to study of Hacking Exposed
enables a good start on Windows domain security plans.
Thanks for the bandwidth,
Austin Water Utility
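The two settings the poster is trading off live as registry values under the Lsa key, and an administrator who is backing them down for downlevel clients usually wants to see, on each domain controller, exactly which posture is in effect. The script below is an added example, not code from the poster or from Microsoft. It reads RestrictAnonymous and LmCompatibilityLevel from HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the standard locations for these two policy settings; a missing value means the default of 0) and reports whether the host is at the hardened pair the poster tried first (2 / 4), the compatibility pair he fell back to (0 / 2), or something else. The function name Get-LsaAuthPosture and the posture labels are this example's own inventions.

```powershell
# Added example: audit the two Lsa settings discussed in the post.
# Assumes PowerShell with the HKLM: drive (any supported Windows host).
function Get-LsaAuthPosture {
    param(
        # Optional remote host; uses Invoke-Command (WinRM) when supplied.
        [string]$ComputerName
    )

    $read = {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $props = Get-ItemProperty -Path $key -ErrorAction Stop
        # Absent value => Windows default of 0 for both settings.
        [pscustomobject]@{
            RestrictAnonymous    = if ($null -ne $props.RestrictAnonymous) { [int]$props.RestrictAnonymous } else { 0 }
            LmCompatibilityLevel = if ($null -ne $props.LmCompatibilityLevel) { [int]$props.LmCompatibilityLevel } else { 0 }
        }
    }

    $values = if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $read
    } else {
        & $read
    }

    # Documented meanings of LmCompatibilityLevel 0-5 (client send / server accept).
    $lmMeaning = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 only; refuse LM'
        5 = 'Send NTLMv2 only; refuse LM & NTLM'
    }
    $raMeaning = @{
        0 = 'Rely on default permissions'
        1 = 'Do not allow enumeration of SAM accounts and names'
        2 = 'No access without explicit anonymous permissions'
    }

    # Posture labels are this example's own classification of the two
    # combinations described in the post.
    $posture = switch ("$($values.RestrictAnonymous)/$($values.LmCompatibilityLevel)") {
        '2/4'   { 'Hardened (post: broke NT4 SP6a secure channel)' }
        '0/2'   { 'Compatibility (post: fallback that stabilized NT4 clients)' }
        default { 'Custom: compare against your downlevel client matrix' }
    }

    [pscustomobject]@{
        Computer                 = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        RestrictAnonymous        = $values.RestrictAnonymous
        RestrictAnonymousMeaning = $raMeaning[$values.RestrictAnonymous]
        LmCompatibilityLevel     = $values.LmCompatibilityLevel
        LmCompatibilityMeaning   = $lmMeaning[$values.LmCompatibilityLevel]
        Posture                  = $posture
    }
}

# Usage: local host, then every DC in the domain (ActiveDirectory module assumed).
Get-LsaAuthPosture | Format-List
# Get-ADDomainController -Filter * | ForEach-Object { Get-LsaAuthPosture -ComputerName $_.HostName }
```

Running this across all domain controllers before a change to either value gives a baseline to restore from, which is the kind of "detailed configuration directions" the poster asks for: the values are per-host, so one DC left at 2 / 4 after the others were backed off will reproduce the intermittent secure-channel failures he describes.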