RE: RE: ADS Password Storage Protection
- From: "Roger A. Grimes" <roger@xxxxxxxxxxxxxx>
- Date: Fri, 28 Jul 2006 12:36:37 -0400
GPO-based password polices can only be applied at Domain-level GPOs, and
work against domain accounts. They can be applied elsewhere, but they
don't work.
Roger
*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes@xxxxxxxxxxxxx or roger@xxxxxxxxxxxxxx
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************
-----Original Message-----
From: e.m.baechle@xxxxxxxx [mailto:e.m.baechle@xxxxxxxx]
Sent: Thursday, July 27, 2006 3:11 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: RE: ADS Password Storage Protection
Rolando,
You can divide up the settings if you want, but the easiest method is to
apply GPO's with these settings to both the DCs and the Workstations.
Establishing the settings for workstations is especially important in
cases where they are laptops operated either in a local-authentication
mode or disconnected from the domain.
In any case you'll want to disable the storage of LM Hash on both the
workstations and the DCs and establish NTLMv2 as the communication
protocol of choice on both sets of systems (otherwise you may not
connect, or experience long authentication delays while the workstations
and DCs negotiate the communication settings).
Sincerely,
Eric B.
------------------------------------------------------------------------
---
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience.
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
- References:
- Re: RE: ADS Password Storage Protection
- From: e . m . baechle
- Re: RE: ADS Password Storage Protection
- Prev by Date: RE: ADS Password Storage Protection
- Next by Date: lock down personal Win XP workstation
- Previous by thread: Re: RE: ADS Password Storage Protection
- Next by thread: New rootkit detection tool
- Index(es):
Relevant Pages
|
