Re: Domain Local group and Require strong. GPO Problem

From: -Sari (Sari_at_discussions.microsoft.com)
Date: 11/05/04


Date: Fri, 5 Nov 2004 08:59:03 -0800

Steve,
Thanks for the reply. But I am still not clear about the relation between
the Domain Local group and the "Require Strong..." policy. If you disable this, we will
lose some kind of Windows 2003 Native functionality.

"Steven L Umbach" wrote:

> From what I know there should be no relationship to "Require Strong (windows
> 2000 or later) session key" settings and "Domain Local" group in a Windows
> 2000 domain. I would check Event Viewer on the server to see if any
> pertinent errors are recorded there and run the support tool netdiag on it
> to make sure it still has proper connectivity and active computer account in
> the domain. Also see the link below which shows some of the problems that
> can happen due to incompatible security option settings. I also pasted a
> definition of that security option and "potential impact" from the Threats
> and Countermeasures Security Guide. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
>
>
> Domain member: Require strong (Windows 2000 or later) session key
> The Domain member: Require strong (Windows 2000 or later) session key
> setting determines whether a secure channel can be established with a domain
> controller that is not capable of encrypting secure channel traffic with a
> strong, 128-bit, session key. Enabling this setting prevents establishing
> a secure channel with any domain controller that cannot encrypt secure
> channel data with a strong key. Disabling this setting allows 64-bit
> session keys.
>
> Note: To enable this setting on a member workstation or server, all domain
> controllers in the domain that the member belongs to must be capable of
> encrypting secure channel data with a strong, 128-bit, key. This means
> that all such domain controllers must be running Windows 2000 or later.
>
> The possible values for this Group Policy setting are:
>
> - Enabled
> - Disabled
> - Not defined
>
>
> Vulnerability
>
> Session keys used to establish secure channel communications between domain
> controllers and member computers are much stronger in Windows 2000 than they
> were in previous Microsoft operating systems.
>
> Whenever possible, you should take advantage of these stronger session keys
> to help protect secure channel communications from eavesdropping and session
> hijacking network attacks. Eavesdropping is a form of hacking in which
> network data is read or altered in transit. The data can be modified to hide
> or change the sender, or to redirect it.
>
> Countermeasure
>
> Set Domain member: Require strong (Windows 2000 or later) session key to
> Enabled.
>
> Enabling this setting ensures that all outgoing secure channel traffic will
> require a strong, Windows 2000 or later, encryption key. Disabling this
> setting means that the key strength is negotiated. Only enable
> this option if the domain controllers in all trusted domains support strong
> keys. By default, this value is disabled.
>
> Potential Impact
>
> You will not be able to join computers with this setting enabled to Windows
> NT 4.0 domains, nor will you be able to join computers that do not support
> this setting to domains where the domain controllers have this setting
> enabled.
>
> "-Sari" <Sari@discussions.microsoft.com> wrote in message
> news:4EF27AB9-2917-40D3-9C1B-B5E2C4B305D1@microsoft.com...
> > Our Windows 2003 AD domain is in native mode and we configured the following
> > GPO setting in the Domain Policy:
> >
> > Domain member: Require strong (Windows 2000 or later) session key
> >
> > We enabled this key. We configured our SQL server to use a "Domain Local"
> > group for all the permissions. Due to the trust requirement between the NT and
> > 2003 domains we were forced to change the "Require Strong (Windows 2000 or later)
> > session key" setting to disabled. Our SQL problem started from there. I cannot see
> > "Domain Local" groups from SQL Enterprise Manager. I can see only "Domain Global"
> > and "Universal" groups.
> >
> > My question is what is the relationship between the "Require Strong (Windows
> > 2000 or later) session key" setting and "Domain Local" groups?
> >
> > I checked the Forest and Domain functional levels. They are still in Windows
> > 2003 Native mode.
> >
> > Any help or reference would be greatly appreciated.
> >
>
>
>
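As an added example (not part of this thread, and not code from Microsoft), the PowerShell script below gathers on a domain member the facts Steve asks for: the effective value of the "Require strong (Windows 2000 or later) session key" policy, the state of the secure channel, recent Netlogon errors from the System log, and the domain local groups that LDAP actually returns, so the SQL Enterprise Manager view can be compared against what the directory holds. It assumes a current, domain-joined Windows host with PowerShell 5.1 or later, run elevated; the 2003-era netdiag tool is not present on current Windows, so nltest is used instead. The mapping of the Security Option to the Netlogon RequireStrongKey registry value and the groupType bit values are the documented ones, but verify them against your own domain before acting on the output.

```powershell
# Added example, not from the original thread. Audits the "Domain member:
# Require strong (Windows 2000 or later) session key" setting on a domain
# member and the health of its secure channel.
# Assumptions: domain-joined host, PowerShell 5.1+, elevated session.

# 1. Effective policy value. The Security Option is backed by the Netlogon
#    RequireStrongKey registry value: 1 = Enabled, 0 = Disabled, absent = Not defined.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$requireStrongKey = (Get-ItemProperty -Path $netlogon -Name RequireStrongKey `
    -ErrorAction SilentlyContinue).RequireStrongKey
switch ($requireStrongKey) {
    1       { 'RequireStrongKey: Enabled (128-bit session key required)' }
    0       { 'RequireStrongKey: Disabled (64-bit session keys accepted)' }
    default { 'RequireStrongKey: Not defined (default behaviour is Disabled)' }
}

# 2. Secure channel health. Test-ComputerSecureChannel returns $true when the
#    channel to a DC is established; nltest shows which DC it is bound to.
$channelOk = Test-ComputerSecureChannel
"Secure channel OK: $channelOk"
nltest /sc_query:$env:USERDOMAIN

# 3. Recent Netlogon errors and warnings, the Event Viewer check Steve suggested.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Level = 2, 3 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 4. Domain local groups as returned by LDAP, independent of any tool's filtering.
#    groupType bit 0x4 = domain local; the sign bit (0x80000000) = security-enabled;
#    bit 0x1 = built-in local group. The matching rule OID below is bitwise AND.
$searcher = [ADSISearcher]'(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=4))'
$searcher.PageSize = 500
$null = $searcher.PropertiesToLoad.AddRange(@('name', 'groupType'))
$searcher.FindAll() | ForEach-Object {
    $gt = [int]$_.Properties['grouptype'][0]   # stored as a signed 32-bit integer
    [pscustomobject]@{
        Name            = $_.Properties['name'][0]
        SecurityEnabled = ($gt -lt 0)           # sign bit set
        BuiltIn         = (($gt -band 1) -ne 0)
    }
}
```

If step 4 lists the domain local groups that Enterprise Manager does not show, the directory is fine and the problem is on the SQL side (for example, the account Enterprise Manager runs as, or the domain it enumerates); if step 2 fails or step 3 shows Netlogon errors, fix the secure channel first (Test-ComputerSecureChannel -Repair, or rejoin the domain) before looking at the group scope at all.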
