Re: Domain Local group and Require strong. GPO Problem
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 11/06/04
Date: Sat, 6 Nov 2004 01:03:44 -0700
Like Steve, I believe that you are associating these due to
their occurrence in time, rather than due to any intrinsic
relation between them. AFAIK and can imagine, reducing
the strength of the session keying should not make the DL
groups and only the DL groups disappear. IOW it seems
that you have something else going on.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"-Sari" <Sari@discussions.microsoft.com> wrote in message
news:97BB4607-8B55-4F19-84B8-A0E9F25FD88A@microsoft.com...
> Steve,
> Thanks for the reply. But I am still not clear about the relation between
> Domain Local Group and Require Strong.. policy. If you disable this, we will
> lose some kind of Windows 2003 Native functionality.
>
> "Steven L Umbach" wrote:
>
> > From what I know there should be no relationship to "Require Strong (windows
> > 2000 or later) session key" settings and "Domain Local" group in a Windows
> > 2000 domain. I would check Event Viewer on the server to see if any
> > pertinent errors are recorded there and run the support tool netdiag on it
> > to make sure it still has proper connectivity and active computer account in
> > the domain. Also see the link below which shows some of the problems that
> > can happen due to incompatible security option settings. I also pasted a
> > definition of that security option and "potential impact" from the Threats
> > and Countermeasures Security Guide. --- Steve
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
> >
> > Domain member: Require strong (Windows 2000 or later) session key
> >
> > The Domain member: Require strong (Windows 2000 or later) session key
> > setting determines whether a secure channel can be established with a domain
> > controller that is not capable of encrypting secure channel traffic with a
> > strong, 128-bit, session key. Enabling this setting prevents establishing
> > a secure channel with any domain controller that cannot encrypt secure
> > channel data with a strong key. Disabling this setting allows 64-bit
> > session keys.
> >
> > Note: To enable this setting on a member workstation or server, all domain
> > controllers in the domain that the member belongs to must be capable of
> > encrypting secure channel data with a strong, 128-bit, key. This means
> > that all such domain controllers must be running Windows 2000 or later
> >
> > The possible values for this Group Policy setting are:
> >
> > - Enabled
> > - Disabled
> > - Not defined
> >
> > Vulnerability
> >
> > Session keys used to establish secure channel communications between domain
> > controllers and member computers are much stronger in Windows 2000 than they
> > were in previous Microsoft operating systems.
> >
> > Whenever possible, you should take advantage of these stronger session keys
> > to help protect secure channel communications from eavesdropping and session
> > hijacking network attacks. Eavesdropping is a form of hacking in which
> > network data is read or altered in transit. The data can be modified to hide
> > or change the sender, or to redirect it.
> >
> > Countermeasure
> >
> > Set Domain member: Require strong (Windows 2000 or later) session key to
> > Enabled.
> >
> > Enabling this setting ensures that all outgoing secure channel traffic will
> > require a strong, Windows 2000 or later, encryption key. Disabling this
> > setting requires negotiating the key strength is negotiated. Only enable
> > this option if the domain controllers in all trusted domains support strong
> > keys. By default, this value is disabled.
> >
> > Potential Impact
> >
> > You will not be able to join computers with this setting enabled to Windows
> > NT 4.0 domains, nor will you be able to join computers that do not support
> > this setting to domains where the domain controllers have this setting
> > enabled.
> >
> > "-Sari" <Sari@discussions.microsoft.com> wrote in message
> > news:4EF27AB9-2917-40D3-9C1B-B5E2C4B305D1@microsoft.com...
> > > Our windows 2003 AD domain is in native mode and we configured the
> > > following GPO settings in the Domain Policy
> > >
> > > Domain member: Require strong (Windows 2000 or later) session key
> > >
> > > We enabled this key. We configured our SQL server to use a "Domain Local"
> > > group for all the permissions. Due to the trust requirement between NT and
> > > 2003 domain we were forced to change the "Require Strong (windows 2000 or
> > > later) session key" to disabled. Our SQL problem started from there. I
> > > cannot see "Domain local" group from SQL Enterprise manager. I can see
> > > only "Domain Global" and "Universal" groups.
> > >
> > > My question is what is the relationship between "Require Strong (windows
> > > 2000 or later) session key" settings and "Domain Local" group?
> > >
> > > I checked the Forest and Domain functional levels. It is still in Windows
> > > 2003 Native mode.
> > >
> > > Any help or reference would be greatly appreciated.
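
The checks suggested in the thread (confirm how the session-key option is actually set on the member server, confirm its secure channel to the domain is intact, and look for related errors in Event Viewer) can be scripted on a current Windows system. The following is an added example, not part of the original messages. It assumes Windows PowerShell 5.1 run elevated on the domain member, uses `Test-ComputerSecureChannel` in place of the older `netdiag` support tool, and reads `RequireStrongKey`, the Netlogon registry value that backs this security option.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1,
# elevated, on the domain member being investigated.
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-StrongKeyPolicy {
    # RequireStrongKey backs "Domain member: Require strong (Windows 2000
    # or later) session key": 1 = Enabled, 0 = Disabled, absent = Not defined.
    $p = Get-ItemProperty -Path $netlogonKey -Name RequireStrongKey `
                          -ErrorAction SilentlyContinue
    if ($null -eq $p)              { return 'Not defined (OS default applies)' }
    if ($p.RequireStrongKey -eq 1) { return 'Enabled' }
    return 'Disabled'
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning 'This computer is not joined to a domain; nothing to check.'
    return
}

# Effective setting plus the state of the machine's secure channel,
# i.e. whether the computer account is still valid in the domain.
[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    Domain               = $cs.Domain
    RequireStrongKey     = Get-StrongKeyPolicy
    SecureChannelHealthy = Test-ComputerSecureChannel
} | Format-List

# Recent Netlogon errors (level 2) and warnings (level 3) in the System log,
# the "pertinent errors" to look for in Event Viewer.
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Level        = 2, 3
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

A healthy secure channel together with a `Disabled` value and no Netlogon errors would support the view in the replies that the missing Domain Local groups have a different cause.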