Re: Domain Local group and Require strong. GPO Problem

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 11/06/04

    Date: Sat, 6 Nov 2004 01:03:44 -0700
    
    

    Like Steve, I believe that you are associating these due to
    their occurrence in time, rather than due to any intrinsic
    relation between them. AFAIK and can imagine, reducing
    the strength of the session keying should not make the DL
    groups and only the DL groups disappear. IOW it seems
    that you have something else going on.

    -- 
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCSE (W2k3,W2k,Nt4)  MCDBA
    "-Sari" <Sari@discussions.microsoft.com> wrote in message
    news:97BB4607-8B55-4F19-84B8-A0E9F25FD88A@microsoft.com...
    > Steve,
    > Thanks for the reply.  But I am still not clear about the relation between
    > Domain Local Group and Require Strong.. policy..If you disable this, we will
    > lose some kind of Windows 2003 Native functionality.
    >
    > "Steven L Umbach" wrote:
    >
    > > From what I know there should be no relationship to "Require Strong (Windows
    > > 2000 or later) session key" settings and "Domain Local" group in a Windows
    > > 2000 domain. I would check Event Viewer on the server to see if any
    > > pertinent errors are recorded there and run the support tool netdiag on it
    > > to make sure it still has proper connectivity and active computer account in
    > > the domain. Also see the link below which shows some of the problems that
    > > can happen due to incompatible security option settings.  I also pasted a
    > > definition of that security option and "potential impact" from the Threats
    > > and Countermeasures Security Guide. --- Steve
    > >
    > > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
    > >
    > >
    > > Domain member: Require strong (Windows 2000 or later) session key
    > > The Domain member: Require strong (Windows 2000 or later) session key
    > > setting determines whether a secure channel can be established with a domain
    > > controller that is not capable of encrypting secure channel traffic with a
    > > strong, 128-bit, session key. Enabling this setting prevents establishing
    > > a secure channel with any domain controller that cannot encrypt secure
    > > channel data with a strong key. Disabling this setting allows 64-bit
    > > session keys.
    > >
    > > Note: To enable this setting on a member workstation or server, all domain
    > > controllers in the domain that the member belongs to must be capable of
    > > encrypting secure channel data with a strong, 128-bit, key. This means
    > > that all such domain controllers must be running Windows 2000 or later.
    > >
    > > The possible values for this Group Policy setting are:
    > >
    > >       - Enabled
    > >
    > >       - Disabled
    > >
    > >       - Not defined
    > >
    > >
    > > Vulnerability
    > >
    > > Session keys used to establish secure channel communications between domain
    > > controllers and member computers are much stronger in Windows 2000 than they
    > > were in previous Microsoft operating systems.
    > >
    > > Whenever possible, you should take advantage of these stronger session keys
    > > to help protect secure channel communications from eavesdropping and session
    > > hijacking network attacks. Eavesdropping is a form of hacking in which
    > > network data is read or altered in transit. The data can be modified to hide
    > > or change the sender, or to redirect it.
    > >
    > > Countermeasure
    > >
    > > Set Domain member: Require strong (Windows 2000 or later) session key to
    > > Enabled.
    > >
    > > Enabling this setting ensures that all outgoing secure channel traffic will
    > > require a strong, Windows 2000 or later, encryption key. Disabling this
    > > setting requires that the key strength be negotiated. Only enable
    > > this option if the domain controllers in all trusted domains support strong
    > > keys. By default, this value is disabled.
    > >
    > > Potential Impact
    > >
    > > You will not be able to join computers with this setting enabled to Windows
    > > NT 4.0 domains, nor will you be able to join computers that do not support
    > > this setting to domains where the domain controllers have this setting
    > > enabled.
    > >
    > > "-Sari" <Sari@discussions.microsoft.com> wrote in message
    > > news:4EF27AB9-2917-40D3-9C1B-B5E2C4B305D1@microsoft.com...
    > > > Our Windows 2003 AD domain is in native mode and we configured the
    > > > following GPO settings in the Domain Policy
    > > >
    > > > Domain member: Require strong (Windows 2000 or later) session key
    > > >
    > > > We enabled this key.  We configured our SQL server to use a "Domain Local"
    > > > group for all the permissions.  Due to the trust requirement between NT and
    > > > 2003 domain we were forced to change the "Require Strong (Windows 2000 or later)
    > > > session key" to disabled.  Our SQL problem started from there.  I cannot see
    > > > "Domain local" group from SQL Enterprise manager.  I can see only "Domain Global"
    > > > and "Universal" groups.
    > > >
    > > > My question is what is the relationship between "Require Strong (Windows
    > > > 2000 or later) session key" settings and "Domain Local" group?
    > > >
    > > > I checked the Forest and Domain functional levels.  It is still in Windows
    > > > 2003 Native mode.
    > > >
    > > > Any help or reference would be greatly appreciated.
    > > >
    > >
    > >
    > >
    
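The checks Steve recommends (the effective state of the "Require strong session key" setting, the member's secure channel, and Netlogon errors in Event Viewer) can be run from one PowerShell session on the affected member; this is an added example, not code from the thread. It assumes the policy is backed by the REG_DWORD RequireStrongKey under the Netlogon Parameters key and that Netlogon writes to the System log under the provider name NETLOGON.

```powershell
# Added example (not from the thread): audit "Domain member: Require strong
# (Windows 2000 or later) session key" and the secure channel it governs.
# Assumptions: the policy is backed by RequireStrongKey (REG_DWORD) under
# HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, and Netlogon
# events appear in the System log under the provider name "NETLOGON".
# Run in an elevated PowerShell session on the domain member (e.g. the SQL server).

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Effective value of the setting: 1 = Enabled (only 128-bit session keys),
#    0 = Disabled (64-bit keys accepted, needed for NT 4.0 interoperability),
#    absent = Not defined, so the Windows default of Disabled applies.
$strong = (Get-ItemProperty -Path $params -Name RequireStrongKey `
           -ErrorAction SilentlyContinue).RequireStrongKey
switch ($strong) {
    1       { 'RequireStrongKey = 1  -> only 128-bit secure channel keys' }
    0       { 'RequireStrongKey = 0  -> 64-bit keys allowed (NT 4.0 interop)' }
    default { 'RequireStrongKey not set -> Not defined, default (Disabled) applies' }
}

# Related Netlogon secure channel values, shown for context.
Get-ItemProperty -Path $params |
    Select-Object RequireSignOrSeal, SealSecureChannel, SignSecureChannel

# 2. Is the secure channel to a DC healthy? This is what Steve suggests
#    verifying with netdiag; Test-ComputerSecureChannel is the built-in
#    equivalent (re-run with -Repair to reset the computer account password
#    if it returns $false).
$channel = Test-ComputerSecureChannel -Verbose
"Secure channel OK: $channel"

# 3. Recent Netlogon errors (trust, DC reachability, session key negotiation)
#    from the System log, the other place Steve suggests looking.
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='NETLOGON'; Level=2} `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

The registry value reflects what Group Policy has actually applied, so run gpupdate first if the setting was just changed in the Domain Policy.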
