To increase security, Windows Server 2008–based domain controllers require (by default) that all clients attempting to authenticate to them perform Server Message Block (SMB) packet signing and secure channel signing. If your production environment includes clients that run platforms that do not support SMB packet signing (for example, Microsoft Windows NT® 4.0 with Service Pack 2 (SP2)) or if it includes clients that run platforms that do not support secure channel signing (for example, Windows NT 4.0 with Service Pack 3 (SP3)), you might have to modify default security policies to ensure that clients running older versions of the Windows operating system or non-Microsoft operating systems will be able to access domain resources in the new Windows Server 2008 domain.
Note: By modifying the settings of the default security policies, you are weakening the default security policies in your environment. Therefore, we recommend that you upgrade your Windows–based clients as soon as possible. After all clients in your environment are running versions of Windows that support SMB packet signing and secure channel signing, you can re-enable default security policies to increase security.
To configure a Windows Server 2008–based domain controller to not require SMB packet signing or secure channel signing, disable the following settings in the Default Domain Controllers Policy:
- Microsoft network server: Digitally sign communications (always)
- Domain member: Digitally encrypt or sign secure channel data (always)
Back up the Default Domain Controllers Policy Group Policy object (GPO) before you modify it. Use the Group Policy Management Console (GPMC) to back up the GPO so that it can be restored, if necessary.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To disable SMB packet signing enforcement on Windows Server 2008–based domain controllers
- To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.
- In the console tree, right-click Default Domain Controllers Policy in Domains\Current Domain Name\Group Policy objects\Default Domain Controllers Policy, and then click Edit.
- In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.
- In the details pane, double-click Microsoft network server: Digitally sign communications (always).
- Verify that the Define this policy setting check box is selected, click Disabled to prevent SMB packet signing from being required, and then click OK.
To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:
gpupdate /force
Note: Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that you make here will be replicated to all other domain controllers in the domain. Therefore, you only have to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To disable secure channel signing enforcement on Windows Server 2008–based domain controllers
- To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.
- In the console tree, right-click Default Domain Controllers Policy in Domains/Current Domain Name/Group Policy objects/Default Domain Controllers Policy, and then click Edit.
- In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.
- In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), click Disabled to prevent secure channel signing from being required, and then click OK.
To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:
gpupdate /force
Note: Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that you make here will be replicated to all other domain controllers in the domain. Therefore, you only have to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.
For more information about SMB packet signing and secure channel signing, see Appendix A: Background Information for Upgrading Active Directory Domains to Windows Server 2008 AD DS Domains.
By default, Windows Server 2008 domain controllers also prohibit clients running non-Microsoft operating systems or Windows NT 4.0 operating systems from establishing secure channels using weak Windows NT 4.0–style cryptographic algorithms. Any secure channel–dependent operation that is initiated by clients running older versions of the Windows operating system or non-Microsoft operating systems that do not support strong cryptographic algorithms will fail against a Windows Server 2008–based domain controller.
Until you are able to upgrade all of the clients in your infrastructure, you can temporarily relax this requirement by modifying the following default domain policy setting on your Windows Server 2008-based domain controllers:
- Allow cryptography algorithms compatible with Windows NT 4.0
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To allow cryptography algorithms that are compatible with Windows NT 4.0 on Windows Server 2008–based domain controllers
- To open the Group Policy Management Console (GPMC), click Start, click Run, type gpmc.msc, and then click OK.
- In the console tree, right-click Default Domain Controllers Policy in Domains/Current Domain Name/Group Policy objects/Default Domain Controllers Policy, and then click Edit.
- In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine/System/Net Logon.
- In the details pane, double-click Allow cryptography algorithms compatible with Windows NT 4.0, and then click Enabled.
Note: By default, the Not Configured option is selected, but, programmatically, after you upgrade a server to Windows Server 2008 domain controller status, this policy is set to Disabled.
To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:
gpupdate /force
Note: Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that are made here will be replicated to all other domain controllers in the domain. Therefore, you only have to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.
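The three procedures above relax settings that the note at the top of this page says should be re-enabled once legacy clients are gone. The following PowerShell audit script is an added example, not part of the Microsoft documentation; it reads the effective registry values on the domain controller that these three policies write to, so you can confirm after gpupdate that the relaxation took effect and, later, that every domain controller has been returned to the defaults. The registry paths and value names are assumptions based on the standard policy-to-registry mappings for these settings; run it elevated on each domain controller.

```powershell
# Added audit script (assumed registry mappings; not from the original page).
# Maps each policy discussed on this page to the registry value it controls
# and to the value that represents the hardened default on a 2008 DC.
$Checks = @(
    @{
        Policy   = 'Microsoft network server: Digitally sign communications (always)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Name     = 'RequireSecuritySignature'
        Hardened = 1   # 1 = SMB packet signing required
    },
    @{
        Policy   = 'Domain member: Digitally encrypt or sign secure channel data (always)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Name     = 'RequireSignOrSeal'
        Hardened = 1   # 1 = secure channel signing or sealing required
    },
    @{
        Policy   = 'Allow cryptography algorithms compatible with Windows NT 4.0'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Name     = 'AllowNT4Crypto'
        Hardened = 0   # 0 = NT 4.0-style algorithms refused
    }
)

function Get-LegacyCompatState {
    foreach ($c in $Checks) {
        # Missing value means the policy has never been applied on this host.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($c.Name) } else { $null }
        if ($null -eq $value)            { $state = 'NotSet' }
        elseif ($value -eq $c.Hardened)  { $state = 'Hardened' }
        else                             { $state = 'Relaxed' }
        [pscustomobject]@{
            Policy = $c.Policy
            Value  = $value
            State  = $state
        }
    }
}

$report = Get-LegacyCompatState
$report | Format-Table -AutoSize

# Non-zero exit code when any setting is still relaxed, so a scheduled task or
# monitoring job can flag domain controllers not yet returned to the defaults.
if ($report.State -contains 'Relaxed') { exit 1 } else { exit 0 }
```

Because the Default Domain Controllers Policy replicates to every domain controller, a "Relaxed" result on one domain controller and "Hardened" on another usually indicates a replication or gpupdate lag rather than a deliberate per-host difference.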
For more information, see Effects of netlogon cryptographic support changes in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=106380).