Modify Security Policies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To ensure that clients running earlier versions of the Windows operating system can access domain resources in the new Windows Server 2003 domain, you might have to modify default security policies.

To increase security, Windows Server 2003–based domain controllers require by default that clients attempting to authenticate to them use SMB packet signing and secure channel signing. Clients running the Windows 95 operating system without the Directory Service Client Pack, or Windows NT 4.0 with Service Pack 2 and earlier, do not support SMB packet signing and will not be able to log on or access domain resources on the network. Clients running Windows NT 4.0 with Service Pack 3 and earlier do not support secure channel signing and will not be able to establish communications with a domain controller in their domain.

The most secure way to enable these clients to log on and access domain resources on the network is to apply either the appropriate service pack or the Directory Service Client Pack. If you cannot apply either of these, configure all Windows Server 2003–based domain controllers to not require SMB packet signing and secure channel signing. To do this, disable the following settings in the Default Domain Controllers Policy:

  • Microsoft network server: Digitally sign communications (always)

  • Domain member: Digitally encrypt or sign secure channel data (always)

Important

  • If you modify these policies, the default security policies in your environment are weakened. However, this is necessary to ensure that some clients running earlier versions of Windows can access domain resources. After all the clients in your environment are running versions of Windows that support SMB packet and secure channel signing, you can re-enable these security policies to increase security. It is recommended that you upgrade your Windows clients as soon as possible.

To make SMB packet and secure channel signing optional on Windows Server 2003–based domain controllers

  1. Open Active Directory Users and Computers, right-click the Domain Controllers container, and then click Properties.

  2. Select the Group Policy tab, and then click Edit.

  3. Under Computer Configuration, navigate to Windows Settings\Security Settings\Local Policies\Security Options.

  4. In the details pane, double-click Microsoft network server: Digitally sign communications (always) and then click Disabled to prevent SMB packet signing from being required.

  5. Click OK.

  6. In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), click Disabled to prevent secure channel signing from being required, and then click OK.

  7. To apply the Group Policy change immediately, either restart the domain controller, or run the gpupdate /force command.
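After the policy has been applied, an administrator usually wants to confirm on each domain controller which state the two settings are actually in, and later to confirm that they have been re-enabled once the legacy clients are gone. The following PowerShell script is an added example, not part of the original documentation; it reads the registry values that back the two Security Options named above (RequireSecuritySignature under LanmanServer and RequireSignOrSeal under Netlogon) and reports whether each domain controller still requires signing. The function name and the assumption that the Remote Registry service is reachable on the target domain controllers are this example's own.

```powershell
# Added verification script (not from the original Microsoft documentation).
# Reads the registry values behind the two Security Options changed in the
# procedure above and reports, per domain controller, whether SMB packet
# signing and secure channel signing are still required.
function Get-SigningPolicyStatus {
    param(
        # Domain controllers to check; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Policy display name -> backing registry value. 1 = enabled (signing
    # required), 0 = disabled (signing optional), missing = OS default applies.
    $policies = @(
        @{ Name  = 'Microsoft network server: Digitally sign communications (always)'
           Key   = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Value = 'RequireSecuritySignature' },
        @{ Name  = 'Domain member: Digitally encrypt or sign secure channel data (always)'
           Key   = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Value = 'RequireSignOrSeal' }
    )

    foreach ($dc in $ComputerName) {
        # Assumption: Remote Registry is running on $dc and the caller is an admin.
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
        foreach ($p in $policies) {
            $subKey = $hive.OpenSubKey($p.Key)
            $data = if ($subKey) { $subKey.GetValue($p.Value, $null) } else { $null }

            if ($null -eq $data)   { $state = 'Not set (OS default applies)' }
            elseif ($data -eq 1)   { $state = 'Required (policy enabled)' }
            elseif ($data -eq 0)   { $state = 'Optional (policy disabled, weakened state)' }
            else                   { $state = "Unexpected value $data" }

            [pscustomobject]@{
                DomainController = $dc
                Policy           = $p.Name
                RegistryValue    = "HKLM\$($p.Key)\$($p.Value)"
                State            = $state
            }
        }
        $hive.Close()
    }
}

# Usage: check the local domain controller after gpupdate /force has run.
Get-SigningPolicyStatus | Format-Table -AutoSize
```

Run it against every domain controller in the domain (for example by passing the output of a directory query to -ComputerName) so that a machine that has not yet received the replicated policy is not mistaken for one that has.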

Note

  • Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that are made here are replicated to all other domain controllers in the domain, requiring you to modify these policies only one time.

For more information about SMB packet signing and secure channel signing, see "Background Information for Upgrading to Windows Server 2003 Active Directory" earlier in this chapter.

For more information about security policies, see "Security Options" on the Microsoft Web site.