Modify Default Security Policies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To ensure that clients running older versions of the Windows operating system will be able to access domain resources in the new Windows Server 2003 domain, you might have to modify default security policies.

Important

  • Be aware that by modifying these policies you are weakening the default security policies in your environment. However, this is necessary to ensure that some clients running earlier versions of Windows will be able to access domain resources. After all clients in your environment are running versions of Windows that support SMB packet and secure channel signing, you can re-enable these security policies to increase security. It is recommended that you upgrade your Windows–based clients as soon as possible.

In order to increase security, Windows Server 2003–based domain controllers require by default that clients attempting to authenticate to them use SMB packet and secure channel signing. Clients running Windows 95 or Windows NT 4.0 with Service Pack 2 (SP2) and earlier without the Directory Service Client Pack do not support SMB packet signing and will not be able to log on or access domain resources on the network. Clients running Windows NT 4.0 with Service Pack 3 (SP3) and earlier do not support secure channel signing and will not be able to establish communications with a domain controller in their domain.

The most secure way to enable these clients to log on and access domain resources on the network is to apply the appropriate service pack or the Directory Service Client Pack. If you cannot apply the most recent service pack or the Directory Service Client Pack, configure all Windows Server 2003–based domain controllers to not require SMB packet signing or secure channel signing by disabling the following settings in the Default Domain Controllers Policy:

  • Microsoft network server: Digitally sign communications (always)

  • Domain member: Digitally encrypt or sign secure channel data (always)

Back up the Default Domain Controllers Policy Group Policy object before modifying it. Use the Group Policy Management Console (GPMC) to back up the Group Policy object so that it can be restored if necessary. The Group Policy Management Console (GPMC) is a tool that permits you to manage Group Policy for multiple domains and sites in one or more forests. GPMC is the recommended method for managing Group Policy; however, this chapter does not assume that you are using GPMC for security policy management and deployment.

GPMC is not included with Windows Server 2003. To obtain GPMC, see the Group Policy Management Console (GPMC) link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

To disable SMB packet and secure channel signing enforcement on Windows Server 2003–based domain controllers

  1. Open Active Directory Users and Computers, right-click the Domain Controllers container, and then click Properties.

  2. Click the Group Policy tab, and then click Edit.

  3. Under Computer Configuration, go to the Windows Settings\Security Settings\Local Policies\Security Options folder.

  4. In the details pane, double-click Microsoft network server: Digitally sign communications (always), and then click Disabled to prevent SMB packet signing from being required.

  5. Click OK.

  6. In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), and then click Disabled to prevent secure channel signing from being required.

  7. Click OK.

To apply the Group Policy change immediately, either restart the domain controller, or type gpupdate /force at a command line, and then press ENTER.
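The following script is an added example, not part of this chapter or of any Microsoft tool: run it on each domain controller after the policy has been refreshed to confirm which of the two signing requirements is currently in effect. It reads the registry values that back the two Security Options (RequireSecuritySignature for the LanmanServer service and RequireSignOrSeal for the Netlogon service) and assumes Windows PowerShell 2.0 or later is installed on the domain controller.

```powershell
# Added example (not from the original chapter): report whether this domain
# controller still requires SMB packet signing and secure channel signing.
# Each entry maps a Security Options policy name to the registry value that
# the Default Domain Controllers Policy writes when the setting is applied.
$checks = @(
    @{
        Policy = 'Microsoft network server: Digitally sign communications (always)'
        Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Name   = 'RequireSecuritySignature'
    },
    @{
        Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
        Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Name   = 'RequireSignOrSeal'
    }
)

function Get-SigningState {
    param([hashtable]$Check)

    # A missing value means no policy has written the setting yet (for example,
    # gpupdate /force has not run); 1 means signing is required, 0 means it is not.
    $item  = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($Check.Name) } else { $null }

    if ($null -eq $value) {
        $state = 'Not set in registry (policy not yet applied; OS default applies)'
    } elseif ($value -eq 1) {
        $state = 'Enabled (signing required; down-level clients cannot authenticate)'
    } else {
        $state = 'Disabled (signing not required; down-level compatibility mode)'
    }

    New-Object PSObject -Property @{
        Policy        = $Check.Policy
        RegistryValue = $value
        State         = $state
    }
}

# Print one row per policy so the result can be compared across all domain
# controllers; re-run after re-enabling the policies to confirm the change.
$checks | ForEach-Object { Get-SigningState -Check $_ } |
    Select-Object Policy, RegistryValue, State |
    Format-Table -AutoSize -Wrap
```

Because the Default Domain Controllers Policy replicates to every domain controller, running this on each one is a quick way to confirm that replication and policy refresh have completed rather than relying on the change having been made on a single server.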

Note

  • Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes made here will be replicated to all other domain controllers in the domain, so you only need to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.

For more information about SMB packet signing and secure channel signing, see "Background Information for Upgrading Windows 2000 Domains to Windows Server 2003 Domains" earlier in this chapter.

For more information about security policies, see "Security Setting Descriptions" on the Microsoft Web site.

For more information about managing and deploying security policies and the Group Policy Management Console (GPMC), see "Deploying Security Policy" in Designing a Managed Environment in this kit.