Windows Server 2000/2003 Thread: GPO "Security Options" (Technical)
#1 (Jollity): GPO "Security Options"

    I have been reviewing our GPO settings in the category: Security Settings\Local Policies\Security Options. Some of them were lowered for compatibility with Windows 98 clients, now long gone, and the defaults do not seem that secure.

    I have found this Microsoft Support Article useful, but I wondered if anyone had any warnings of compatibility or performance issues caused by raising the settings.

    I am thinking it would be a good idea to force traffic to be signed, that is turning on:
    Digitally encrypt or sign secure channel data (always)
    Microsoft network client: Digitally sign communications (always)
    Microsoft network server: Digitally sign communications (always)
    Require strong (Windows 2000 or later) session key
    Though I don't know that man-in-the-middle attacks are that likely in our environment, and there are warnings of a 15% performance hit. For the last setting the article I cite above says "Enabling the Domain member: Require strong (Windows 2000 or later) session key setting is a harmful configuration setting.", but then appears to spend the rest of the section saying what a good idea it is to set it unless you have Windows NT on your network.

    I am also thinking it would be a good idea to disable all the anonymous access options.
    Network access: Allow anonymous SID/Name translation - thinking disable
    Network access: Do not allow anonymous enumeration of SAM accounts and shares - thinking enable

    Thoughts? What do you have set?
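
Each of the settings listed in the post is backed by a value on the domain member itself, so the effective state can be read on a client or server without opening the GPO editor. The PowerShell audit below is an added example, not from the thread or from Microsoft's article. It assumes the policy-to-registry mappings shown in the `$checks` table (RequireSignOrSeal and RequireStrongKey under Netlogon, RequireSecuritySignature under LanmanWorkstation and LanmanServer, RestrictAnonymous under Lsa); "Allow anonymous SID/Name translation" has no registry value, so it is read from a `secedit /export` of the local security policy instead.

```powershell
# Added example (not from the thread): audit the effective value of the
# Security Options settings discussed above on the local machine.
# Run elevated: Get-ItemProperty needs no elevation, but secedit /export does.
# Assumption: the registry paths below are the documented backing values
# for these policy settings.

$checks = @(
    @{ Setting = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Key = 'RequireSignOrSeal'; Want = 1 },
    @{ Setting = 'Domain member: Require strong (Windows 2000 or later) session key'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Key = 'RequireStrongKey'; Want = 1 },
    @{ Setting = 'Microsoft network client: Digitally sign communications (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Key = 'RequireSecuritySignature'; Want = 1 },
    @{ Setting = 'Microsoft network server: Digitally sign communications (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key = 'RequireSecuritySignature'; Want = 1 },
    @{ Setting = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key = 'RestrictAnonymous'; Want = 1 }
)

function Get-EffectiveValue {
    param([string]$Path, [string]$Key)
    try   { (Get-ItemProperty -Path $Path -Name $Key -ErrorAction Stop).$Key }
    catch { $null }   # value absent: policy Not Defined, the Windows default applies
}

function New-Result {
    param([string]$Setting, $Actual, [bool]$Ok)
    New-Object PSObject -Property @{
        Setting = $Setting
        Actual  = if ($null -eq $Actual) { '(not set)' } else { $Actual }
        Status  = if ($Ok) { 'OK' } else { 'WEAK' }
    } | Select-Object Setting, Actual, Status
}

$results = @()
foreach ($c in $checks) {
    $actual = Get-EffectiveValue -Path $c.Path -Key $c.Key
    $results += New-Result -Setting $c.Setting -Actual $actual -Ok ($actual -eq $c.Want)
}

# "Allow anonymous SID/Name translation" lives in the LSA policy, not the registry:
# export the local policy and read LSAAnonymousNameLookup (0 = disabled, the secure value).
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf | Out-Null
$m = Select-String -Path $inf -Pattern '^LSAAnonymousNameLookup\s*=\s*(\d)' | Select-Object -First 1
$lookup = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { $null }
Remove-Item $inf -ErrorAction SilentlyContinue
$results += New-Result -Setting 'Network access: Allow anonymous SID/Name translation' `
                       -Actual $lookup -Ok ($lookup -eq 0)

$results | Format-Table -AutoSize -Wrap
```

Run it on a representative client and on a file server, since SMB signing is negotiated per connection from the client-side and server-side values together. A "(not set)" result means the policy is Not Defined and the Windows default applies; check the documented default for that setting (RequireSignOrSeal, for instance, is enabled by default on Windows 2000 and later) before calling it weak, and compare with `gpresult /h report.html` if the effective value does not match what the GPO says.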

#2 (Michael)
    I checked two 2008 R2 domains I support:

    Domain member: Digitally encrypt or sign secure channel data (always) - Not Defined
    Microsoft network client: Digitally sign communications (always) - Not Defined
    Microsoft network server: Digitally sign communications (always) - Disabled
    Domain member: Require strong (Windows 2000 or later) session key - Not Defined
    Network access: Allow anonymous SID/Name translation - Not Defined
    Network access: Do not allow anonymous enumeration of SAM accounts and shares - Not Defined

Thanks to Michael from: Jollity (22nd April 2012)

#3 (SYNACK)
    This hardening may work fine for the workstations, but if you use anything like a NAS or Linux gear it may well break it, as practically none of it supports the higher security levels by default or, in many cases, at all.

Thanks to SYNACK from: Jollity (22nd April 2012)

#4 (Jollity)

    Quote Originally Posted by SYNACK:
    This hardening may work fine for the workstations but if you use anything like a NAS or Linux gear it may well break it as practically none of it supports the higher security levels by default or in many cases at all.
    That's the kind of thing I am worried about. We do not have any Linux machines, and no NASes at the moment. Network printers seem a likely thing to break, and perhaps the couple of MacBooks on the network.

    The fact that no one has come forward to support tightening the settings rather cools my heels. I was worried it was an area our security was slack, but it seems that we would be going above and beyond.

    I might have a go at tightening up the anonymous access settings - it seems less likely anything is using that, and I can't see how it could affect performance.

#5 (Michael)
    To be honest, having a properly managed hardware firewall and WSUS are the way to go instead of tweaking the above settings, which, as SYNACK pointed out, can be more trouble than they're worth. Best leave well alone.

#6 (chazzy2501)
    @Jollity I was also worried about this. @Michael This is more to do with internal security rather than external (internet-facing) threats. I know it's possible for all server-client packets to be authenticated and encrypted, but I also know that I don't fully understand what will break if I do that.

    Currently it's possible for a malicious user to hook a PC into a LAN port here, ARP spoof and Wireshark to read all the data flying around my network. My switches can halt some mischief, but I think they could cripple my network if determined enough. I think server-client encryption would further reduce the risk, but I lack the technical know-how.

#7 (SYNACK)
    Well you could use group policy to enforce IPSec encrypted connections between all clients and servers or even only some servers and their clients but you may well be getting into overkill land.

    Keeping devices off can be partially done using 802.1X on your switches and blocking unknown MAC addresses, but the workaround is to simply clone an existing station MAC. You can further split the network into VLANs and subnets with ACLs in between to prevent leakage of certain kinds of traffic from one section to another. You can also use something like PacketFence to keep a close eye on the traffic and watch for ARP poisoning etc., but you are rapidly approaching overkill land again. Even most universities don't go that far when it comes to proofing their networks. Usually the CS one gets a little extra scrutiny, but other than that it is usually just VLANs and 802.1X in my experience.

    What level of security are you trying to achieve?
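
Enforcing IPsec through Group Policy, as the post describes, is done with connection security rules (Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Connection Security Rules). The same rule can be created locally with `netsh advfirewall consec`, which is a cheap way to try the "only some servers and their clients" variant on one server and two or three clients before pushing it out by GPO. The script below is an added example, not from the thread; the server address `10.0.0.10` and the rule name are placeholders, and it assumes all the machines involved are domain members (so Kerberos computer authentication is available) running Vista/2008 or later.

```powershell
# Added example (not from the thread): connection security rule that negotiates
# IPsec (Kerberos computer authentication, transport mode) between one server
# and its clients. Run elevated on the server with -Role Server and on each
# client with -Role Client, or push the equivalent rule by GPO.
# Assumptions: $ServerIP and $ruleName are placeholders; every machine is a
# domain member so auth1=computerkerb works without any PKI.
param(
    [ValidateSet('Client', 'Server')] [string]$Role = 'Client',
    [string]$ServerIP = '10.0.0.10',   # placeholder: the server to protect
    [switch]$Enforce                   # omit on the first run: request mode only
)

$ruleName = 'IPsec-FileServer-Example'   # no spaces, so netsh quoting is not an issue

# Request mode negotiates IPsec when the peer can and falls back to clear text
# when it cannot, so nothing breaks while you check what actually negotiates.
# Require-inbound mode then refuses unauthenticated inbound traffic; a printer
# or NAS at that address would never negotiate, which is exactly the breakage
# warned about earlier in the thread.
$action = if ($Enforce) { 'requireinrequestout' } else { 'requestinrequestout' }

# endpoint1 is the local side of the rule, endpoint2 the remote side.
if ($Role -eq 'Server') { $local = $ServerIP; $remote = 'any' }
else                    { $local = 'any';     $remote = $ServerIP }

# Delete any earlier copy first so the script can be re-run safely.
netsh advfirewall consec delete rule name=$ruleName | Out-Null

netsh advfirewall consec add rule name=$ruleName `
    endpoint1=$local endpoint2=$remote `
    action=$action auth1=computerkerb mode=transport profile=domain enable=yes

# Show the rule, then (after some traffic to the server) the quick-mode security
# associations: an entry for the server address means IPsec is actually in use.
netsh advfirewall consec show rule name=$ruleName
netsh advfirewall monitor show qmsa
```

Leave the request-mode rule in place for a few days and look at the quick-mode SA list from each client; only once every client that matters shows an SA with the server should the rule be re-created with `-Enforce` on the server, and then the GPO version rolled out to the same OUs.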

#8 (Jollity)
    Interesting to hear what could be done. Definitely heading into overkill in our case - relatively small primary. I am not aiming for much in the way of protection from a human hacker with a direct physical connection to the LAN, but I would like to stop anything easily exploitable. It seems to me that a man-in-the-middle attack on windows traffic would be pretty difficult to get right and would likely involve luck or planning in finding an exploitable connection, but maybe someone has automated the process...

    Quote Originally Posted by SYNACK:
    the CS one
    Which measure does that refer to?

#9 (SYNACK)

    Quote Originally Posted by Jollity:
    Which measure does that refer to?

    The danger is more from traffic interception or from ARP poisoning redirecting stuff to a different server, which is largely taken care of with existing end-to-end verification and decent network partitioning.

    Our CS department had a strictly firewalled section all to itself, with 802.1X auth and statically assigned addresses (not that that last bit actually helped much).
