Security Basics mailing list archives

RE: RE: ADS Password Storage Protection
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 28 Jul 2006 12:36:37 -0400

GPO-based password policies can only be applied at Domain-level GPOs, and
work against domain accounts. They can be applied elsewhere, but they
don't work. 

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************



-----Original Message-----
From: e.m.baechle () ieee org [mailto:e.m.baechle () ieee org] 
Sent: Thursday, July 27, 2006 3:11 PM
To: security-basics () securityfocus com
Subject: Re: RE: ADS Password Storage Protection

Rolando,

You can divide up the settings if you want, but the easiest method is to
apply GPOs with these settings to both the DCs and the Workstations.

Establishing the settings for workstations is especially important in
cases where they are laptops operated either in a local-authentication
mode or disconnected from the domain.

In any case you'll want to disable the storage of LM Hash on both the
workstations and the DCs and establish NTLMv2 as the communication
protocol of choice on both sets of systems (otherwise you may not
connect, or experience long authentication delays while the workstations
and DCs negotiate the communication settings).

Sincerely,

Eric B.

------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience. 
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---
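
The two settings named in the quoted message (LM hash storage and the LM/NTLM authentication level) can be audited per machine. The script below is an added example, not part of either post. It assumes the registry value names NoLMHash and LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and a minimum acceptable level of 3; the host names and sample values are constructed.

```powershell
# Added example. Assumed (not in the posts): value names NoLMHash and
# LmCompatibilityLevel under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa, and a
# minimum acceptable level of 3 (client sends NTLMv2 responses only).
$LmLevelMeaning = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM; NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; DC refuses LM'
    5 = 'Send NTLMv2 response only; DC refuses LM and NTLM'
}

function Test-LsaAuthSettings {
    param([string] $Name, [hashtable] $Lsa, [int] $MinLevel = 3)
    $noLm  = $Lsa['NoLMHash']
    $level = $Lsa['LmCompatibilityLevel']
    $means = 'not set, OS default applies'
    if ($null -ne $level) { $means = $LmLevelMeaning[[int]$level] }
    [pscustomobject]@{
        Host       = $Name
        LmHashOff  = ($noLm -eq 1)   # false when the value is 0 or absent
        LmLevel    = $level
        LevelMeans = $means
        NtlmV2Only = ($null -ne $level -and [int]$level -ge $MinLevel)
    }
}

# Constructed sample data: a DC at level 5 refuses the LM/NTLM responses that
# a laptop left at level 1 still sends, the mismatch the message warns about.
$samples = [ordered]@{
    'DC01 (constructed)'     = @{ NoLMHash = 1; LmCompatibilityLevel = 5 }
    'LAPTOP07 (constructed)' = @{ LmCompatibilityLevel = 1 }
}
$report = foreach ($h in $samples.Keys) {
    Test-LsaAuthSettings -Name $h -Lsa $samples[$h]
}

# On a Windows host, append the live values read from the local registry.
if ($env:OS -eq 'Windows_NT') {
    $key  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $live = @{}
    foreach ($v in 'NoLMHash', 'LmCompatibilityLevel') {
        if ($key.PSObject.Properties[$v]) { $live[$v] = $key.$v }
    }
    $report = @($report) + (Test-LsaAuthSettings -Name $env:COMPUTERNAME -Lsa $live)
}
$report | Format-Table -AutoSize
```

Rows where LmHashOff or NtlmV2Only is False are the machines to bring in line before raising the level enforced on the DCs.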

