Domain Local group and Require strong. GPO Problem

Archived from groups: microsoft.public.win2000.security

Our windows 2003 AD domain is in native mode and we configured the following
GPO settings in the Domain Policy

Domain member: Require strong (Windows 2000 or later) session key

We enabled this key. We configured our SQL server to use a "Domain Local"
group for all the permissions. Due to the trust requirement between the NT and 2003
domains we were forced to change the "Require Strong (Windows 2000 or later) session
key" setting to disabled. Our SQL problem started from there. I cannot see the "Domain
Local" group from SQL Enterprise Manager. I can see only "Domain Global" and
"Universal" groups.

My question is: what is the relationship between the "Require Strong (Windows
2000 or later) session key" setting and "Domain Local" groups?

I checked the Forest and Domain functional levels. It is still in Windows
2003 Native mode.

Any help or reference would be greatly appreciated.
  1.

    From what I know there should be no relationship between the "Require Strong (Windows
    2000 or later) session key" setting and "Domain Local" groups in a Windows
    2000 domain. I would check Event Viewer on the server to see if any
    pertinent errors are recorded there and run the support tool netdiag on it
    to make sure it still has proper connectivity and an active computer account in
    the domain. Also see the link below, which shows some of the problems that
    can happen due to incompatible security option settings. I also pasted a
    definition of that security option and its "potential impact" from the Threats
    and Countermeasures Security Guide. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;823659


    Domain member: Require strong (Windows 2000 or later) session key
    The Domain member: Require strong (Windows 2000 or later) session key
    setting determines whether a secure channel can be established with a domain
    controller that is not capable of encrypting secure channel traffic with a
    strong, 128 - bit, session key. Enabling this setting prevents establishing
    a secure channel with any domain controller that cannot encrypt secure
    channel data with a strong key. Disabling this setting allows 64 - bit
    session keys.

    Note: To enable this setting on a member workstation or server, all domain
    controllers in the domain that the member belongs to must be capable of
    encrypting secure channel data with a strong, 128 - bit, key. This means
    that all such domain controllers must be running Windows 2000 or later.

    The possible values for this Group Policy setting are:

    - Enabled

    - Disabled

    - Not defined


    Vulnerability

    Session keys used to establish secure channel communications between domain
    controllers and member computers are much stronger in Windows 2000 than they
    were in previous Microsoft operating systems.

    Whenever possible, you should take advantage of these stronger session keys
    to help protect secure channel communications from eavesdropping and session
    hijacking network attacks. Eavesdropping is a form of hacking in which
    network data is read or altered in transit. The data can be modified to hide
    or change the sender, or to redirect it.

    Countermeasure

    Set Domain member: Require strong (Windows 2000 or later) session key to
    Enabled.

    Enabling this setting ensures that all outgoing secure channel traffic will
    require a strong, Windows 2000 or later, encryption key. Disabling this
    setting requires that the key strength be negotiated. Only enable
    this option if the domain controllers in all trusted domains support strong
    keys. By default, this value is disabled.

    Potential Impact

    You will not be able to join computers with this setting enabled to Windows
    NT 4.0 domains, nor will you be able to join computers that do not support
    this setting to domains where the domain controllers have this setting
    enabled.

    "-Sari" <Sari@discussions.microsoft.com> wrote in message
    news:4EF27AB9-2917-40D3-9C1B-B5E2C4B305D1@microsoft.com...
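The checks Steve describes (the effective value of the "Require strong session key" option, the member's secure channel to a DC, and NETLOGON errors in Event Viewer), together with a listing of the Domain Local groups the original poster cannot see, as an added PowerShell example that is not part of the thread and not Microsoft's own guidance. It assumes a domain-joined machine with Windows PowerShell, RSAT's ActiveDirectory module and Test-ComputerSecureChannel available (Server 2008 R2 / Windows 7 or later, so newer than the 2003-era systems in the thread, where netdiag would be used instead), run from an elevated prompt:

```powershell
# Added example, not from the thread. Run elevated on a domain member.
# Assumes the ActiveDirectory module (RSAT) is installed.

# 1. The policy "Domain member: Require strong (Windows 2000 or later) session key"
#    is applied to the member as this Netlogon registry value (1 = Enabled, 0 = Disabled).
$netlogon = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
$rsk = (Get-ItemProperty -Path $netlogon -Name RequireStrongKey -ErrorAction SilentlyContinue).RequireStrongKey
switch ($rsk) {
    1       { "RequireStrongKey = 1 (Enabled): only 128-bit secure channel session keys are accepted" }
    0       { "RequireStrongKey = 0 (Disabled): 64-bit session keys are allowed" }
    default { "RequireStrongKey is not set explicitly on this machine" }
}

# 2. Verify that the member's secure channel to a domain controller is healthy.
#    This is the built-in successor to the netdiag secure channel test.
if (Test-ComputerSecureChannel) {
    "Secure channel to domain $env:USERDOMAIN is OK"
} else {
    "Secure channel is broken; repair with: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)"
}

# 3. Recent NETLOGON errors and warnings in the System log, i.e. what the
#    Event Viewer check in the reply is looking for (Level 1-3 = critical/error/warning).
Get-WinEvent -FilterHashtable @{LogName = 'System'; ProviderName = 'NETLOGON'; Level = 1, 2, 3} `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# 4. Domain Local groups exist in the directory regardless of the session key
#    setting; list them by scope so the group the SQL server uses can be located.
Import-Module ActiveDirectory
Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"' -Properties Description |
    Sort-Object Name |
    Select-Object Name, GroupScope, GroupCategory, DistinguishedName
```

If step 4 lists the group but a tool on the SQL server does not, the problem is with how that tool enumerates groups (or with the member's own secure channel from step 2), not with the session key setting, which matches the point both replies make.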
  2.

    Steve,
    Thanks for the reply. But I am still not clear about the relation between
    the Domain Local Group and the Require Strong... policy. If you disable this, we will
    lose some kind of Windows 2003 Native functionality.

    "Steven L Umbach" wrote:

  3.

    Like Steve, I believe that you are associating these due to
    their occurrence in time, rather than due to any intrinsic
    relation between them. AFAIK and can imagine, reducing
    the strength of the session keying should not make the DL
    groups and only the DL groups disappear. IOW it seems
    that you have something else going on.

    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "-Sari" <Sari@discussions.microsoft.com> wrote in message
    news:97BB4607-8B55-4F19-84B8-A0E9F25FD88A@microsoft.com...