Domain Local group and Require strong. GPO Problem

Guest
Archived from groups: microsoft.public.win2000.security

Our Windows 2003 AD domain is in native mode and we configured the following
GPO setting in the Domain Policy:

Domain member: Require strong (Windows 2000 or later) session key

We enabled this key. We configured our SQL server to use a "Domain Local"
group for all the permissions. Due to the trust requirement between the NT and 2003
domains we were forced to change "Require Strong (Windows 2000 or later) session
key" to disabled. Our SQL problem started from there. I cannot see the "Domain
Local" group from SQL Enterprise Manager. I can see only "Domain Global" and
"Universal" groups.

My question is: what is the relationship between the "Require Strong (Windows
2000 or later) session key" setting and "Domain Local" groups?

I checked the Forest and Domain functional levels. They are still in Windows
2003 Native mode.

Any help or reference would be greatly appreciated.
 
Guest

From what I know there should be no relationship between the "Require Strong (Windows
2000 or later) session key" setting and "Domain Local" groups in a Windows
2000 domain. I would check Event Viewer on the server to see if any
pertinent errors are recorded there and run the support tool netdiag on it
to make sure it still has proper connectivity and an active computer account in
the domain. Also see the link below, which shows some of the problems that
can happen due to incompatible security option settings. I also pasted a
definition of that security option and its "potential impact" from the Threats
and Countermeasures Security Guide. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;823659


Domain member: Require strong (Windows 2000 or later) session key

The Domain member: Require strong (Windows 2000 or later) session key
setting determines whether a secure channel can be established with a domain
controller that is not capable of encrypting secure channel traffic with a
strong, 128-bit, session key. Enabling this setting prevents establishing
a secure channel with any domain controller that cannot encrypt secure
channel data with a strong key. Disabling this setting allows 64-bit
session keys.

Note: To enable this setting on a member workstation or server, all domain
controllers in the domain that the member belongs to must be capable of
encrypting secure channel data with a strong, 128-bit, key. This means
that all such domain controllers must be running Windows 2000 or later.

The possible values for this Group Policy setting are:

- Enabled
- Disabled
- Not defined


Vulnerability

Session keys used to establish secure channel communications between domain
controllers and member computers are much stronger in Windows 2000 than they
were in previous Microsoft operating systems.

Whenever possible, you should take advantage of these stronger session keys
to help protect secure channel communications from eavesdropping and session
hijacking network attacks. Eavesdropping is a form of hacking in which
network data is read or altered in transit. The data can be modified to hide
or change the sender, or to redirect it.

Countermeasure

Set Domain member: Require strong (Windows 2000 or later) session key to
Enabled.

Enabling this setting ensures that all outgoing secure channel traffic will
require a strong, Windows 2000 or later, encryption key. Disabling this
setting requires that the key strength be negotiated. Only enable
this option if the domain controllers in all trusted domains support strong
keys. By default, this value is disabled.

Potential Impact

You will not be able to join computers with this setting enabled to Windows
NT 4.0 domains, nor will you be able to join computers that do not support
this setting to domains where the domain controllers have this setting
enabled.

"-Sari" <Sari@discussions.microsoft.com> wrote in message
news:4EF27AB9-2917-40D3-9C1B-B5E2C4B305D1@microsoft.com...
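As an added check along the lines Steve describes (example code, not from the thread or from Microsoft): it reads the effective value of the policy on the member server, tests the Netlogon secure channel, and enumerates groups by scope directly from AD so that a "missing" Domain Local group can be confirmed or ruled out in the directory itself. It assumes an elevated PowerShell 3 or later session on the SQL member server as a domain user, and that the value name RequireStrongKey and the groupType bit values are the documented ones.

```powershell
# Added example, not code from the thread. Run on the SQL member server in an
# elevated PowerShell 3+ session as a domain user. Assumes the documented value
# name RequireStrongKey and the documented groupType bit values.

# 1. Effective policy value. The GPO "Domain member: Require strong (Windows 2000
#    or later) session key" is stored as RequireStrongKey under Netlogon\Parameters
#    (1 = Enabled, 0 = Disabled, value absent = Not defined).
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$rsk = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).RequireStrongKey
if ($null -eq $rsk) { $rsk = 'Not defined' }
"RequireStrongKey on this host: $rsk"

# 2. Secure channel health, the fault Steve suggests checking with netdiag.
#    Test-ComputerSecureChannel returns $false when the channel to the DC is broken.
try {
    $scOk = Test-ComputerSecureChannel -Verbose
} catch {
    $scOk = "error: $($_.Exception.Message)"
}
"Secure channel to the domain OK: $scOk"

# 3. Enumerate groups by scope straight from AD. groupType scope bits:
#    0x1 builtin local, 0x2 global, 0x4 domain local, 0x8 universal;
#    a negative value (bit 0x80000000 set) marks a security group.
$scopes = @{ 1 = 'BuiltinLocal'; 2 = 'Global'; 4 = 'DomainLocal'; 8 = 'Universal' }
$searcher = [adsisearcher]'(objectCategory=group)'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'grouptype'))
$groups = foreach ($r in $searcher.FindAll()) {
    $gt = [int]$r.Properties['grouptype'][0]
    [pscustomobject]@{
        Name     = [string]$r.Properties['name'][0]
        Scope    = $scopes[[int]($gt -band 0xF)]
        Security = ($gt -lt 0)
    }
}
$groups | Group-Object Scope | Select-Object Name, Count | Format-Table -AutoSize
# List the security-enabled Domain Local groups that SQL should be able to resolve.
$groups | Where-Object { $_.Scope -eq 'DomainLocal' -and $_.Security } |
    Sort-Object Name | Format-Table Name -AutoSize
```

If Domain Local groups are listed by step 3 but not in Enterprise Manager, the difference lies in how the SQL tool enumerates groups, not in the directory or in the session-key policy.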
 
Guest

Steve,
Thanks for the reply. But I am still not clear about the relation between the
Domain Local Group and the "Require Strong..." policy. If you disable this, we will
lose some kind of Windows 2003 Native functionality.

"Steven L Umbach" wrote:

 
Guest

Like Steve, I believe that you are associating these due to
their occurrence in time, rather than due to any intrinsic
relation between them. AFAIK and can imagine, reducing
the strength of the session keying should not make the DL
groups, and only the DL groups, disappear. IOW it seems
that you have something else going on.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"-Sari" <Sari@discussions.microsoft.com> wrote in message
news:97BB4607-8B55-4F19-84B8-A0E9F25FD88A@microsoft.com...