Archived from groups: microsoft.public.win2000.security
Like Steve, I believe that you are associating these due to
their occurrence in time, rather than due to any intrinsic
relation between them. AFAIK and can imagine, reducing
the strength of the session keying should not make the DL
groups and only the DL groups disappear. IOW it seems
that you have something else going on.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"-Sari" <Sari@discussions.microsoft.com> wrote in message
news:97BB4607-8B55-4F19-84B8-A0E9F25FD88A@microsoft.com...
> Steve,
> Thanks for the reply. But I am still not clear about the relation between
> Domain Local Group and Require Strong.. policy..If you disable this, we will
> lose some kind of Windows 2003 Native functionality.
>
> "Steven L Umbach" wrote:
>
> > From what I know there should be no relationship to "Require Strong (windows
> > 2000 or later) session key" settings and "Domain Local" group in a Windows
> > 2000 domain. I would check Event Viewer on the server to see if any
> > pertinent errors are recorded there and run the support tool netdiag on it
> > to make sure it still has proper connectivity and active computer account in
> > the domain. Also see the link below which shows some of the problems that
> > can happen due to incompatible security option settings. I also pasted a
> > definition of that security option and "potential impact" from the Threats
> > and Countermeasures Security Guide. --- Steve
> >
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
> >
> >
> > Domain member: Require strong (Windows 2000 or later) session key
> > The Domain member: Require strong (Windows 2000 or later) session key
> > setting determines whether a secure channel can be established with a domain
> > controller that is not capable of encrypting secure channel traffic with a
> > strong, 128-bit, session key. Enabling this setting prevents establishing
> > a secure channel with any domain controller that cannot encrypt secure
> > channel data with a strong key. Disabling this setting allows 64-bit
> > session keys.
> >
> > Note: To enable this setting on a member workstation or server, all domain
> > controllers in the domain that the member belongs to must be capable of
> > encrypting secure channel data with a strong, 128-bit, key. This means
> > that all such domain controllers must be running Windows 2000 or later.
> >
> > The possible values for this Group Policy setting are:
> >
> > . Enabled
> >
> > . Disabled
> >
> > . Not defined
> >
> >
> > Vulnerability
> >
> > Session keys used to establish secure channel communications between domain
> > controllers and member computers are much stronger in Windows 2000 than they
> > were in previous Microsoft operating systems.
> >
> > Whenever possible, you should take advantage of these stronger session keys
> > to help protect secure channel communications from eavesdropping and session
> > hijacking network attacks. Eavesdropping is a form of hacking in which
> > network data is read or altered in transit. The data can be modified to hide
> > or change the sender, or to redirect it.
> >
> > Countermeasure
> >
> > Set Domain member: Require strong (Windows 2000 or later) session key to
> > Enabled.
> >
> > Enabling this setting ensures that all outgoing secure channel traffic will
> > require a strong, Windows 2000 or later, encryption key. Disabling this
> > setting requires that the key strength is negotiated. Only enable
> > this option if the domain controllers in all trusted domains support strong
> > keys. By default, this value is disabled.
> >
> > Potential Impact
> >
> > You will not be able to join computers with this setting enabled to Windows
> > NT 4.0 domains, nor will you be able to join computers that do not support
> > this setting to domains where the domain controllers have this setting
> > enabled.
> >
> > "-Sari" <Sari@discussions.microsoft.com> wrote in message
> > news:4EF27AB9-2917-40D3-9C1B-B5E2C4B305D1@microsoft.com...
> > > Our windows 2003 AD domain is in native mode and we configured the
> > > following GPO settings in the Domain Policy
> > >
> > > Domain member: Require strong (Windows 2000 or later) session key
> > >
> > > We enabled this key. We configured our SQL server to use a "Domain Local"
> > > group for all the permissions. Due to the trust requirement between NT and
> > > 2003 domain we were forced to change the "Require Strong (windows 2000 or
> > > later) session key" to disabled. Our SQL problem started from there. I
> > > cannot see "Domain local" group from SQL Enterprise manager. I can see only
> > > "Domain Global" and "Universal" groups.
> > >
> > > My question is what is the relationship between "Require Strong (windows
> > > 2000 or later) session key" settings and "Domain Local" group?
> > >
> > > I checked the Forest and Domain functional levels. It is still in Windows
> > > 2003 Native mode.
> > >
> > > Any help or reference would be greatly appreciated.
> > >
> >
> >
> >
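
Added example, not part of the original thread: a small Python audit that reads a security template exported with `secedit /export /cfg <file>` and reports the state of the "Require strong session key" setting, with the impact described in the guide excerpt quoted above. It assumes the setting is stored as the `RequireStrongKey` value under the Netlogon parameters key in the template's `[Registry Values]` section; the function names and sample templates are constructed for illustration.

```python
import codecs

# Registry value behind "Domain member: Require strong (Windows 2000 or later)
# session key", as it appears under [Registry Values] in a secedit export.
KEY = r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey"

# Impact per state, paraphrased from the guide excerpt quoted in the thread.
IMPACT = {
    "Enabled": "128-bit key required; no secure channel with DCs lacking one (e.g. NT 4.0)",
    "Disabled": "64-bit session keys are allowed",
    "Not defined": "template does not set the value (default is disabled)",
}

def decode_export(raw: bytes) -> str:
    """secedit writes UTF-16 with a BOM; also accept UTF-8 copies."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def strong_key_state(template: str) -> str:
    """Return 'Enabled', 'Disabled' or 'Not defined' for RequireStrongKey."""
    section = None
    for line in template.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "registry values" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() != KEY.lower():
                continue
            # Value is "<registry type>,<data>"; "4,1" means REG_DWORD 1.
            reg_type, _, data = value.partition(",")
            if reg_type.strip() != "4":
                raise ValueError(f"unexpected registry type in {line!r}")
            return "Enabled" if int(data.strip()) else "Disabled"
    return "Not defined"

def report(raw: bytes) -> str:
    state = strong_key_state(decode_export(raw))
    return f"{state}: {IMPACT[state]}"

# Constructed sample exports (not taken from the thread).
SAMPLE_ENABLED = ("[Unicode]\r\nUnicode=yes\r\n[Registry Values]\r\n"
                  + KEY + "=4,1\r\n[Version]\r\nRevision=1\r\n").encode("utf-16")
SAMPLE_DISABLED = ("[Registry Values]\n" + KEY.upper() + " = 4,0\n").encode("utf-8")
SAMPLE_UNSET = b"[System Access]\nMinimumPasswordLength = 7\n"

if __name__ == "__main__":
    for raw in (SAMPLE_ENABLED, SAMPLE_DISABLED, SAMPLE_UNSET):
        print(report(raw))
```

Running the same check against exports from each member server shows which ones still enforce 128-bit keys after a domain policy change.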