Microsoft Windows NT 4.0 Guide User Manual, Page 101

Microsoft® Windows Server 2003 White Paper
Windows NT 4.0 Server Upgrade Guide

Required Server Message Block (SMB) Packet Signing on Domain Controllers
This change provides integrity checking for SMB communications between clients and domain
controllers and applies to named pipe applications in particular.
By default, Windows Server 2003 domain controllers require that all clients digitally sign SMB-
based communications. The SMB protocol is used to provide file sharing, print sharing, various
remote administration functions, and logon authentication for some down-level clients. However,
the following operating systems are not capable of performing SMB signing and therefore cannot
connect to Windows Server 2003 domain controllers by default:
  • Windows for Workgroups
  • Windows 95–based computers without the DS Client Pack
  • Windows NT 4.0–based computers prior to SP3
  • Devices, including Pocket PC 2002 and previous versions, based on the Windows CE .NET version 4.1 or earlier
If such clients cannot be upgraded to a current operating system or upgraded to meet the
minimum requirements described earlier in this article, then the SMB signing requirement can be
removed by disabling the following security policy in the Default Domain Controller GPO on the
domain controller’s OU:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft Network Server: Digitally sign communications (always)
Warning: Disabling this security setting exposes all your domain controller communications to "man in
the middle" types of attacks. Therefore, it is highly recommended that you upgrade your clients rather
than disabling this security setting. The DS Client Pack, necessary for Windows 95 clients to perform
SMB signing, can be obtained from the \clients\win9x subdirectory of the Windows 2000 Server CD.

Required Secure Channel Communications
By default, Windows Server 2003 domain controllers require that all secure channel communications
be either signed or encrypted. Secure channels are used by Windows NT–based computers for
communications between domain members and domain controllers as well as among domain
controllers that have a trust relationship. Windows NT 4.0–based computers prior to SP4 are not
capable of signing or encrypting secure channel communications. If Windows NT 4.0–based
computers prior to SP4 must join this domain, or this domain must trust other domains that contain
pre-SP4 domain controllers, then the secure channel-signing requirement can be removed by
disabling the following security policy in the Default Domain Controller Group Policy Object:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain Member: Digitally encrypt or sign secure channel data (always)
Warning: Disabling this security setting exposes secure channel communications to "man in the
middle" types of attacks. Therefore, it is highly recommended that you upgrade your Windows NT
4.0–based computers rather than disabling this security setting.