Hardening the OS under ISA 2004

Using security templates is strongly recommended. Not only does this document the system, it also makes it easier to audit, and thanks to the built-in templates you don't have to start from scratch.

In any case, use the templates provided by the Windows Server 2003 Security Guide rather than the stock ones, because those actually produce stricter settings. The security guide includes a PDF that describes the exact consequences of every single security setting. Here is an example:

Network security: LAN Manager authentication level

Table 3.96: Settings

Environment            Setting
Member Server Default  Send NTLM response only
Legacy Client          Send NTLMv2 responses only
Enterprise Client      Send NTLMv2 response only\refuse LM
High Security          Send NTLMv2 response only\refuse LM & NTLM

The Network security: LAN Manager authentication level security option setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of security negotiated, and the level of authentication accepted by servers as follows. The following numbers in parentheses below are the actual settings for the LMCompatibilityLevel registry value. This setting should be configured to the highest level that your environment allows according to the following guidelines:

In a pure Windows NT 4.0 SP4 or later environment — including Windows 2000 and Windows XP Professional — configure this setting to Send NTLMv2 response only\refuse LM & NTLM on all clients, and then to Send NTLMv2 response only\refuse LM & NTLM on all servers once all clients are configured. The exception to this recommendation is Windows 2003 Routing and Remote Access servers, which will not function properly if this setting is set higher than Send NTLMv2 response only\refuse LM.

The Enterprise Client environment contains Routing and Remote Access servers. For this reason, the setting for this environment is configured to Send NTLMv2 response only\refuse LM. The High Security environment does not contain Routing and Remote Access servers, so the setting for this environment is configured to Send NTLMv2 response only\refuse LM & NTLM.

If you have Windows 9x clients, and you can install the DSClient on all such clients, configure this setting to Send NTLMv2 response only\refuse LM & NTLM on computers running Windows NT (Windows NT, Windows 2000, and Windows XP Professional). Otherwise, you must leave this setting configured at no higher than Send NTLMv2 responses only on computers not running Windows 9x.


If you find applications that break when this setting is enabled, roll it back one step at a time to discover what breaks. At a minimum, this setting should be set to Send LM & NTLM – use NTLMv2 session security if negotiated on all computers and can typically be set to Send NTLMv2 responses only on all computers in the environment.
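As an added example (not code from this post or from the Windows Server 2003 Security Guide), here is a small Python script that reads the [Registry Values] section of a security template .inf file, extracts the LmCompatibilityLevel it would apply, and checks it against the Table 3.96 baseline for each environment. The .inf fragment is constructed for the example; the 0-5 level numbering is the standard Windows numbering for this security option, which the quoted passage refers to but the excerpt does not list.

```python
# Meaning of each LmCompatibilityLevel value (Network security: LAN Manager
# authentication level). Standard Windows numbering; assumed here because the
# quoted excerpt omits the numbers.
LM_LEVEL_NAMES = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only\\refuse LM",
    5: "Send NTLMv2 response only\\refuse LM & NTLM",
}

# Minimum level per environment, taken from Table 3.96 of the guide.
BASELINES = {
    "Member Server Default": 2,
    "Legacy Client": 3,
    "Enterprise Client": 4,
    "High Security": 5,
}

LSA_KEY = r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"
REG_DWORD = 4  # type code used for DWORD values in security template .inf files

# Constructed sample: a minimal security template fragment with only the
# sections that matter here.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
"""


def parse_registry_values(template_text):
    """Return {registry path (lower-cased): (type code, value)} from [Registry Values]."""
    values = {}
    in_section = False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section:
            continue
        path, sep, rest = line.partition("=")
        if not sep:
            continue
        type_code, _, value = rest.partition(",")  # entries look like path=type,value
        values[path.strip().lower()] = (int(type_code), value.strip())
    return values


def lm_compatibility_level(template_text):
    """Return the LmCompatibilityLevel the template would apply, or None if absent."""
    entry = parse_registry_values(template_text).get(LSA_KEY.lower())
    if entry is None:
        return None
    type_code, value = entry
    if type_code != REG_DWORD:
        raise ValueError("LmCompatibilityLevel must be REG_DWORD (type 4), got %d" % type_code)
    level = int(value)
    if level not in LM_LEVEL_NAMES:
        raise ValueError("LmCompatibilityLevel %d is outside 0-5" % level)
    return level


def check_against_baseline(template_text, environment):
    """Compare the template's level with the guide's baseline for one environment.

    Returns (meets_baseline, template_level, description).
    """
    required = BASELINES[environment]
    level = lm_compatibility_level(template_text)
    if level is None:
        return (False, None, "template does not set LmCompatibilityLevel")
    desc = "%d (%s); %s requires at least %d (%s)" % (
        level, LM_LEVEL_NAMES[level], environment, required, LM_LEVEL_NAMES[required])
    return (level >= required, level, desc)


if __name__ == "__main__":
    for env in BASELINES:
        ok, level, desc = check_against_baseline(SAMPLE_TEMPLATE, env)
        print("%-22s %s %s" % (env, "OK " if ok else "LOW", desc))
```

With the sample template the check passes for Member Server Default, Legacy Client and Enterprise Client (level 4 is the Enterprise Client setting, the highest that still works with Routing and Remote Access servers) and fails for High Security, which needs level 5. The same mapping is handy when rolling the setting back one step at a time as the guide suggests: the level number is the step.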
