Re: ntlmv2 & Kerberos - WeOnlyDo Discussion board

Re: ntlmv2 & Kerberos (General questions)

by dirk, Friday, May 01, 2009, 01:31 (5685 days ago) @ woddrazen

You're right, there is a part missing:

o Interactive logon: Prompt user to change password before expiration 14 days
o Interactive logon: Require Domain Controller authentication to unlock workstation Enabled
o Interactive logon: Require smart card Disabled
o Interactive logon: Smart card removal behavior Lock Workstation
o Microsoft network client: Digitally sign communications (always) Enabled
o Microsoft network client: Digitally sign communications (if server agrees) Enabled
o Microsoft network client: Send unencrypted password to third-party SMB servers Disabled
o Microsoft network server: Amount of idle time required before suspending session 15 minutes
o Microsoft network server: Digitally sign communications (always) Enabled
o Microsoft network server: Digitally sign communications (if client agrees) Enabled
o Microsoft network server: Disconnect clients when logon hours expire Enabled
o Network access: Allow anonymous SID/Name translation Disabled
o Network access: Do not allow anonymous enumeration of SAM accounts Enabled
o Network access: Do not allow anonymous enumeration of SAM accounts and shares Enabled
o Network access: Do not allow storage of credentials or .NET Passports for network authentication Enabled
o Network access: Let Everyone permissions apply to anonymous users Disabled
o Network access: Named Pipes that can be accessed anonymously COMNAP,COMNODE,SQLQUERY,SPOOLSS,BROWSER,netlogon,lsarpc,samr
o Network access: Remotely accessible registry paths System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
o Network access: Remotely accessible registry paths and sub-paths Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog
o Network access: Restrict anonymous access to Named Pipes and Shares Enabled
o Network access: Sharing and security model for local accounts Classic - local users authenticate as themselves
o Network security: Do not store LAN Manager hash value on next password change Enabled
o Network security: Force logoff when logon hours expire Enabled
o Network security: LAN Manager authentication level Send NTLMv2 response only\refuse LM & NTLM
o Network security: LDAP client signing requirements Negotiate signing
o Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption
o Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption
o Recovery console: Allow automatic administrative logon Disabled
o Recovery console: Allow floppy copy and access to all drives and all folders Disabled
o Shutdown: Allow system to be shut down without having to log on Disabled
o Shutdown: Clear virtual memory pagefile Enabled
o System cryptography: Force strong key protection for user keys stored on the computer User must enter a password each tim

