Wednesday, January 13, 2010

Modify Default Security Policies in Windows Server 2008


Updated: November 19, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
To increase security, domain controllers that run Windows Server 2008 and Windows Server 2008 R2 require (by default) that all client computers attempting to authenticate to them perform Server Message Block (SMB) packet signing and secure channel signing. If your production environment includes client computers that run platforms that do not support SMB packet signing (for example, Microsoft Windows NT® 4.0 with Service Pack 2 (SP2)) or if it includes client computers that run platforms that do not support secure channel signing (for example, Windows NT 4.0 with Service Pack 3 (SP3)), you might have to modify default security policies to ensure that client computers running older versions of the Windows operating system or non-Microsoft operating systems will be able to access domain resources in the upgraded domain.
Note
By modifying the settings of the default security policies, you are weakening the default security policies in your environment: without required signing, SMB sessions and the Netlogon secure channel to the domain controller are no longer protected against tampering or relay by an attacker on the network path. Therefore, we recommend that you upgrade your Windows-based client computers as soon as possible. After all client computers in your environment are running versions of Windows that support SMB packet signing and secure channel signing, re-enable the default security policies to restore the protection.

To configure a domain controller to not require SMB packet signing or secure channel signing, disable the following settings in the Default Domain Controllers Policy (the first controls signing by the domain controller's SMB server; the second controls signing of the Netlogon secure channel):
  • Microsoft network server: Digitally sign communications (always)

  • Domain member: Digitally encrypt or sign secure channel data (always)

Back up the Default Domain Controllers Policy Group Policy object (GPO) before you modify it. Use the Group Policy Management Console (GPMC) to back up the GPO so that it can be restored, if necessary.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To disable SMB packet signing enforcement on domain controllers
  1. To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.
  2. In the console tree, right-click Default Domain Controllers Policy in Domains\Current Domain Name\Group Policy objects\Default Domain Controllers Policy, and then click Edit.
  3. In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.
  4. In the details pane, double-click Microsoft network server: Digitally sign communications (always).
  5. Verify that the Define this policy setting check box is selected, click Disabled to prevent SMB packet signing from being required, and then click OK.
    To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:
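The following PowerShell script is an added example, not part of the original article. It performs the backup step with the GroupPolicy module instead of the GPMC user interface, then audits the two signing requirements as they are currently enforced on the domain controller by reading the registry values those security options map to (LanManServer RequireSecuritySignature and Netlogon RequireSignOrSeal), and finally refreshes policy with gpupdate /force. The backup folder C:\GPOBackup is an assumption; the GPO display name is the default one. Run it in an elevated PowerShell session on a Windows Server 2008 R2 domain controller where the Group Policy Management feature (which provides the GroupPolicy module) is installed.

```powershell
# Added example (not from the original article): back up the Default Domain
# Controllers Policy, report whether SMB and secure channel signing are
# currently required on this domain controller, then refresh Group Policy.
# Assumptions: backup folder C:\GPOBackup; GPO keeps its default display name.

Import-Module GroupPolicy

$gpoName    = 'Default Domain Controllers Policy'
$backupPath = 'C:\GPOBackup'   # assumed location, adjust as needed

# 1. Back up the GPO before changing it (same purpose as the GPMC backup step).
if (-not (Test-Path $backupPath)) {
    New-Item -ItemType Directory -Path $backupPath | Out-Null
}
$backup = Backup-GPO -Name $gpoName -Path $backupPath
Write-Host "Backed up '$gpoName' as backup ID $($backup.Id)"

# 2. Map each security option to the registry value it sets once the policy
#    has been applied on the domain controller. 1 = required, 0 = not required.
$signingSettings = @(
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
       Value  = 'RequireSecuritySignature' },
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Value  = 'RequireSignOrSeal' }
)

function Get-SigningRequirement {
    param([hashtable]$Setting)
    $item = Get-ItemProperty -Path $Setting.Key -Name $Setting.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (operating system default applies)' }
    if ($item.($Setting.Value) -eq 1) { 'REQUIRED' } else { 'not required' }
}

# 3. Report the effective state before the policy refresh.
Write-Host 'Signing requirements currently in effect:'
foreach ($s in $signingSettings) {
    '  {0}: {1}' -f $s.Policy, (Get-SigningRequirement -Setting $s)
}

# 4. Apply the GPO change made in the Group Policy Management Editor without
#    waiting for the next refresh interval or a restart, then report again.
gpupdate /force
Write-Host 'Signing requirements after policy refresh:'
foreach ($s in $signingSettings) {
    '  {0}: {1}' -f $s.Policy, (Get-SigningRequirement -Setting $s)
}
```

To roll the change back, restore the saved copy with Restore-GPO -Name $gpoName -BackupId $backup.Id -Path $backupPath and run gpupdate /force again; the audit loop should then report both settings as REQUIRED.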
