Inconsistent Application of "Network security: Minimum session security" GPO settings between Host Servers and Domain Controllers

ME 311 Reputation points
2023-04-27T13:49:03.2466667+00:00

I have set two settings in Group Policy on all my Windows 2019 servers:

Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"

This is set to "Require NTLMv2 session security" and "Require 128-bit encryption"

Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"

Similarly set to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).

All my servers are receiving this setting - GPResult and the local GPEdit console both show that this setting is in place, and going to the regkey where the setting actually lives (HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec and NTLMMinClientSec) shows that data is received.

The problem is, on all my Host servers - i.e. every one that is not a Domain Controller - I have the apparently correct value of 0x20080000 (537395200). However, on every one of my Domain Controllers, I have a different value: 0x20080030 (537395248).

This seems to be the case for both of the DWORDs involved.

Should these be different from each other? The auditing tool we are using definitely flags the Domain Controllers as being out-of-spec, but I am not familiar enough with this specific setting to know if maybe it is the tool that is wrong.

Limitless Technology 43,316 Reputation points
2023-04-28T15:04:20.2433333+00:00

    Hi,

    I'd be happy to help you out with your question. Sorry for the inconvenience caused.

    The settings you've applied to your servers are correct. The "Network security: Minimum session security" settings are meant to be applied differently based on the role of the computer in the network, with domain controllers having a higher level of security requirements compared to regular servers.

    The values you're seeing in the registry for your domain controllers, 0x20080030 (537395248), represent the correct setting for "Require NTLMv2 session security" and "Require 128-bit encryption" on domain controllers. On the other hand, the value you're seeing for your host servers, 0x20080000 (537395200), represents the correct setting for those servers.

    It's normal for auditing tools to flag domain controllers as being out-of-spec because they have a different security configuration compared to regular servers. However, in this case, the difference in settings is intentional and correct based on the role of the computers in the network.

    If you have any other questions or need assistance with anything, please don't hesitate to let me know. I'm here to help.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.
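Added example, not code from either post: a PowerShell snippet that decodes the NTLMMinClientSec / NTLMMinServerSec DWORD into the policy options it encodes, using the NTLMSSP negotiate flag values from MS-NLMP, and reports which bits differ between the two values quoted in the question. The function names are my own; run against those two values, it shows the domain-controller value carrying the legacy "Require message integrity" and "Require message confidentiality" bits (0x30) on top of the two options the GPO selects, which is what an auditing tool comparing against 0x20080000 would flag.

```powershell
# Added example, not from the original thread. Decodes the
# HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 NTLMMin*Sec DWORDs into the
# policy check boxes they represent. Flag values are the NTLMSSP negotiate
# flags from MS-NLMP; the function names are my own.
$NtlmMinSecFlags = [ordered]@{
    0x00000010 = 'Require message integrity (NTLMSSP_NEGOTIATE_SIGN)'
    0x00000020 = 'Require message confidentiality (NTLMSSP_NEGOTIATE_SEAL)'
    0x00080000 = 'Require NTLMv2 session security (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)'
    0x20000000 = 'Require 128-bit encryption (NTLMSSP_NEGOTIATE_128)'
}

function ConvertFrom-NtlmMinSec {
    param([Parameter(Mandatory)][uint32]$Value)
    $known = 0
    $names = foreach ($entry in $NtlmMinSecFlags.GetEnumerator()) {
        if (($Value -band $entry.Key) -ne 0) { $known = $known -bor $entry.Key; $entry.Value }
    }
    [pscustomobject]@{
        Value       = '0x{0:X8}' -f $Value
        Flags       = @($names)
        # Any bit outside the four documented flags is worth investigating.
        UnknownBits = '0x{0:X8}' -f ($Value -bxor $known)
    }
}

function Get-NtlmMinSec {
    # Reads the live values; a missing value means no minimum is enforced (0).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    foreach ($name in 'NTLMMinClientSec', 'NTLMMinServerSec') {
        $raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $raw) { $raw = 0 }
        # Registry DWORDs come back as Int32; mask to avoid sign problems on high-bit values.
        $decoded = ConvertFrom-NtlmMinSec -Value ([uint32]($raw -band 0xFFFFFFFFL))
        $decoded | Add-Member -NotePropertyName Setting -NotePropertyValue $name -PassThru
    }
}

# Constructed input: the two values reported in the question.
$memberValue = [uint32]0x20080000   # member (host) servers
$dcValue     = [uint32]0x20080030   # domain controllers

'Member server:';          ConvertFrom-NtlmMinSec -Value $memberValue | Format-List
'Domain controller:';      ConvertFrom-NtlmMinSec -Value $dcValue | Format-List
'Bits set only on the DCs:'; ConvertFrom-NtlmMinSec -Value ($dcValue -bxor $memberValue) | Format-List

# On a real server, compare the live values against the baseline the GPO is meant to set:
# Get-NtlmMinSec | Where-Object Value -ne '0x20080000'
```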