Applying the GPOs you listed will enforce specific security configurations related to network security, authentication, and session security on your Windows Servers (2022/2019/2016). Here is an overview of each GPO setting and its potential impact:
- Network security: Force logoff when logon hours expire
- Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire
- Setting: Enabled
Impact:
- This policy forces users to be automatically logged off when their allowed logon hours expire.
- Positive Impact: Enhances security by preventing users from staying logged in beyond their permitted hours, which can help mitigate unauthorized access during off-hours.
- Negative Impact: Users might lose unsaved work if they are forcefully logged off. This can be particularly disruptive if applied to servers used for critical tasks that require continuous access.
- Network security: LAN Manager authentication level
- Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level
- Setting: Send NTLMv2 response only
Impact:
- This policy restricts the system to only send NTLMv2 responses for authentication.
- Positive Impact: NTLMv2 is more secure than its predecessors (NTLM or LM), reducing the risk of certain types of attacks such as replay attacks or brute-force attacks on older, less secure authentication methods.
- Negative Impact: Legacy systems or applications that rely on older authentication protocols (e.g., NTLMv1 or LM) may fail to authenticate or communicate properly. This could lead to access issues or disruptions in environments where such systems are still in use.
- Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
- Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
- Setting: Require NTLMv2 session security, Require 128-bit encryption
Impact:
- This policy enforces NTLMv2 session security with 128-bit encryption for all NTLM SSP-based client communications.
- Positive Impact: Increases the security of sessions by ensuring that all communications are encrypted and use the more secure NTLMv2 protocol.
- Negative Impact: Systems or applications that do not support NTLMv2 or 128-bit encryption may be unable to establish secure sessions, leading to potential communication failures. This might be an issue with older client systems or legacy applications.
- Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
- Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
- Setting: Require NTLMv2 session security, Require 128-bit encryption
Impact:
- This policy enforces NTLMv2 session security with 128-bit encryption for all NTLM SSP-based server communications.
- Positive Impact: Similar to the client-side policy, this increases the security of server communications by enforcing stronger encryption and protocol standards.
- Negative Impact: As with the client-side policy, systems or applications that cannot meet these requirements will be unable to connect, potentially leading to service disruptions.
General Considerations
- Compatibility: Before enforcing these policies, it’s essential to assess your environment for compatibility, especially if there are legacy systems or applications that may not support NTLMv2 or 128-bit encryption. Testing these settings in a non-production environment first is highly recommended.
- User Experience: Users and administrators may experience disruptions if they are not accustomed to these security settings, particularly with enforced logoff times and stricter authentication protocols.
- Security: Overall, these settings will strengthen the security posture of your servers by enforcing stronger authentication and encryption standards, which is particularly important in environments handling sensitive data or exposed to potential security threats.
hth
Marcin
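
Added example (not part of the answer above): a PowerShell check that reads a security policy export and reports whether the four settings discussed are in effect, which is useful before and after linking the GPO. The function name Test-NtlmBaseline and the sample lines are constructed for illustration; the setting names are the ones secedit writes to its export file, and treating LAN Manager levels above 3 as compliant is an assumption of this example.

```powershell
# $sample is constructed test data. On a real server, create the file with
#   secedit /export /cfg C:\Temp\secpol.inf /areas SECURITYPOLICY
# and run: Test-NtlmBaseline (Get-Content C:\Temp\secpol.inf)
$sample = @'
[System Access]
ForceLogoffWhenHourExpire = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,524288
'@ -split "`r?`n"

function Test-NtlmBaseline {
    param([string[]]$Lines)
    # Keep the last path segment as the name; registry lines are "path=type,value".
    $found = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?:[^=]*\\)?([^=\\\[\s]+)\s*=\s*(?:\d+,)?"?(\d+)"?\s*$') {
            $found[$Matches[1]] = [long]$Matches[2]
        }
    }
    # 0x00080000 = Require NTLMv2 session security, 0x20000000 = Require 128-bit encryption
    $need   = 0x00080000 -bor 0x20000000
    $checks = [ordered]@{
        ForceLogoffWhenHourExpire = { param($v) $v -eq 1 }
        LmCompatibilityLevel      = { param($v) $v -ge 3 }   # 3 = Send NTLMv2 response only
        NTLMMinClientSec          = { param($v) ($v -band $need) -eq $need }
        NTLMMinServerSec          = { param($v) ($v -band $need) -eq $need }
    }
    foreach ($name in $checks.Keys) {
        $present = $found.ContainsKey($name)   # a setting never configured is absent from the export
        [pscustomobject]@{
            Setting   = $name
            Value     = if ($present) { $found[$name] } else { 'not set' }
            Compliant = $present -and (& $checks[$name] $found[$name])
        }
    }
}

Test-NtlmBaseline $sample | Format-Table -AutoSize
```

In the constructed sample, the server-side session security value carries only the NTLMv2 flag, so that row is reported as non-compliant even though the client-side value passes.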