Query on GPO

Rising Flight 4,536 Reputation points
2024-09-21T13:33:21.0033333+00:00

Hi All

I have a requirement to enable the GPOs listed below on Windows Servers (2022/2019/2016). What could be the possible impact of applying these GPOs? Please guide me, as I am not sure.

Network security: Force logoff when logon hours expire-->Enabled
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire

Network security: LAN Manager authentication level-->Send NTLMv2 response only
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients-->Require NTLMv2 session security, Require 128-bit encryption
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers-->Require NTLMv2 session security, Require 128-bit encryption
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers


Accepted answer
  1. Marcin Policht 24,120 Reputation points MVP
    2024-09-21T14:42:28.3266667+00:00

    Applying the GPOs you listed will enforce specific security configurations related to network security, authentication, and session security on your Windows Servers (2022/2019/2016). Here is an overview of each GPO setting and its potential impact:

    1. Network security: Force logoff when logon hours expire
    • Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire
    • Setting: Enabled

    Impact:

    • This policy forces users to be logged off automatically when their allowed logon hours expire.
    • Positive Impact: Enhances security by preventing users from staying logged in beyond their permitted hours, which can help mitigate unauthorized access during off-hours.
    • Negative Impact: Users might lose unsaved work if they are forcefully logged off. This can be particularly disruptive if applied to servers used for critical tasks that require continuous access.
    2. Network security: LAN Manager authentication level
    • Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level
    • Setting: Send NTLMv2 response only

    Impact:

    • This policy restricts the system to only send NTLMv2 responses for authentication.
    • Positive Impact: NTLMv2 is more secure than its predecessors (NTLM or LM), reducing the risk of certain types of attacks such as replay attacks or brute-force attacks on older, less secure authentication methods.
    • Negative Impact: Legacy systems or applications that rely on older authentication protocols (e.g., NTLMv1 or LM) may fail to authenticate or communicate properly. This could lead to access issues or disruptions in environments where such systems are still in use.
    3. Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
    • Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
    • Setting: Require NTLMv2 session security, Require 128-bit encryption

    Impact:

    • This policy enforces NTLMv2 session security with 128-bit encryption for all NTLM SSP-based client communications.
    • Positive Impact: Increases the security of sessions by ensuring that all communications are encrypted and use the more secure NTLMv2 protocol.
    • Negative Impact: Systems or applications that do not support NTLMv2 or 128-bit encryption may be unable to establish secure sessions, leading to potential communication failures. This might be an issue with older client systems or legacy applications.
    4. Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
    • Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
    • Setting: Require NTLMv2 session security, Require 128-bit encryption

    Impact:

    • This policy enforces NTLMv2 session security with 128-bit encryption for all NTLM SSP-based server communications.
    • Positive Impact: Similar to the client-side policy, this increases the security of server communications by enforcing stronger encryption and protocol standards.
    • Negative Impact: As with the client-side policy, systems or applications that cannot meet these requirements will be unable to connect, potentially leading to service disruptions.

    General Considerations

    • Compatibility: Before enforcing these policies, it’s essential to assess your environment for compatibility, especially if there are legacy systems or applications that may not support NTLMv2 or 128-bit encryption. Testing these settings in a non-production environment first is highly recommended.
    • User Experience: Users and administrators may experience disruptions if they are not accustomed to these security settings, particularly with enforced logoff times and stricter authentication protocols.
    • Security: Overall, these settings will strengthen the security posture of your servers by enforcing stronger authentication and encryption standards, which is particularly important in environments handling sensitive data or exposed to potential security threats.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

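The compatibility assessment recommended in the answer above can start from what each server is currently configured to do. The following is an added example, not part of the original answer: it compares the registry values that back the three NTLM policies from the question against the requested settings. The function names `Test-NtlmBaseline` and `Get-LocalNtlmSettings` and the host name `LEGACY-APP01` are hypothetical.

```powershell
# Added example (not from the thread): check the three NTLM settings from the question.
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Key = "$LsaKey\MSV1_0"

# NtlmMinClientSec / NtlmMinServerSec are bit masks:
$RequireNtlmV2Session = 0x00080000
$Require128Bit        = 0x20000000
$RequiredSessionSec   = $RequireNtlmV2Session -bor $Require128Bit   # 0x20080000

function Test-NtlmBaseline {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        $LmCompatibilityLevel,   # 3 = "Send NTLMv2 response only"; 4 and 5 are stricter
        $NtlmMinClientSec,
        $NtlmMinServerSec
    )
    $checks = @(
        @{ Name = 'LmCompatibilityLevel'; Value = $LmCompatibilityLevel
           Meets = ($LmCompatibilityLevel -ge 3) }
        @{ Name = 'NtlmMinClientSec'; Value = $NtlmMinClientSec
           Meets = (($NtlmMinClientSec -band $RequiredSessionSec) -eq $RequiredSessionSec) }
        @{ Name = 'NtlmMinServerSec'; Value = $NtlmMinServerSec
           Meets = (($NtlmMinServerSec -band $RequiredSessionSec) -eq $RequiredSessionSec) }
    )
    foreach ($c in $checks) {
        # A missing value means the policy is not set and the OS default applies.
        $status = if ($null -eq $c.Value) { 'NotConfigured' } elseif ($c.Meets) { 'Compliant' } else { 'NonCompliant' }
        [pscustomobject]@{
            Computer = $ComputerName
            Setting  = $c.Name
            Value    = if ($null -eq $c.Value) { $null } else { '0x{0:X8}' -f [int]$c.Value }
            Status   = $status
        }
    }
}

function Get-LocalNtlmSettings {   # hypothetical helper: reads the live values on this server
    $lsa = Get-ItemProperty -Path $LsaKey
    $msv = Get-ItemProperty -Path $Msv10Key
    @{ ComputerName = $env:COMPUTERNAME; LmCompatibilityLevel = $lsa.LmCompatibilityLevel
       NtlmMinClientSec = $msv.NtlmMinClientSec; NtlmMinServerSec = $msv.NtlmMinServerSec }
}

# Constructed sample (hypothetical legacy host) so the logic can be exercised off-box:
$sample = @{ ComputerName = 'LEGACY-APP01'; LmCompatibilityLevel = 1
             NtlmMinClientSec = 0x20000000; NtlmMinServerSec = $null }
Test-NtlmBaseline @sample | Format-Table -AutoSize

# On a real server: $s = Get-LocalNtlmSettings; Test-NtlmBaseline @s
```

For the constructed sample, `LmCompatibilityLevel` and `NtlmMinClientSec` are reported as `NonCompliant` (the client mask has the 128-bit flag but not the NTLMv2 session security flag) and `NtlmMinServerSec` as `NotConfigured`.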

1 additional answer

  1. Rising Flight 4,536 Reputation points
    2024-09-23T22:54:04.1233333+00:00

    Thanks a lot. Before marking as answer, can you please help me with the two GPOs below?

    Network security: Restrict NTLM: Audit Incoming NTLM Traffic:Enable auditing for all accounts
    
    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Restrict NTLM: Audit Incoming NTLM Traffic
    
    Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers:Audit all or higher
    
    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Restrict NTLM: Outgoing NTLM traffic to remote servers
    
    
    
