Group Policy Options for Signing and Encryption

Posted by Will on November 30, 2005, 2:28 am
Do the Group Policy Security options for client and server signing and
encrypting of secure channel data require that you have a public key
infrastructure setup with a dedicated PKI server?

--
Will



Posted by Paul Adare on November 30, 2005, 3:19 am
microsoft.public.windows.server.security news group, Will <westes-usc@noemail.nospam> says...

> Do the Group Policy Security options for client and server signing and
> encrypting of secure channel data require that you have a public key
> infrastructure setup with a dedicated PKI server?
>

No.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea

Posted by Will on November 30, 2005, 3:40 am
Whenever I have tried turning these options on in a Windows 2000 domain
running W2K native mode and all W2K member servers, literally everything
breaks. Clients won't talk to each other and won't talk to the DC either.
Various references I saw online said this is a common result without saying
why or how to fix it, aside from turning off the signing and encryption.

What are some possible causes for that behavior?

--
Will


> microsoft.public.windows.server.security news group, Will <westes-usc@noemail.nospam> says...
>
> > Do the Group Policy Security options for client and server signing and
> > encrypting of secure channel data require that you have a public key
> > infrastructure setup with a dedicated PKI server?
> >
>
> No.
>
> --
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/



Posted by Roger Abell [MVP] on November 30, 2005, 10:45 pm
You do need to coordinate the settings so that it is possible for
the two parties to negotiate an agreed upon, common choice.
The security/hardening and threats and countermeasures guides
have some discussion for these policies and their implications
(at least the W2k3/XP generation of papers do).

--
Roger Abell
Microsoft MVP (Windows Server : Security)

> Whenever I have tried turning these options on in a Windows 2000 domain
> running W2K native mode and all W2K member servers, literally everything
> breaks. Clients won't talk to each other and won't talk to the DC either.
> Various references I saw online said this is a common result without saying
> why or how to fix it, aside from turning off the signing and encryption.
>
> What are some possible causes for that behavior?
>
> --
> Will
>
>
>> microsoft.public.windows.server.security news group, Will <westes-usc@noemail.nospam> says...
>>
>> > Do the Group Policy Security options for client and server signing and
>> > encrypting of secure channel data require that you have a public key
>> > infrastructure setup with a dedicated PKI server?
>> >
>>
>> No.
>>
>> --
>> Paul Adare
>> MVP - Windows - Virtual Machine
>> http://www.identit.ca/blogs/paul/
>
>



Posted by Steven L Umbach on December 1, 2005, 12:30 am
There used to be problems reported with XP and SMB signing in a Windows 2000
domain, but I believe that was all fixed with SP2. Beyond that, as Roger said,
it is important to make sure all computers have compatible settings for
server/client. I believe by default the two "when possible" options are
enabled. You might try testing just a server or two having only "always"
enabled, after making sure all the other computers are at least in "when
possible" mode, to see what happens.

--- Steve


> Whenever I have tried turning these options on in a Windows 2000 domain
> running W2K native mode and all W2K member servers, literally everything
> breaks. Clients won't talk to each other and won't talk to the DC either.
> Various references I saw online said this is a common result without saying
> why or how to fix it, aside from turning off the signing and encryption.
>
> What are some possible causes for that behavior?
>
> --
> Will
>
>
>> microsoft.public.windows.server.security news group, Will <westes-usc@noemail.nospam> says...
>>
>> > Do the Group Policy Security options for client and server signing and
>> > encrypting of secure channel data require that you have a public key
>> > infrastructure setup with a dedicated PKI server?
>> >
>>
>> No.
>>
>> --
>> Paul Adare
>> MVP - Windows - Virtual Machine
>> http://www.identit.ca/blogs/paul/
>
>
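
Added example, not part of any post in the thread: a simplified Python model of the negotiation Roger and Steven describe, which assumes a connection fails when one side is set to "always" and the other has signing turned off. Host names and settings are constructed; the script lists which machines must reach at least "when possible" before a given host is moved to "always".

```python
from itertools import product

# Per-role settings, named after the policy wording used in the thread.
OFF, WHEN_POSSIBLE, ALWAYS = "off", "when possible", "always"

def negotiate(client, server):
    """Outcome when a client-side setting meets a server-side setting."""
    pair = {client, server}
    if ALWAYS in pair and OFF in pair:
        return "fail"      # one side insists on signing, the other cannot do it
    if ALWAYS in pair or pair == {WHEN_POSSIBLE}:
        return "signed"
    return "unsigned"

def broken_pairs(inventory):
    """(client_host, server_host) pairs whose settings cannot agree."""
    return sorted(
        (c, s)
        for c, s in product(inventory, repeat=2)
        if c != s
        and negotiate(inventory[c]["client"], inventory[s]["server"]) == "fail"
    )

def blockers_for(inventory, host):
    """Hosts that would break if `host` alone were switched to 'always'."""
    trial = {name: dict(cfg) for name, cfg in inventory.items()}
    trial[host] = {"client": ALWAYS, "server": ALWAYS}
    return sorted({h for pair in broken_pairs(trial) if host in pair
                   for h in pair if h != host})

# Constructed inventory (hypothetical host names and settings).
INVENTORY = {
    "DC1": {"client": WHEN_POSSIBLE, "server": WHEN_POSSIBLE},
    "FS1": {"client": WHEN_POSSIBLE, "server": WHEN_POSSIBLE},
    "WS1": {"client": WHEN_POSSIBLE, "server": OFF},
    "WS2": {"client": OFF, "server": OFF},
}

if __name__ == "__main__":
    print("broken today:", broken_pairs(INVENTORY))
    for name in INVENTORY:
        print(f"{name} -> always; fix first:", blockers_for(INVENTORY, name))
```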


