RE: [ActiveDir] Hardening Active Directory

[Leney, Justin]

Title: Message

Another setting that can have detrimental affects on down-level clients is the LAN Manager Authentication Level. Set it the highest level only if you will have Win2000/XP clients authenticating the domain.   The AD servers on the net; are they going to just support a web front end or something similar, or are users going to actually authenticate to them on a day to day basis?   -----Original Message----- From: Tim Hines [mailto:[EMAIL PROTECTED]] Sent: Friday, December 27, 2002 1:59 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Hardening Active Directory I think that Gil is referring to the setting that sets "shut down the computer when the security audit log is full".  That caused servers to reboot over and over.  I also recall that one of the templates set additional restrictions for anonymous connections to "no access without explicit anonymous permissions".  This will kill downlevel trusts and keep downlevel clients from logging on.     Tim Hines, MCSA, MCSE (2000 & NT4) MVP - Active Directory         ----- Original Message ----- From: Larry A. Duncan To: [EMAIL PROTECTED] Sent: Friday, December 27, 2002 1:30 PM Subject: RE: [ActiveDir] Hardening Active Directory Can you expand, Gil? I'd rather not find out the hard way... J   Larry A. Duncan, MCSA/MCSE Solutions Architect, CompTrends Consulting [EMAIL PROTECTED] http://www.comptrends.com/ ph. 615.598.0241   DMOZ: Systems_Management/Installers LAUNCHCast Radio: 1237556939 Columnist: myITForum.com Author: Windows & .NET Magazine   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Gil Kirkpatrick Sent: Friday, December 27, 2002 11:43 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Hardening Active Directory   Like the infamous "all my DCs just start rebooting themselves every 15 minutes" problem? ;-)   -gil -----Original Message----- From: Tim Hines [mailto:[EMAIL PROTECTED]] Sent: Friday, December 27, 2002 10:35 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Hardening Active Directory Make sure that you test any security recommendations in a lab before deploying them on your network.  I have seen some of the templates from the NSA cause problems.      Tim Hines, MCSA, MCSE (2000 & NT4) MVP - Active Directory         ----- Original Message ----- From: Larry A. Duncan To: [EMAIL PROTECTED] Sent: Friday, December 27, 2002 11:29 AM Subject: RE: [ActiveDir] Hardening Active Directory   Best Practices for Designing a Secure Active Directory http://fetchportal.com/click_thru.asp?LinkId=131   Ops Guide for Securing Active Directory http://fetchportal.com/links.asp?CatId=21     Larry A. Duncan, MCSA/MCSE Solutions Architect, CompTrends Consulting [EMAIL PROTECTED] http://www.comptrends.com/ ph. 615.598.0241   DMOZ: Systems_Management/Installers LAUNCHCast Radio: 1237556939 Columnist: myITForum.com Author: Windows & .NET Magazine   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Brad Martin Sent: Friday, December 27, 2002 10:11 AM To: Active Directory Mailing List Subject: [ActiveDir] Hardening Active Directory   Anyone have any good links with tips on securing Active Directory?  I'm going to have a couple of AD servers out on the Net, so I want to do what I can to lock them down.   Brad Martin Go Daddy Software [EMAIL PROTECTED] 480.505.8800 ext. 250