Leaked source code of windows server 2003

76 lines
5.4 KiB

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">
<HTML DIR="LTR">
<HEAD>
<TITLE>Compatibility Details</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=Windows-1252">
</HEAD>
<BODY BGCOLOR="#ffffff">
<FONT FACE="verdana" SIZE="2">
<P>Windows 95 and Windows NT 4.0 interoperability issues.
</P>
<P>&nbsp;</P>
<P>SUMMARY
</P>
<P>Windows Server 2003 Domain Controllers implement default security settings
that help prevent Domain Controller communications from being hijacked or
otherwise tampered with. Certain downlevel machines are not capable of meeting
these security requirements and thus cannot communicate with Windows Server 2003 Domain
Controllers without administrative intervention.
</P>
<P>Affected machines include Windows for Workgroups, Windows 95 machines that do not have the DS client pack installed, Windows NT 4.0 machines prior to Service Pack 4, and devices, including Pocket PC 2002 and previous versions, based on the Windows CE .NET version 4.1 or earlier.</P>
<P>&nbsp;</P>
<P>SMB SIGNING</P>
<P>By default, Windows Server 2003 Domain Controllers require that all clients digitally sign SMB-based communications. The SMB protocol is used to provide file sharing, print sharing, various remote administration functions, and logon authentication for some downlevel clients. Windows for Workgroups, Windows 95 machines without the DS Client Pack, Windows NT 4.0 machines prior to Service Pack 3, and devices, including Pocket PC 2002 and previous versions, based on the Windows CE .NET version 4.1 or earlier are not capable of performing SMB signing and therefore cannot connect to Windows Server 2003 Domain Controllers by default. If such clients cannot be upgraded to a current operating system or upgraded to meet the minimum requirements described above, then the SMB signing requirement can be removed by disabling the following security policy in the Default Domain Controller GPO on the domain controllers OU:
</P>
<P>Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft Network Server: Digitally sign communications (always)</P>
<P>Detailed instructions on how to modify this setting are provided below.</P>
<P>Warning: Disabling this security setting exposes all of your Domain Controller communications to "man in the middle" types of attacks. Therefore it is highly recommended that you upgrade your clients rather than disabling this security setting. The DS Client Pack, necessary for Windows 95 clients to perform SMB signing, can be obtained from the \clients\win9x sub-directory of the Windows 2000 Server CD.</P>
<P>&nbsp;</P>
<P>SECURE CHANNEL SIGNING</P>
<P>By default, Windows Server 2003 Domain Controllers require that all secure channel communications be either signed or encrypted. Secure channels are used by Windows NT-based machines for communications between domain members and domain controllers as well as between domain controllers that have a trust relationship. Windows NT 4.0 machines prior to Service Pack 4 are not capable of signing or encrypting secure channel communications. If Windows NT 4.0 machines prior to SP4 must join this domain, or this domain must trust other domains that contain pre-SP4 Domain Controllers, then the secure channel signing requirement can be removed by disabling the following security policy in the Default Domain Controller GPO:</P>
<P>Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain Member: Digitally encrypt or sign secure channel data (always)</P>
<P>Detailed instructions on how to modify this setting are provided below.</P>
<P>Warning: Disabling this security setting exposes secure channel communications to "man in the middle" types of attacks. Therefore it is highly recommended that you upgrade your Windows NT 4.0 machines rather than disabling this security setting.</P>
<P>&nbsp;</P>
<P>MODIFYING THE DEFAULT DOMAIN CONTROLLER GPO</P>
<P>To ensure all domain controllers are enforcing the same SMB and secure channel
signing requirements, define the corresponding security settings in the Default
Domain Controller GPO as follows:</P>
<OL>
<LI>
Log on to a machine that has the Active Directory Users and Computers Snap-in
installed.
</LI>
<LI>
Start --&gt; Run --&gt; DSA.MSC
</LI>
<LI>
Expand the Domain that contains your Windows Server 2003 Domain Controllers.
</LI>
<LI>
Right-click on the Domain Controllers OU, and then click Properties.
</LI>
<LI>
Click the Group Policy tab, select the "Default Domain Controller Policy", and
then click Edit.
</LI>
<LI>
Expand Computer Configuration, Windows Settings, Security Settings, Local
Policies, Security Options.
</LI>
<LI>
In the result pane, double-click the security option you want to modify. For
example, Microsoft Network Server: Digitally sign communications (always) or
Domain Member: Digitally encrypt or sign secure channel data (always).
</LI>
<LI>
Check the "Define this policy setting" box.
</LI>
<LI>
Disable or Enable the security setting as desired, and then select OK.
</LI>
</OL>
</FONT>
</BODY>
</HTML>