Security Templates and 2000 server to down-level clients

MoCity

Hi,
I was wondering where I could get more information
regarding use of the built-in security templates for
Windows 2000 for networks that are running 2000 servers
but down-level clients (NT, 98, 95).
It's clear that the Hi-Secure template will not work in
this situation: The Microsoft Windows Security Resource Kit
says "The High Secure template configures many operational
parameters to their extreme values without regard for
performance, operational ease of use, or connectivity with
clients using third-party or earlier versions of
NTLM... Using high secure templates in an environment with
Windows 98 or Windows NT can cause problems."
But what about the Secure template?
What specific security settings cause non-compatibility
with down-level clients?
As usual, all help is appreciated. Have a nice weekend.
 
Steven L Umbach

Be careful with security templates. The Secure template changes a few things which
you can and should view in the MMC snap-in for Security Templates. I would also
suggest that you run the Security Configuration and Analysis tool against that
template to see what the changes are for your computers, which will help you document
changes. And ALWAYS have a backout plan, which may include backups and a "rollback"
template that you can configure manually [unlike in 2003].

The main changes it makes are to enable password complexity and account lockout. It
also enables some auditing of security events and changes a few security options.
Two main ones in particular are changing "additional restrictions for anonymous
connections" to "do not allow enumeration of SAM accounts and shares", and "LAN Manager
authentication level" is changed to "send NTLM responses only". The change in
additional restrictions for anonymous connections may cause some problems with your
down-level clients, such as not being able to change passwords. A LAN Manager
authentication level of "send NTLM responses only" could cause problems with 95/98, as
they only use LM authentication unless you install Client for Directory Services on
them and modify their registry to the "3" level for LAN Manager authentication level.
That will allow them to use NTLMv2, which would allow you to set that security option
to "send NTLMv2 responses only" for the domain and domain controller security policy.

For your configuration, refer to the Windows 2000 Security Guide in the link below to
help determine how to set security settings, and then see the KB link on how to
configure settings in mixed environments and the tricks and traps involved.
-- Steve

http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/05sconfg.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
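The two settings Steve singles out live in the [Registry Values] section of a template .inf file as LSA REG_DWORD entries. The following script is an added example, not from this thread or from Microsoft: it parses a constructed template excerpt and reports the values the reply above says can trouble NT/9x clients. The level-number-to-label mapping for LmCompatibilityLevel and the meaning of RestrictAnonymous=1 are assumed from the standard Windows 2000 security option definitions.

```python
# Constructed excerpt in security-template .inf format (not one of the
# real Microsoft templates); only the two LSA values discussed are included.
SAMPLE_TEMPLATE = """
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,1
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,2
"""

LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"

# LmCompatibilityLevel values as shown in the Security Options UI.
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM & NTLM",
}

def parse_registry_values(template_text):
    """Return {registry path: int} for REG_DWORD (type 4) entries in [Registry Values]."""
    values, in_section = {}, False
    for line in template_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        if in_section and "=" in line:
            path, _, data = line.partition("=")
            reg_type, _, raw = data.partition(",")
            if reg_type == "4":           # 4 = REG_DWORD in template syntax
                values[path] = int(raw)
    return values

def downlevel_issues(values):
    """List template settings the reply flags as risky for NT/95/98 clients."""
    issues = []
    ra = values.get(LSA + "RestrictAnonymous", 0)
    if ra >= 1:
        issues.append(f"RestrictAnonymous={ra}: down-level clients may be "
                      "unable to change passwords")
    lm = values.get(LSA + "LmCompatibilityLevel", 0)
    if lm >= 2:
        issues.append(f"LmCompatibilityLevel={lm} ({LM_LEVELS[lm]}): Win95/98 "
                      "send LM only unless DS Client is installed and set to level 3")
    return issues

if __name__ == "__main__":
    for issue in downlevel_issues(parse_registry_values(SAMPLE_TEMPLATE)):
        print(issue)
```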