In your "Domain Security Policy", under "Local Policies", "Security Options":
Network Security: (enable these)
1) LAN Manager authentication level: "Send NTLMv2 response only, Refuse LM"
2) LDAP client signing requirements: "Negotiate Signing"
3) Do not allow anonymous enumeration of SAM accounts (and shares)
4) Do not store LAN Manager hash value on next password change
Microsoft Network client
5) Digitally sign communications (always + if server agrees) = Enabled
6) Send
Microsoft Network server
7) Digitally sign communications (always + if server agrees) = Enabled
Domain Member:
8) Digitally encrypt and sign whenever possible.
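
To confirm the policy actually reached a machine, the registry values behind the fully named settings above can be read back after a policy refresh. This is an added example, not part of the original post; the mapping from each item to its registry value and the "minimum acceptable value" thresholds are assumptions based on the standard Windows locations for these options.

```powershell
# Added example: audit the registry values behind the security options listed above.
# Assumption: standard Windows registry locations for each policy setting.
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ldap = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$nl   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Item = number in the list above; Min = lowest DWORD that satisfies the setting.
$checks = @(
    @{ Item = 1; Key = $lsa;  Name = 'LmCompatibilityLevel';     Min = 4 }  # NTLMv2 only, refuse LM
    @{ Item = 2; Key = $ldap; Name = 'LDAPClientIntegrity';      Min = 1 }  # negotiate signing
    @{ Item = 3; Key = $lsa;  Name = 'RestrictAnonymousSAM';     Min = 1 }  # SAM accounts
    @{ Item = 3; Key = $lsa;  Name = 'RestrictAnonymous';        Min = 1 }  # accounts and shares
    @{ Item = 4; Key = $lsa;  Name = 'NoLMHash';                 Min = 1 }
    @{ Item = 5; Key = $wks;  Name = 'RequireSecuritySignature'; Min = 1 }  # client: always
    @{ Item = 5; Key = $wks;  Name = 'EnableSecuritySignature';  Min = 1 }  # client: if server agrees
    @{ Item = 7; Key = $srv;  Name = 'RequireSecuritySignature'; Min = 1 }  # server: always
    @{ Item = 7; Key = $srv;  Name = 'EnableSecuritySignature';  Min = 1 }  # server: if client agrees
    @{ Item = 8; Key = $nl;   Name = 'SealSecureChannel';        Min = 1 }  # encrypt when possible
    @{ Item = 8; Key = $nl;   Name = 'SignSecureChannel';        Min = 1 }  # sign when possible
)

function Test-SecurityOption {
    param([Parameter(Mandatory)][hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $prop   = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $actual = $null
        if ($prop) { $actual = $prop.($c.Name) }

        # A missing value is reported as a failure so it gets reviewed by hand,
        # even though Windows may fall back to a built-in default.
        $pass  = ($null -ne $actual) -and ([int]$actual -ge $c.Min)
        $shown = 'not set'
        if ($null -ne $actual) { $shown = [string]$actual }

        [pscustomobject]@{
            Item     = $c.Item
            Setting  = $c.Name
            Key      = $c.Key -replace '^HKLM:\\SYSTEM\\CurrentControlSet\\', ''
            Expected = ">= $($c.Min)"
            Actual   = $shown
            Pass     = $pass
        }
    }
}

$results = @(Test-SecurityOption -Checks $checks)
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

Run it in an elevated session after `gpupdate /force`; a non-zero exit code means at least one value is weaker than the list above or is absent.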