question

Sakura434-3888 asked DaisyZhou-MSFT commented

Policy types

I have DC 2016 and Win10 v1909/20H and 2004.
I'm doing hardening for Win10 policy; however, some of the policies are not configured in Security Options, but patches are updated.

Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Network access: Restrict clients allowed to make remote calls to SAM -----> what happens if I configure these on both server and client?


Thanks

windows-active-directory

Hello @Sakura434-3888,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

0 Votes 0 ·

Hello @Sakura434-3888,
I'm just following up to make sure you received my last reply and that my answers properly address your questions. If you have any further questions or concerns about this post, please let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

0 Votes 0 ·

1 Answer

DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @Sakura434-3888,

Thank you for posting here.

I have checked a 2016 DC in my lab.

By default, the following settings are not defined in Default Domain Policy.

Domain member: Digitally encrypt or sign secure channel data (always)==>Not defined
Domain member: Digitally encrypt secure channel data (when possible)==>Not defined
Domain member: Digitally sign secure channel data (when possible)==>Not defined
Domain member: Disable machine account password changes==>Not defined
Network access: Restrict clients allowed to make remote calls to SAM==>Not defined

The following settings are not defined in the Default Domain Controller Policy, except the first setting.

Domain member: Digitally encrypt or sign secure channel data (always)==>Enabled
Domain member: Digitally encrypt secure channel data (when possible)==>Not defined
Domain member: Digitally sign secure channel data (when possible)==>Not defined
Domain member: Disable machine account password changes==>Not defined
Network access: Restrict clients allowed to make remote calls to SAM==>Not defined

Q: Network access: Restrict clients allowed to make remote calls to SAM -----> what happens if I configure these on both server and client?
A: If the policy is defined, admin tools, scripts and software that formerly enumerated users, groups and group membership may fail.


For more information, please refer to link below.
Network access: Restrict clients allowed to make remote calls to SAM
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
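
Added example, not part of the original answer: a PowerShell audit that reports the effective local value of the five settings listed above, whichever GPO (or none) set them, and decodes the SAM restriction's security descriptor. The registry value names are not on this page; they are the ones these policies write under `Netlogon\Parameters` and `Control\Lsa`.

```powershell
# Added example: read the effective local state of the five settings discussed above.
# Run in an elevated PowerShell 5.1+ session on the Windows 10 client or the DC.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$settings = @(
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Key = $netlogon; Value = 'RequireSignOrSeal' }
    @{ Policy = 'Domain member: Digitally encrypt secure channel data (when possible)'
       Key = $netlogon; Value = 'SealSecureChannel' }
    @{ Policy = 'Domain member: Digitally sign secure channel data (when possible)'
       Key = $netlogon; Value = 'SignSecureChannel' }
    @{ Policy = 'Domain member: Disable machine account password changes'
       Key = $netlogon; Value = 'DisablePasswordChange' }
    @{ Policy = 'Network access: Restrict clients allowed to make remote calls to SAM'
       Key = $lsa; Value = 'RestrictRemoteSAM' }
)

$report = foreach ($s in $settings) {
    # A missing value is not an error here: it means no policy or local setting wrote it.
    $item = Get-ItemProperty -Path $s.Key -Name $s.Value -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { $item.($s.Value) } else { $null }

    [pscustomobject]@{
        Policy        = $s.Policy
        RegistryValue = $s.Value
        State         = if ($null -eq $raw)      { 'Absent (OS default applies)' }
                        elseif ($raw -is [string]) { $raw }          # SDDL string
                        elseif ($raw -eq 1)        { 'Enabled' }
                        else                       { 'Disabled' }
    }
}
$report | Format-List

# RestrictRemoteSAM is stored as an SDDL string; list the principals its ACL names.
# Accounts missing from this list are the ones whose remote SAM enumeration will fail.
$sddl = ($report | Where-Object RegistryValue -eq 'RestrictRemoteSAM').State
if ($sddl -and $sddl -notlike 'Absent*') {
    (ConvertFrom-SddlString -Sddl $sddl).DiscretionaryAcl
}

# To see which GPO (if any) supplied each value, compare with: gpresult /h report.html
```

Running it on a client and on a domain controller before and after linking the hardening GPO shows which of the "Not defined" settings changed on each side.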
