T 2.114 Inconsistent security settings for SMB, RPC, and LDAP under Windows Server

For Windows servers, the inherently insecure communication protocols SMB/CIFS and LDAP were extended with additional signing and encryption mechanisms. In Windows Server 2003 and higher, some of these mechanisms are already configured with default settings in the local security policy. The use of these mechanisms affects both the communication with all other Windows servers in the network and many basic services provided by Windows, so it affects the entire network. If these settings are not specified consistently and correctly throughout the network, the result can range from side effects that are difficult to track down to the malfunctioning of individual Windows servers and clients.

The availability of large sections of the Windows network can be severely affected by faulty configuration, incorrectly executed procedures, or activating the signing and encryption settings for SMB/CIFS and LDAP in the wrong order. In large environments, it may be very difficult to restore the Windows network to an operable state, since many network-based administration and control functions are disrupted in such a situation.

Inconsistent settings in a domain, especially on domain controllers, pose a great threat because the symptoms (malfunctions in administration functions such as group policies) may, under some circumstances, only be noticed after some time.

Older Windows versions are not directly compatible with the stricter security settings for SMB/CIFS, RPC, and LDAP. For example, trust relationships without Kerberos authentication, as are commonly used in large information systems distributed across several sites, are not directly compatible with the stricter security settings. If the affected IT systems are not analysed adequately and the rollout is not planned sufficiently, unexpected communication problems can seriously restrict the overall availability in all areas. Insufficient planning can also lead to high implementation costs later on.

Example:

In large environments, problems can arise when adding a server to a domain, as well as with trust relationships, if no end-to-end Kerberos-based trust relationship is used. Although the correct password has been entered, login attempts sporadically fail depending on which domain controller is randomly selected for the authentication attempt. Even the functionality of applications can be adversely affected.
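The inconsistency described in this threat is something an administrator can detect before it causes sporadic failures. The following PowerShell script is an added example, not part of the IT-Grundschutz text: it reads the registry values that back the local security policy entries for SMB signing (server and client side) and LDAP signing (domain controller and client side) from a list of hosts and reports every setting whose value differs between hosts. The host names are constructed placeholders; it assumes PowerShell remoting (WinRM) is enabled on the targets and that the caller has local administrator rights there. RPC settings are not covered, as they do not map to a single comparable value.

```powershell
# Added example (not part of the IT-Grundschutz text): audit SMB and LDAP
# signing settings across several Windows hosts and flag inconsistencies.
# Assumptions: WinRM is enabled on the targets, the caller is a local admin
# there, and the host names below are constructed placeholders.

$Hosts = @('dc01.example.local', 'dc02.example.local', 'fs01.example.local')  # constructed

# Registry values behind the local security policy entries:
#   LanmanServer      RequireSecuritySignature  1 = signing required, 0 = negotiated only
#   LanmanWorkstation RequireSecuritySignature  1 = signing required, 0 = negotiated only
#   NTDS\Parameters   LDAPServerIntegrity       1 = none, 2 = require signing (domain controllers only)
#   LDAP              LDAPClientIntegrity       0 = none, 1 = negotiate, 2 = require signing
$Checks = @(
    @{ Name = 'SmbServerRequireSigning'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Value = 'RequireSecuritySignature' },
    @{ Name = 'SmbServerEnableSigning';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Value = 'EnableSecuritySignature' },
    @{ Name = 'SmbClientRequireSigning'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'RequireSecuritySignature' },
    @{ Name = 'SmbClientEnableSigning';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'EnableSecuritySignature' },
    @{ Name = 'LdapServerIntegrity';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';              Value = 'LDAPServerIntegrity' },
    @{ Name = 'LdapClientIntegrity';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP';                         Value = 'LDAPClientIntegrity' }
)

# Runs on each remote host: read every value, report 'n/a' where the key or value is absent
# (for example LDAPServerIntegrity on a member server that is not a domain controller).
$ReadSettings = {
    param($Checks)
    $result = [ordered]@{ ComputerName = $env:COMPUTERNAME }
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $result[$c.Name] = if ($null -ne $item) { $item.($c.Value) } else { 'n/a' }
    }
    [pscustomobject]$result
}

# The unary comma keeps $Checks as a single array argument for the script block.
$Results = Invoke-Command -ComputerName $Hosts -ScriptBlock $ReadSettings -ArgumentList (,$Checks) -ErrorAction Continue

# Compare per setting among the hosts where the value exists: more than one distinct
# value means the setting is not applied consistently across the network.
foreach ($c in $Checks) {
    $present = $Results | Where-Object { $_.($c.Name) -ne 'n/a' }
    $groups  = $present | Group-Object -Property $c.Name
    if ($groups.Count -gt 1) {
        Write-Warning ("{0}: inconsistent across hosts" -f $c.Name)
        foreach ($g in $groups) {
            "  value {0}: {1}" -f $g.Name, (($g.Group.ComputerName) -join ', ')
        }
    }
}

# Full overview for the change record
$Results | Format-Table -AutoSize
```

Run the script from a management host before and after a signing or encryption policy is rolled out; hosts that still show a differing value after the group policy refresh interval are the ones whose local policy or replication needs attention. The same values can be read with Get-SmbServerConfiguration and Get-SmbClientConfiguration on Windows Server 2012 and later, but the registry path works on the older versions this threat refers to as well.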