ProLiant Deployment and Provisioning

RDP and Windows 2003 SMB Signing

 
John Hutchinson
New Member

RDP and Windows 2003 SMB Signing

I'm having problems running RDP within a Win2k3 environment as SMB signing is required for all communications within the domain. I've read a couple of docs within the Altiris support forum, but the only answer is basically don't install RDP onto a server or into a domain that requires SMB signing. This is not really appropriate as my customer is not prepared to run without it. Does anyone have any other comments?
Jonas Back_2
Super Advisor

Re: RDP and Windows 2003 SMB Signing

Hi John,

Interesting discussion. I've spent much time hardening our Windows 2003 systems and run into several problems with different applications. One of them is Altiris/RDP.

You are talking about the GPO-settings:
- Microsoft Network client: Digitally sign communications (always)
- Microsoft Network client: Digitally sign communications (if server agrees)
- Microsoft Network server: Digitally sign communications (always)
- Microsoft Network server: Digitally sign communications (if client agrees)

correct?

Are we also talking about applying those settings on the RDP-server and/or the Domain Controllers?
John Hutchinson
New Member

Re: RDP and Windows 2003 SMB Signing

Thanks for the reply, I'm actually working with my customer on this problem so I've asked them to comment on your reply. They have responded with the following comments to your question.

Local Policies/Security Options

Domain Controller
- Domain controller: LDAP server signing requirements: None

Domain Member
- Domain member: Digitally encrypt or sign secure channel data (always): Enabled

Microsoft Network Server
- Microsoft network server: Digitally sign communications (always): Enabled
- Microsoft network server: Digitally sign communications (if client agrees): Enabled

Network Security
- Network security: LAN Manager authentication level: Send NTLM response only

We are working with the default policies that are installed with fresh builds of Windows Server 2003.
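
The policy names discussed so far are backed by registry values, so the question of which host actually has them in effect can be answered by reading those values locally. The script below is an added example, not part of the original posts and not Altiris or HP tooling; it assumes PowerShell is installed on the host being checked and that it is run with rights to read these keys.

```powershell
# Added example: read the registry values behind the policy settings named in
# this thread. Run it locally on each host being compared.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$checks = @(
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)'
       Key = "$svc\LanmanWorkstation\Parameters"; Name = 'RequireSecuritySignature' },
    @{ Policy = 'Microsoft network client: Digitally sign communications (if server agrees)'
       Key = "$svc\LanmanWorkstation\Parameters"; Name = 'EnableSecuritySignature' },
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Key = "$svc\LanmanServer\Parameters"; Name = 'RequireSecuritySignature' },
    @{ Policy = 'Microsoft network server: Digitally sign communications (if client agrees)'
       Key = "$svc\LanmanServer\Parameters"; Name = 'EnableSecuritySignature' },
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Key = "$svc\Netlogon\Parameters"; Name = 'RequireSignOrSeal' },
    @{ Policy = 'Network security: LAN Manager authentication level'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel' }
)

# LmCompatibilityLevel 0-5, in the wording the policy editor uses.
$lmLevels = @(
    'Send LM & NTLM responses',
    'Send LM & NTLM - use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only, refuse LM',
    'Send NTLMv2 response only, refuse LM & NTLM'
)

foreach ($c in $checks) {
    $name = $c.Name
    # A missing key or value yields $null instead of a terminating error.
    $item = Get-ItemProperty -Path $c.Key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $state = 'value not present (operating system default applies)'
    } elseif ($name -eq 'LmCompatibilityLevel') {
        $level = [int]$item.$name
        if ($level -ge 0 -and $level -lt $lmLevels.Count) { $state = "$level = $($lmLevels[$level])" }
        else { $state = "$level (unrecognised level)" }
    } elseif ([int]$item.$name -eq 1) {
        $state = 'Enabled'
    } else {
        $state = 'Disabled'
    }
    # One line per setting, prefixed with the host name so outputs can be compared.
    '{0}: {1}: {2}' -f $env:COMPUTERNAME, $c.Policy, $state
}
```

Comparing the output from the RDP server with the output from a domain controller shows which side is enforcing signing or a stricter LAN Manager level.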
Jonas Back_2
Super Advisor

Re: RDP and Windows 2003 SMB Signing

Hi again,

I'm working with the exact same things so I definitely think we can exchange some thoughts.

Just to clarify. Have you set those policy settings on the Domain Controller only or also the RDP server? Or are you just PLANNING to enforce those security settings if it will work with RDP?

You can reply now if you can. I'll get back to you tomorrow with the exact policy settings we have in our domain.
Derek_31
Valued Contributor

Re: RDP and Windows 2003 SMB Signing

For the very reasons discussed, we do not allow Altiris to be loaded on any production network. It does not provide adequate security. SMB signing, NTLMv2 and other settings all break their MS-DOS client.

I would suggest looking at the SMS 2003 OS deployment application (released this week), MS ADS, or other solutions.

I'm very disappointed that Altiris/HP don't take security seriously for OS deployment.
Jonas Back_2
Super Advisor

Re: RDP and Windows 2003 SMB Signing

Hi Derek!

Thanks for helping out! I'm also very disappointed at HP for not taking this seriously. I understand this is not an HP product, but we're running another product from the HP OpenView family that fails when we set these settings, and their only answer is: "We don't support that! And we're not planning to do anything about it! Sorry!".

Anyway, if you just tighten this setting on the DOMAIN CONTROLLER and not the actual RDP-server, does this work if you use a LOCAL user to connect to the share instead of a domain user? I have a hard time trying this at the moment since I'm attending the MS ITForum.

But please let me know what you have tried and failed doing with Altiris.
Derek_31
Valued Contributor

Re: RDP and Windows 2003 SMB Signing

It does seem to work if you use a local account on the RDP server, don't force NTLMv2 and SMB signing. You are also limited to 8 character usernames and passwords.

Jonas Back_2
Super Advisor

Re: RDP and Windows 2003 SMB Signing

Hi Derek and John,

I am also disappointed about this. I just posted on the Altiris forum to get some attention about the matter. Would be nice to see if someone else thinks like me.

Please feel free to also post a reply so I'm not the only one who wants this in future releases :)

http://www.altiris.com/support/forum/tm.asp?m=343224&appid=&p=1&mpage=1&key=&language=&tmode=1&s=#343224