Prereqs for "Require NTLMv2 session security"?

I have a requirement to set this up for servers on my Domain environment (both the client and server version). Workstations are Windows 10 and all Servers are Server 2019.

I know how to do it through GPO, but I am wondering if this can be done without certificates? All of our workstations are devoid of any (according to the Cert Manager "Personal" store anyways) and a few of the servers have yet to get any either. Would setting this policy to "Require 128-bit encryption" break things if certain elements of my Domain have no certificates?

As yet when I think "encryption" I think "certificates", so this is what I am basing my question on. MS documentation just says "older clients that don't support it won't be able to communicate" without any elaboration - I'd imagine both Windows versions I'm using are new enough at least, but there may be more I'm not considering.

cn flag
This has been the default setting for over a decade so there typically is not an impact unless it had previously been disabled. This only affects NTLM and not certificates.
us flag
It currently is not configured at all through group policy; a check into the regkey that stores the value reveals 0x20080030 (537395248) but I am not able to find out what that refers to as a setting. Is this what you mean by it having been "previously disabled"? Allegedly it needs to have the value of 537395200, which would be setting it to requiring 128.
cn flag
`HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0!NTLMMinServerSec` 0x20000000 == require 128 bit encryption, 0x00080000 == Require NTLMv2 session security, 0x00000010 == Require message integrity, 0x00000020 == Require message confidentiality. 0x20080030 or if the value is absent, all values are enabled. That is the default since Windows 7/2010. https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-ntlm-2-authentication
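An added example (not code from this thread): a read-only PowerShell check that decodes the flag bits listed in the comment above for both `NtlmMinClientSec` and `NtlmMinServerSec` under that key (the client value name is assumed from the linked Microsoft article), and shows which bits the GPO setting actually controls.

```powershell
# Added example (not from this thread): decode the NTLM minimum session security
# bitmask on the local machine. Reads HKLM only; it does not modify anything.
# Flag bits are the ones listed in the comment above (MS "enable NTLM 2" article).
$NtlmMinSecFlags = [ordered]@{
    'Require message integrity'       = [uint32]0x00000010
    'Require message confidentiality' = [uint32]0x00000020
    'Require NTLMv2 session security' = [uint32]0x00080000
    'Require 128-bit encryption'      = [uint32]0x20000000
}
# The GPO "Minimum session security for NTLM SSP ..." exposes only these two bits;
# both boxes checked = 0x20080000 = 537395200, the value mentioned in the question.
$GpoBothBits = [uint32]0x20080000

function ConvertFrom-NtlmMinSec {
    param([Parameter(Mandatory)][uint32]$Value)
    $enabled = foreach ($f in $NtlmMinSecFlags.GetEnumerator()) {
        if (($Value -band $f.Value) -ne 0) { $f.Key }
    }
    [uint32]$known = 0
    foreach ($bit in $NtlmMinSecFlags.Values) { $known = $known -bor $bit }
    # Bits set in the value that are not in the table above (e.g. 56-bit encryption).
    $unknown = $Value -bxor ($Value -band $known)
    [pscustomobject]@{
        Value       = ('0x{0:X8} ({1})' -f $Value, $Value)
        Enabled     = @($enabled)
        UnknownBits = ('0x{0:X8}' -f $unknown)
        GpoBothSet  = (($Value -band $GpoBothBits) -eq $GpoBothBits)
    }
}

# Read both value names; an absent value means the OS default (all bits above set).
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
    $item = Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Host "$name is not set; effective default is 0x20080030"
        $raw = [uint32]0x20080030
    } else {
        # DWORDs come back as Int32; mask first to avoid a cast error if bit 31 is set.
        $raw = [uint32]($item.$name -band 0xFFFFFFFF)
    }
    Write-Host "== $name"
    ConvertFrom-NtlmMinSec -Value $raw | Format-List
}
# The value the question cites, decoded: only the two GPO-controlled bits are set.
ConvertFrom-NtlmMinSec -Value 537395200 | Format-List
```

Running this on a machine whose value reads 0x20080030 lists all four flags as enabled and `GpoBothSet` as true, so the GPO's "Require 128-bit encryption" option would not tighten anything that is not already in effect.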
us flag
Thanks! I had an opportunity to look further into this and I was surprised to discover that in spite of what I was seeing, this was already received in an existing GPO but not actually setting the regkey - do you know if there's some kind of special setup required for this as a policy object?