If you’re dual-booting a computer, you should be aware that Windows sees each installation as a separate computer, and a separate machine account. Each installation generates its own unique password.

You must create a unique computer name for each version of Windows in a dual-booting computer; otherwise, the name/password combination fails when the computer attempts to create a secure channel for logging on to the domain.

Figure 5-1. There are several policies for changing the way machine accounts manage passwords and secure communications.

154

Windows Server 2003: The Complete Reference

Complete Reference / Windows Server 2003: TCR / Ivens / 219484-7 / Chapter 5

Digitally Encrypt or Sign Secure Channel Data (Always) This policy is not enabled by default, but if you have computers in an OU, or an individual computer, for which you want to enable this policy, double-click the listing and select the Enable radio button. It’s almost never necessary to enable this policy, because the policy Digitally Encrypt or Sign Secure Channel Data (When Possible) is enabled by default (that policy is discussed next). With this policy enabled, secure channel data is always encrypted or signed. You should take the following facts into consideration before deciding to enable this policy:

■ Logon information that’s transmitted over the secure channel is always encrypted, even if all other traffic across the secure channel isn’t.

■ The secure channel traffic managed by this policy is only the traffic initiated by the domain member computer.

■ You cannot enable this policy unless all the domain controllers on the domain are running Windows NT 4 Service Pack 6 or higher.

■ If you enable this policy, the policy Digitally Sign Secure Channel Data (When Possible) is also assumed to be enabled (irrespective of its setting).

Digitally Encrypt or Sign Secure Channel Data (When Possible) This setting, which is enabled by default, specifies that the computer must attempt to negotiate encryption for all the traffic it initiates over the secure channel. If the domain controller supports encryption of all secure channel traffic (DCs running Windows NT 4.0 Service Pack 6 or higher support encryption), then all the traffic is encrypted. If the DC doesn’t support encryption of all traffic, only logon information that’s sent over the secure channel is encrypted.

I cannot think of a single reason (or excuse) for disabling this policy. Not only would that action substantially lower the security of your network, but it may interfere with applications that use the secure channel, because many API calls in applications written for Windows Server 2003/Windows 2000 require that the secure channel be encrypted or signed.

Digitally Sign Secure Channel Data (When Possible) This policy, which is enabled by default, specifies that the computer attempts to negotiate signing for all the traffic it initiates over the secure channel. As long as the DC supports signing of secure channel traffic (DCs running NT4 SP6 or higher do), all secure channel traffic is signed.

Signing differs from encryption in that encryption is designed to stop outsiders from reading data that’s passed through the secure channel, whereas signing is designed to stop outsiders from tampering with the data.

Disable Machine Account Password Changes This policy is disabled by default (I get so annoyed at policies that start with the word “disable” and are enabled to avoid disabling something). If you enable the policy, you’re disabling the security inherent in password changes, because you’re telling the computers to stop changing their passwords. This means a hacker who found some way to break the password has permanent access to the secure channel data initiated by the computer.

Some administrators enable this policy because a computer is denied access to the domain. In every case, the computer was dual-booting and the administrator didn’t realize that each Windows installation requires a discrete computer name in order to create a machine account (discussed earlier in this chapter).

Maximum Machine Account Password Age Double-click this policy to change the interval at which computers create a new machine account password. The policy is labeled “not defined,” but it is in fact defined as 30 days. To change the interval between password changes, select Define the Policy Setting and specify the new interval, in days. You can use this policy to reduce the strain on the DCs. Most of the time this isn’t necessary (or advisable), but if you rolled out a new Windows Server 2003 domain, it’s possible that all the computers that log on to the domain now have the same password expiration date. For most of my clients, that means hundreds of computers trying to notify the DCs of a new password, followed by immediate replication of each password to the other DCs. For many of you, the numbers are in the thousands.

To stagger the workload for the DC, it’s a good idea to make this change on an OU basis, setting a different interval for each OU.
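One way to carry out the per-OU staggering just described, as an added example that is not code from the book or from Microsoft: a PowerShell script that creates one GPO per OU, sets a different maximum machine account password age in each, and links it to that OU. It uses the GroupPolicy module (available on a DC or with RSAT). The OU names and the day intervals in the table are constructed for illustration; substitute your own OU layout. Note the assumption that the setting is written through Set-GPRegistryValue as the Netlogon registry value that backs the policy; GPMC reports then show it under extra registry settings rather than under Security Options, which is where you would find it if you set it through the Group Policy editor as in Figure 5-1.

```powershell
# Added example, not from the book: stagger "Maximum machine account password age"
# across OUs so that computers in different OUs renew their passwords on different
# days instead of all notifying the DCs at once.
# Requires the GroupPolicy module and rights to create and link GPOs.
Import-Module GroupPolicy

# Backing registry value for the "Maximum machine account password age" policy.
$netlogonKey = 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Domain DN without depending on the ActiveDirectory module.
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext

# Constructed plan (assumption): OU name -> password age in days.
# Intervals a few days apart spread the renewal load over the month.
$plan = @(
    @{ Ou = 'Workstations-Floor1'; Days = 28 },
    @{ Ou = 'Workstations-Floor2'; Days = 31 },
    @{ Ou = 'Workstations-Floor3'; Days = 34 },
    @{ Ou = 'MemberServers';       Days = 37 }
)

foreach ($entry in $plan) {
    $gpoName = "Netlogon - machine password age $($entry.Days)d - $($entry.Ou)"
    $target  = "OU=$($entry.Ou),$domainDn"

    # Create the GPO once; rerunning the script only updates the value.
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $gpoName -Comment 'Staggers machine account password renewal per OU'
    }

    # Write the interval (in days) as the DWORD Netlogon reads for this policy.
    Set-GPRegistryValue -Name $gpoName -Key $netlogonKey -ValueName 'MaximumPasswordAge' `
        -Type DWord -Value $entry.Days | Out-Null

    # Link to the OU unless it is already linked there.
    $alreadyLinked = (Get-GPInheritance -Target $target).GpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $alreadyLinked) {
        New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null
    }

    Write-Host ("{0,-55} -> {1} ({2} days)" -f $gpoName, $target, $entry.Days)
}
```

Computers in each OU pick the new interval up at their next policy refresh; because the existing password ages differ per OU from then on, the renewal bursts no longer coincide.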

Require Strong (Windows 2000 or Later) Session Key This setting, disabled by default, specifies whether 128-bit key strength is required for encrypted secure channel data. You cannot enable this setting unless all the domain controllers are running Windows 2000 or Windows Server 2003.
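An audit that ties the six policies in this section together, plus the dual-boot point made at the start of the section, as an added example that is not code from the book or from Microsoft: it reads the Netlogon registry values that back each policy on a domain member, falls back to the implicit defaults the text gives when a value is "not defined" (30 days for the password age, encryption and signing on), flags the settings that weaken the secure channel, and finally checks that the secure channel to the domain works at all, which is the check that fails when two dual-boot installations share a computer name. The baseline wording and the Write-Host layout are this example's own; run it in an elevated PowerShell session on the member computer.

```powershell
# Added example, not from the book: audit a domain member's effective Netlogon
# secure-channel settings against the defaults this section describes, then verify
# that the secure channel to the domain is healthy.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Read a DWORD from the Netlogon parameters, or the policy's implicit default when absent.
function Get-NetlogonValue {
    param([string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $netlogon -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

# Evaluate the six settings; returns the values read and a list of findings.
function Get-SecureChannelFindings {
    $s = [ordered]@{
        RequireSignOrSeal     = Get-NetlogonValue 'RequireSignOrSeal'     0   # encrypt or sign (always)
        SealSecureChannel     = Get-NetlogonValue 'SealSecureChannel'     1   # encrypt (when possible)
        SignSecureChannel     = Get-NetlogonValue 'SignSecureChannel'     1   # sign (when possible)
        DisablePasswordChange = Get-NetlogonValue 'DisablePasswordChange' 0
        MaximumPasswordAge    = Get-NetlogonValue 'MaximumPasswordAge'    30  # days
        RequireStrongKey      = Get-NetlogonValue 'RequireStrongKey'      0
    }
    $findings = New-Object System.Collections.Generic.List[string]

    if ($s.SealSecureChannel -ne 1) {
        $findings.Add('SealSecureChannel=0: encryption is no longer negotiated; only logon data on the secure channel is encrypted, and API calls that need an encrypted channel may fail.')
    }
    if ($s.SignSecureChannel -ne 1) {
        $findings.Add('SignSecureChannel=0: secure channel traffic is not signed, so tampering goes undetected.')
    }
    if ($s.DisablePasswordChange -eq 1) {
        $findings.Add('DisablePasswordChange=1: the machine account password never rotates; a compromised password keeps working indefinitely.')
    }
    if ($s.MaximumPasswordAge -gt 30) {
        $findings.Add("MaximumPasswordAge=$($s.MaximumPasswordAge): rotation is less frequent than the 30-day default.")
    }
    if ($s.RequireSignOrSeal -eq 1) {
        $findings.Add('RequireSignOrSeal=1 (informational): every DC must run NT4 SP6 or later, or the secure channel cannot be established.')
    }
    if ($s.RequireStrongKey -eq 1) {
        $findings.Add('RequireStrongKey=1 (informational): every DC must run Windows 2000 or later.')
    }
    return @{ Settings = $s; Findings = $findings }
}

$result = Get-SecureChannelFindings
Write-Host "Computer name: $env:COMPUTERNAME (each dual-boot installation needs its own)"
$result.Settings.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value } | Write-Host

if ($result.Findings.Count -eq 0) {
    Write-Host 'Settings match the defaults described for this section.'
} else {
    $result.Findings | ForEach-Object { Write-Warning $_ }
}

# A duplicate computer name or a stale machine password shows up as a broken secure
# channel. Test-ComputerSecureChannel exists on Windows 8 / Server 2012 and later;
# on older systems use "nltest /sc_query:<domain>" for the same check.
if (Get-Command Test-ComputerSecureChannel -ErrorAction SilentlyContinue) {
    $healthy = Test-ComputerSecureChannel
    Write-Host "Secure channel to $env:USERDNSDOMAIN healthy: $healthy"
}
```

Values set through Group Policy land in the same registry key, so the script reports the effective result whether a setting came from a domain or OU policy or from local configuration; run it on one computer per OU after a policy change to confirm what actually applied.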