HP StorageWorks X5000 Technical Manual page 52

NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC Security Compliancy
environment.
The Network security: LAN Manager Authentication level security option setting determines which
challenge/response authentication protocol is used for network logons. This choice affects the level of
authentication protocol used by clients, the level of security negotiated, and the level of authentication
accepted by servers, as follows. The numbers in parentheses below are the actual settings
for the LM Compatibility Level registry value. This setting should be configured to the highest level that
the company network environment allows, according to the following guidelines:

In a pure Windows NT 4.0 SP4 or later environment (including Windows 2000 and Windows XP
Professional), configure this setting to Send NTLMv2 response only\refuse LM & NTLM on all clients,
and then to Send NTLMv2 response only\refuse LM & NTLM on all servers once all clients are
configured. The exception to this recommendation is Windows 2003 Routing and Remote Access
servers, which will not function properly if this setting is set higher than Send NTLMv2 response
only\refuse LM.

The Enterprise Client environment contains Routing and Remote Access servers. For this reason, the
setting for this environment is configured to Send NTLMv2 response only\refuse LM. The High Security
environment does not contain Routing and Remote Access servers, so the setting for this environment is
configured to Send NTLMv2 response only\refuse LM & NTLM.

If Windows 9x clients exist within the company network and administrators can install the DSClient
on all such clients, administrators can configure this setting to Send NTLMv2 response only\refuse
LM & NTLM on computers running Windows NT (Windows NT, Windows 2000, and Windows XP
Professional). Otherwise, administrators must leave this setting configured at no higher than Send
NTLMv2 response only on computers not running Windows 9x.
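The following PowerShell audit script is an added example and is not part of the HP guide. It reads the LmCompatibilityLevel registry value that backs the LAN Manager Authentication level option and reports whether the machine meets the level the guide assigns to each environment. The registry path and the meaning of values 0 through 5 are Microsoft's documented values; the Enterprise Client (refuse LM) and High Security (refuse LM & NTLM) targets follow the text above, while the Legacy Client target of "Send NTLMv2 response only" is this example's own assumption.

```powershell
# Added example: audit LmCompatibilityLevel against the guide's per-environment target.
# Registry location and value meanings are Microsoft-documented; targets follow the guide.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each LmCompatibilityLevel value.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}

# Enterprise Client stays at 4 because of Routing and Remote Access servers;
# High Security uses 5. The Legacy Client target (3) is an assumption of this example.
$Targets = @{
    'Legacy Client'        = 3
    'Enterprise Client'    = 4
    'High Security Client' = 5
}

function Get-LmCompatibilityLevel {
    # An absent value means the OS default applies; report it as $null.
    $props = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.LmCompatibilityLevel
}

function Test-LmCompatibilityLevel {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Legacy Client', 'Enterprise Client', 'High Security Client')]
        [string]$Environment
    )
    $current = Get-LmCompatibilityLevel
    $target  = $Targets[$Environment]

    $currentName = 'not set (OS default)'
    if ($null -ne $current) { $currentName = $LevelNames[$current] }

    [pscustomobject]@{
        Environment  = $Environment
        CurrentLevel = $current
        CurrentName  = $currentName
        TargetLevel  = $target
        TargetName   = $LevelNames[$target]
        # A level at or above the target satisfies the baseline.
        Compliant    = ($null -ne $current) -and ($current -ge $target)
    }
}

# Usage: audit the local machine against the Enterprise Client baseline.
Test-LmCompatibilityLevel -Environment 'Enterprise Client' | Format-List
```

Treat "Compliant" as a floor check only: a Routing and Remote Access server in the Enterprise Client environment that reports level 5 passes the check but, as the guide notes, will not function properly, so review any host above its environment's target rather than simply accepting it.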
Network security: LDAP client signing requirements
    Legacy Client:          Negotiate signing
    Enterprise Client:      Negotiate signing
    High Security Client:   Negotiate signing
    Member Server Default:  Negotiate signing

The Network security: LDAP client signing requirements security option setting determines the level of
data signing that is requested on behalf of clients issuing LDAP BIND requests. Unsigned network
traffic is susceptible to man-in-the-middle attacks. In the case of an LDAP server, this means that an
attacker could cause a server to make decisions based on false queries from the LDAP client.
Therefore, the value for this setting is configured to Negotiate signing in the three environments
defined in this guide.

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
    Legacy Client:          No minimum
    Enterprise Client:      Enabled all settings
    High Security Client:   Enabled all settings
    Member Server Default:  No minimum

Important: Administrators within multi-protocol heterogeneous environments may want to verify that all
applications and protocol communications are working properly within their NAS box, and on other
servers within the network, once this setting is set.

The Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
security option setting allows a client to require the negotiation of message confidentiality
(encryption), message signing, 128-bit encryption, or NTLM version 2 (NTLMv2) session security.
Configure this setting as high as possible while still allowing the applications on the network to
function fully, so that network traffic from NTLM SSP based servers is protected from man-in-the-middle
attacks and data exposure.
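The following PowerShell script is an added example, not part of the HP guide, covering the two settings tabled above: it reads the LDAPClientIntegrity value behind "LDAP client signing requirements" and the NtlmMinClientSec bit mask behind "Minimum session security for NTLM SSP based (including secure RPC) clients", decodes them, and reports whether each meets the guide's level. The registry paths, value names, the LDAPClientIntegrity meanings, and the four NtlmMinClientSec flag bits are Microsoft's documented values; the compliance rules (signing at least negotiated; all four bits set for "Enabled all settings") are this example's reading of the tables.

```powershell
# Added example: decode LDAPClientIntegrity and NtlmMinClientSec and compare them
# with the guide's levels. Paths, names and bit values are Microsoft-documented.
$LdapKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# LDAPClientIntegrity: 0 = None, 1 = Negotiate signing, 2 = Require signing.
$LdapSigningNames = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }

# NtlmMinClientSec is a bit mask; each bit corresponds to one option in the policy UI.
$NtlmFlags = [ordered]@{
    'Require message integrity'       = 0x00000010
    'Require message confidentiality' = 0x00000020
    'Require NTLMv2 session security' = 0x00080000
    'Require 128-bit encryption'      = 0x20000000
}
$AllNtlmFlags = 0
foreach ($bit in $NtlmFlags.Values) { $AllNtlmFlags = $AllNtlmFlags -bor $bit }

function Get-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Default)
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $Default }   # value absent: the OS default applies
    return [int]$p.$Name
}

function Get-LdapClientSigning {
    # When the value is absent the OS default of 1 (Negotiate signing) applies.
    $v = Get-RegistryDword -Path $LdapKey -Name 'LDAPClientIntegrity' -Default 1
    [pscustomobject]@{
        Setting   = 'Network security: LDAP client signing requirements'
        Value     = $v
        Name      = $LdapSigningNames[$v]
        # The guide requires Negotiate signing in all three environments;
        # Require signing also satisfies that floor.
        Compliant = ($v -ge 1)
    }
}

function Get-NtlmMinClientSec {
    $v = Get-RegistryDword -Path $Msv1Key -Name 'NtlmMinClientSec' -Default 0
    $enabled = @()
    foreach ($entry in $NtlmFlags.GetEnumerator()) {
        if (($v -band $entry.Value) -ne 0) { $enabled += $entry.Key }
    }
    # "No minimum" is 0; "Enabled all settings" is every bit in the mask set.
    $level = 'Partial'
    if ($v -eq 0) { $level = 'No minimum' }
    elseif (($v -band $AllNtlmFlags) -eq $AllNtlmFlags) { $level = 'Enabled all settings' }

    [pscustomobject]@{
        Setting      = 'Network security: Minimum session security for NTLM SSP based clients'
        Value        = ('0x{0:X8}' -f $v)
        EnabledFlags = ($enabled -join ', ')
        Level        = $level
        # Enterprise Client and High Security require "Enabled all settings".
        CompliantEnterpriseOrHigh = ($level -eq 'Enabled all settings')
    }
}

# Usage: report both settings for the local machine.
Get-LdapClientSigning  | Format-List
Get-NtlmMinClientSec   | Format-List
```

The four flag bits match the options this Windows 2003-era guide describes. Later Windows releases expose only "Require NTLMv2 session security" and "Require 128-bit encryption" in the policy UI (mask 0x20080000), so on a current server the "Partial" result for that mask is the expected maximum rather than a shortfall; adjust $AllNtlmFlags to those two bits if the audit targets such hosts.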