Channel: Directory Services forum

After disabling LM and NTLM via GPO, had mass account lockouts; rolled back but need help understanding why


Hi All

We have a Windows 2008 R2 domain. We configured a GPO to apply to all PCs, servers and DCs to configure the below, as we had a penetration test done and this was advised:

Network security: LAN Manager authentication level = Send NTLMv2 response only\refuse LM & NTLM

We did an audit and only saw a couple of servers that would be affected, so we mitigated that. However, when we actually rolled this out we had over 1000 account lockouts, constantly, from people using Windows XP SP3.

We eventually rolled back and got back to stable service levels; however, now we are looking at why this happened. So far we believe it's due to external trust relationships: we have multiple customers on our domain as we are a shared service, and it seems the only customers that were impacted were the two who access resources in a trusting domain. One customer has Exchange mailboxes in a legacy Exchange 2003 domain and another just accesses flat data in another domain.

My main questions are:

If the trusts are external trusts, do you have to use LM and NTLM, or can you solely use NTLMv2?

If users on Windows 7 machines were able to access resources over trusts fine, then what's the difference with Windows XP SP3?

Thanks
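An added example, not part of the original post or any reply: a PowerShell audit that reports the effective LAN Manager authentication level of each host before "refuse LM & NTLM" is enforced. The GPO setting quoted above writes `LmCompatibilityLevel` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`; when that value is absent, Windows XP and Server 2003 default to level 0 (send LM & NTLM responses) while Vista, Windows 7 and Server 2008 default to level 3 (send NTLMv2 only). Hosts whose effective level is 0-2 never produce an NTLMv2 response, so a DC or resource server set to level 5 rejects every attempt and each retry counts toward the lockout threshold. The remote query assumes WinRM (PowerShell remoting) is enabled on the targets and the caller has local admin rights there; the computer names and the sample records at the end are constructed so the report logic can be run offline.

```powershell
# Added example (not from the original post): audit LmCompatibilityLevel across hosts
# before enforcing "Send NTLMv2 response only\refuse LM & NTLM" (level 5) on DCs.
# Assumptions: WinRM remoting reachable with admin rights; host names are constructed.

$LmLevelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only / refuse LM'
    5 = 'Send NTLMv2 response only / refuse LM & NTLM'
}

function Get-DefaultLmLevel {
    # OS default used when the registry value is not set:
    # XP / Server 2003 -> 0, Vista / 2008 and later -> 3.
    param([string]$OsCaption)
    if ($OsCaption -match 'XP|2003') { return 0 }
    return 3
}

function ConvertTo-LmLevelInfo {
    param(
        [string]$ComputerName,
        [string]$OsCaption,
        [Nullable[int]]$ConfiguredLevel   # $null when the registry value is absent
    )
    $level = if ($null -ne $ConfiguredLevel) { [int]$ConfiguredLevel } else { Get-DefaultLmLevel $OsCaption }
    [pscustomobject]@{
        ComputerName    = $ComputerName
        OS              = $OsCaption
        ConfiguredLevel = $ConfiguredLevel
        EffectiveLevel  = $level
        Behaviour       = $LmLevelMeaning[$level]
        # Levels 0-2 send no NTLMv2 response, so a level-5 DC/server rejects them
        # and every retry counts toward the account lockout threshold.
        BreaksAtLevel5  = ($level -le 2)
    }
}

function Get-LmCompatibilityReport {
    # Live query: read the Lsa key and OS caption on each host, then classify locally.
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            OsCaption       = (Get-WmiObject Win32_OperatingSystem).Caption
            ConfiguredLevel = $lsa.LmCompatibilityLevel   # $null if the value is not set
        }
    } | ForEach-Object {
        ConvertTo-LmLevelInfo -ComputerName $_.ComputerName -OsCaption $_.OsCaption -ConfiguredLevel $_.ConfiguredLevel
    }
}

function Get-LockoutCallers {
    # Companion check on a DC: which machines are generating the 4740 lockouts.
    param([string]$DomainController, [int]$Hours = 24)
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object {
        if ($_.Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] }
    } | Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample of what the remote query returns, so the report runs offline.
$sample = @(
    @{ ComputerName = 'XP-WS01';   OsCaption = 'Microsoft Windows XP Professional'; ConfiguredLevel = $null },
    @{ ComputerName = 'WIN7-WS02'; OsCaption = 'Microsoft Windows 7 Enterprise';    ConfiguredLevel = $null },
    @{ ComputerName = 'FS-LEGACY'; OsCaption = 'Microsoft Windows Server 2003';     ConfiguredLevel = 2 }
)
$sample | ForEach-Object {
    ConvertTo-LmLevelInfo -ComputerName $_.ComputerName -OsCaption $_.OsCaption -ConfiguredLevel $_.ConfiguredLevel
} | Format-Table ComputerName, EffectiveLevel, BreaksAtLevel5, Behaviour -AutoSize

# Live use (constructed names):
# Get-LmCompatibilityReport -ComputerName 'XP-WS01','WIN7-WS02','FS-LEGACY' | Where-Object BreaksAtLevel5
# Get-LockoutCallers -DomainController 'DC01'
```

On the constructed sample the XP host reports effective level 0 and the Server 2003 file server level 2, both flagged `BreaksAtLevel5`, while the Windows 7 host reports level 3 and passes, which is the client-default difference behind the second question. Running `Get-LmCompatibilityReport` against servers in the trusting domain as well as the workstations shows which side of a trust still relies on LM/NTLM, and `Get-LockoutCallers` ties the 4740 events on a DC back to the machines that are retrying.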
