HP Survivable Branch Communication zl Module powered by Microsoft Lync Planning and Design Guide 2011-02

Design Considerations
Planning Security
Setting's Registry Path or Policy Path | Windows 7 USGCB Recommended Setting

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes
Policy setting: Network Security: Configure encryption types allowed for Kerberos
Recommended setting: Enabled: RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future Encryption Types

HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
Policy setting: Network security: LAN Manager authentication level
Recommended setting: Send NTLMv2 Response only. Refuse LM and NTLM
set as part of local security policy;

HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
Policy setting: Network security: Allow LocalSystem NULL session fallback
Recommended setting: Disabled

HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
Policy setting: Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Recommended setting: Require NTLMv2 session security, Require 128 bit encryption

HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
Policy setting: Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Recommended setting: Require NTLMv2 session security, Require 128 bit encryption

HKLM\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID
Policy setting: Network Security: Allow PKU2U authentication requests to the computer to use online identities
Recommended setting: Disabled

HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
Policy setting: Network access: Do not allow anonymous enumeration of SAM accounts and shares
Recommended setting: Enabled

HKLM\System\CurrentControlSet\Control\Lsa\UseMachineId
Policy setting: Network security: Allow Local System to use computer identity for NTLM
Recommended setting: Enabled
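
An added example, not taken from the HP guide: a PowerShell audit that reads the eight registry values listed in the table above on the local machine and compares them with the recommended settings. The DWORD data is the usual registry encoding of each listed policy choice and is an assumption not stated on this page; `$Baseline` and `Test-BaselineSetting` are hypothetical names.

```powershell
# Added example: audit the local machine against the settings in the table.
# Expected DWORD data is an assumed encoding of each policy choice, not text
# from the guide. $Baseline and Test-BaselineSetting are hypothetical names.
$Lsa   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$Msv   = "$Lsa\MSV1_0"
$Krb   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

$Baseline = @(
    # RC4 (0x4) + AES128 (0x8) + AES256 (0x10) + future types (0x7FFFFFE0); DES bits clear
    @{ Path = $Krb;          Name = 'SupportedEncryptionTypes'; Expected = 0x7FFFFFFC }
    # 5 = send NTLMv2 response only, refuse LM and NTLM
    @{ Path = $Lsa;          Name = 'LmCompatibilityLevel';     Expected = 5 }
    @{ Path = $Msv;          Name = 'allownullsessionfallback'; Expected = 0 }
    # NTLMv2 session security (0x00080000) + 128-bit encryption (0x20000000)
    @{ Path = $Msv;          Name = 'NTLMMinClientSec';         Expected = 0x20080000 }
    @{ Path = $Msv;          Name = 'NTLMMinServerSec';         Expected = 0x20080000 }
    @{ Path = "$Lsa\pku2u";  Name = 'AllowOnlineID';            Expected = 0 }
    @{ Path = $Lsa;          Name = 'RestrictAnonymous';        Expected = 1 }
    @{ Path = $Lsa;          Name = 'UseMachineId';             Expected = 1 }
)

function Test-BaselineSetting {
    param([hashtable]$Setting)
    $actual = $null
    try {
        $actual = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction Stop |
                  Select-Object -ExpandProperty $Setting.Name
    } catch {
        # Key or value is absent: the OS default applies, which is not
        # guaranteed to match the baseline, so it is reported as non-compliant.
    }
    [pscustomobject]@{
        Setting   = $Setting.Name
        Expected  = $Setting.Expected
        Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
        Compliant = ($null -ne $actual) -and ([int64]$actual -eq [int64]$Setting.Expected)
    }
}

$results = $Baseline | ForEach-Object { Test-BaselineSetting $_ }
$results | Format-Table -AutoSize

# Summarise the drift so the script can feed a scheduled compliance check.
$failed = @($results | Where-Object { -not $_.Compliant })
"{0} of {1} settings differ from the baseline" -f $failed.Count, $results.Count
```

A value reported as `(not set)` usually means the policy has never been applied by Group Policy or local security policy, so check where the setting is supposed to come from before writing the value by hand.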