Bertrand
December 14th 03, 01:29 AM
Steven and Roger,
Thank you very much to both of you.
By the way, do you know a good place on the net where I can learn a lot
about security policies on Windows2000 and WindowsXP ?
For example, one of my problem is to create a group of user who would have
the same privileges than a local administrator execpted that they cannot
change the setting of the users that are in the Administrators group (at
lest, they cannot change their passwords and group.) Just in order to be
sure that even if I give local administrator rights to someone on his
machine, he will not be able to change the settings of what I would call the
primary administrator of the machine.
Bertrand
"Steven L Umbach" > wrote in message
y.com...
> Thanks Roger. That makes sense. I was not sure if disabling at client
> would solve problem, obviously better for the domain. I know that "lan man
> authentication level" issues along with anonoymous "no access without
> explicit anonymous permissions" issues or various combination there of
> causes a lot of grief in mixed client settings. --- Steve
>
> "Roger Abell [MVP]" > wrote in message
> ...
> > I am not aware whether a fix is yet released either. It seems it
> > once was, and then was not, and I have not chased it down recently.
> >
> > I prefer to advise them to go into the XP client and disable the
> > MS network client : digiatlly sign communications when server agrees
> > policy, rather than lowering the security of the whole domain,
especially
> > if they are only introducing a few XPs.
> > Also, a problem that parades much like this one is that XP is shipping
> > with NTML v2 not enabled, which causes problems when authentication
> > is direct to a W2k that has been configured to insist on NTLM v2.
> > This is best adjusted on the XP client by changing the policy governing
> > the LM Authentication level.
> >
> > --
> > Roger
> >
> > "Steven L Umbach" > wrote in message
> > news:QENya.61712$rt6.24009@sccrnsc02...
> > > There is an issue with incompatible smb signing between W2K
and
> XP
> > > Pro. On the security options of the W2K server, make sure all four
> options
> > > for "digitally sign client/server communications" are disabled for
> > effective
> > > settings,documenting your changes. Reboot server and try again. I am
not
> > > sure if this issue has been resolved via hotfix yet. If it has, please
> > > someone let me know. -- Steve
> > >
> > >
> > > "Bertrand" > wrote in message
> > > ...
> > > > My PC is connected to the local area network of my office. I was
> > > previously
> > > > running Windows2000 SP3 on my PC.
> > > > I recently upgraded to WindowsXP SP1 (HDD reformat and clean
install).
> > > From
> > > > this day, I cannot loggon to my network folders hosted on our office
> > > server
> > > > (Windows2000 SP2 domain controler).
> > > > In fact, I cannot access to ANY shared folder on this server. I
could
> > > > before.
> > > > I have administrator's rights on the network.
> > > >
> > > > The error message I can see in the system event log, due to this,
are
> > > always
> > > > the following 2:
> > > >
> > > > The Security System detected an attempted downgrade attack for
server
> > > > cifs/namedserver. The failure code from authentication protocol
> > Kerberos
> > > > was "There are currently no logon servers available to service the
> logon
> > > > request. (0xc000005e)".
> > > > then:
> > > > The Security System could not establish a secured connection with
the
> > > server
> > > > cifs/namedserver. No authentication protocol was available.
> > > >
> > > > Can one help me fix this problem ?
> > > > Thanks in advance
> > > > (I am still very novice in WindowsXP)
> > > >
> > > > Bertrand
> > > > Tokyo, Japan
> > > >
> > >
> > >
> >
> >
>
>
Thank you very much to both of you.
By the way, do you know a good place on the net where I can learn a lot
about security policies on Windows2000 and WindowsXP ?
For example, one of my problem is to create a group of user who would have
the same privileges than a local administrator execpted that they cannot
change the setting of the users that are in the Administrators group (at
lest, they cannot change their passwords and group.) Just in order to be
sure that even if I give local administrator rights to someone on his
machine, he will not be able to change the settings of what I would call the
primary administrator of the machine.
Bertrand
"Steven L Umbach" > wrote in message
y.com...
> Thanks Roger. That makes sense. I was not sure if disabling at client
> would solve problem, obviously better for the domain. I know that "lan man
> authentication level" issues along with anonoymous "no access without
> explicit anonymous permissions" issues or various combination there of
> causes a lot of grief in mixed client settings. --- Steve
>
> "Roger Abell [MVP]" > wrote in message
> ...
> > I am not aware whether a fix is yet released either. It seems it
> > once was, and then was not, and I have not chased it down recently.
> >
> > I prefer to advise them to go into the XP client and disable the
> > MS network client : digiatlly sign communications when server agrees
> > policy, rather than lowering the security of the whole domain,
especially
> > if they are only introducing a few XPs.
> > Also, a problem that parades much like this one is that XP is shipping
> > with NTML v2 not enabled, which causes problems when authentication
> > is direct to a W2k that has been configured to insist on NTLM v2.
> > This is best adjusted on the XP client by changing the policy governing
> > the LM Authentication level.
> >
> > --
> > Roger
> >
> > "Steven L Umbach" > wrote in message
> > news:QENya.61712$rt6.24009@sccrnsc02...
> > > There is an issue with incompatible smb signing between W2K
and
> XP
> > > Pro. On the security options of the W2K server, make sure all four
> options
> > > for "digitally sign client/server communications" are disabled for
> > effective
> > > settings,documenting your changes. Reboot server and try again. I am
not
> > > sure if this issue has been resolved via hotfix yet. If it has, please
> > > someone let me know. -- Steve
> > >
> > >
> > > "Bertrand" > wrote in message
> > > ...
> > > > My PC is connected to the local area network of my office. I was
> > > previously
> > > > running Windows2000 SP3 on my PC.
> > > > I recently upgraded to WindowsXP SP1 (HDD reformat and clean
install).
> > > From
> > > > this day, I cannot loggon to my network folders hosted on our office
> > > server
> > > > (Windows2000 SP2 domain controler).
> > > > In fact, I cannot access to ANY shared folder on this server. I
could
> > > > before.
> > > > I have administrator's rights on the network.
> > > >
> > > > The error message I can see in the system event log, due to this,
are
> > > always
> > > > the following 2:
> > > >
> > > > The Security System detected an attempted downgrade attack for
server
> > > > cifs/namedserver. The failure code from authentication protocol
> > Kerberos
> > > > was "There are currently no logon servers available to service the
> logon
> > > > request. (0xc000005e)".
> > > > then:
> > > > The Security System could not establish a secured connection with
the
> > > server
> > > > cifs/namedserver. No authentication protocol was available.
> > > >
> > > > Can one help me fix this problem ?
> > > > Thanks in advance
> > > > (I am still very novice in WindowsXP)
> > > >
> > > > Bertrand
> > > > Tokyo, Japan
> > > >
> > >
> > >
> >
> >
>
>