Unsolved
This post is more than 5 years old
1 Message
0
44801
Thin clients in a high security windows network
Apologies in advance, I'm a windows administrator with no experience with Thin clients :emotion-1:
I am about to apply security settings from Microsofts Security Configuration Manger GPO's to domain controllers. I want to import the GPO "WS2012R2 domain controller security compliance 1.0" in a GPO targeting the domain controllers. The current domain controller GPO contain many low security settings, and I need to fix this. I believeThe settings of interest are:
Domain Controller: LDAP server signing requirements: Require signing
Domain Member: Digitally encrypt or sign secure channel data (always).
Mirosoft Network Server: Server SPN target name validation level: “required by client”
Network security: Allow local system to use computer identity for NTLM.
Network security: Allow localsystem NULL session fallback: disabled
Network security: Configure encryption types allowed for Kerberos: not allowed DES_CBC_CRC or DES_CBC_MD5.
Network security: LAN Manager Authentication level: Send NTLMv2 only, refuse LM and NTLM.
Network security: Minmum Session Security for NTLM SSP based servers (including RPC) clients: NTLMv2 and 128 bit.
Network security: Minmum Session Security for NTLM SSP based servers (including RPC) servers: NTLMv2 128 bit.
Most users are using Wyse thin clients. They log on to the thin clients using domain credentials. CItrix and storefront is used in the organization. I have very little knowledge of the thin clients, but the version number is 8.0_210. I believe there are different versions in the organization, but i can find out.
Will the thin clients continue to work after i apply the SCM GPO to the domain contollers? Do i need any software update or specific configuration on the thin clients to make this work?
Advice is highly appreciated!
Ragnar
RMontalvo
560 Posts
0
July 7th, 2015 09:00
Ragnar,
With Wyse ThinOS thin clients, there are some configuration files that may need to be modified (WNOS.INI, MAC.INI and USER.INI) depending on your layout. Current firmware version is 8.0_512, but you may want to try your new GPO settings to see if they work before any mayor deployment.