Chris, we are seeing the same thing here with our techs, saying their
boot disks aren't working after they change their passwords. Since we
are Win2k8 R2 DFL/FFL, the authentication requirement default is higher
than the NTLM and LM hashes of old, which I can agree that they need to
get their boot disks or deployment process up to the 21st century.

 

In same boat as you, not changing domain-wide settings to allow folks to
ghost stuff with old boot disk; there are better tools (WIM, WinPE,
etc.).

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:[email protected]

Cell:401-639-3505

 

From: Christopher Bodnar [mailto:[email protected]] 
Sent: Monday, December 27, 2010 12:31 PM
To: NT System Admin Issues
Cc: NT System Admin Issues
Subject: Re: OT: NTL M and bootable DOS CD

 

I'm definitely going to try and fight this; from a security perspective
it's a no-brainer. The issue will be that the desktop group will say
this will push back the deployment of existing systems by a month while
they engineer a new process. Almost no way to fight that unless our
group is willing to take over the responsibility of doing that work,
which we could easily do. Just hate knowing that those guys will put up
this road block on something that should take them less than a day to
do. I'd love for their management to step in and say "You know what?
You are right. We need to redo this process and it's not going to take
us a month to do it. We'll have it done by end of the week!" Never going
to happen.




Chris Bodnar, MCSE
Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]
Phone: 610-807-6459
Fax: 610-807-6003 



From:        Kurt Buff <[email protected]> 
To:        "NT System Admin Issues"
<[email protected]> 
Date:        12/27/2010 11:37 AM 
Subject:        Re: OT: NTL M and bootable DOS CD 

________________________________




Uh, you've already proved that your way works.

I'd call a meeting, go over their setup with them and identify the
points that need improving.

I'll bet that the re-engineering isn't really all that much, and that
the end result will actually be faster and better installs.

Kurt

On Mon, Dec 27, 2010 at 07:32, Christopher Bodnar
<[email protected]> wrote:
> Sorry, just venting:
>
> OK, so we implemented our new SCCM infrastructure about 9 months ago
> (all W2K8 servers). Almost done with the migration from our old SMS
> 2003 infrastructure (W2K3 R2 servers). I get a request from our
> desktop guys last week to create a few shares on the new SCCM servers
> to hold the workstation images. No problem. So I get a call from the
> desktop guys saying they can't access the new shares. I ask them how
> they are being accessed. They say from a bootable DOS CD. I thought
> they meant WinPE, so I tested that, and verified there are no issues.
> Go back to the desktop guys and they say, no it's really DOS 6.22
> using NDIS 2.0. So I start looking into it and found that the old SMS
> servers have a GPO setting that allows NTLM connections, the rest of
> the network doesn't. I was not aware of this. Our current policy is to
> allow NTLMv2 only, and refuse LM and NTLM. I ask them if they can move
> to WinPE. They tell me the engineering involved will be too much work.
> So now the question is..... do I put up a fight and go to our Security
> group and tell them I want to keep NTLMv2, and have the desktop guys
> re-engineer the process? My guess is that I'll be overruled, and be
> forced to allow NTLM for the new SCCM servers.
>
> Uggghhhh.........
>
>
>
> Chris Bodnar, MCSE
> Systems Engineer
> Distributed Systems Service Delivery - Intel Services
> Guardian Life Insurance Company of America
> Email: [email protected]
> Phone: 610-807-6459
> Fax: 610-807-6003


---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin

