As part of an effort to integrate a Buffalo NAS TeraStation Pro with our AD, we found out that the following changes need to be made in the Group Policy:
The following need to be altered in Domain -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
Microsoft Network Server: Digitally Sign Communications (always) (needs to be Disabled, currently it's Not Defined)
Network Security: LAN Manager Authentication Level (needs to be altered from Not Defined to NTLM2 negotiate if needed)
My questions are: is it worthy/risky to change the policy for the domain for a couple of NAS servers?
Second one: can they be changed on the individual DCs (probably via SECPOL), since we will be pointing the NAS to only 1 DC?
I am familiar with these devices and these particular changes. These settings do compromise security somewhat. I don't know that the practical risk is much better than the already sorry state of NTLMv2 and hash-based attacks, but it does increase risk somewhat. It would be nice if Buffalo spent some money addressing the need to downgrade security to support their devices.
To your second question: Anything you might do to create different security policy for different Domain Controllers (DCs) would result in an unsupported configuration and I'd advise against trying it. It might be possible to work something out but you'd be on your own re: support if it created oddball behavior.
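An added example, not code from either poster: one way to check what each DC actually has for the two settings discussed above, and whether the DCs have drifted apart, by parsing the output of `secedit /export /cfg`. The DC names and sample exports are constructed, and the registry value names are the standard ones behind these two policy entries.

```python
# Added example: audit two policy values in `secedit /export` output from several DCs.
# secedit usually writes the .inf as UTF-16; decode it before passing the text in.
SIGN = r"machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature"
LMLEVEL = r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel"
LM_LEVELS = ["Send LM & NTLM responses",
             "Send LM & NTLM - use NTLMv2 session security if negotiated",
             "Send NTLM response only",
             "Send NTLMv2 response only",
             "Send NTLMv2 response only. Refuse LM",
             "Send NTLMv2 response only. Refuse LM & NTLM"]

def parse_export(text):
    """Return {lowercased registry path: int} for REG_DWORD lines in [Registry Values]."""
    values, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "registry values" and "=" in line:
            path, _, data = line.partition("=")
            kind, _, raw = data.partition(",")
            if kind.strip() == "4":  # 4 = REG_DWORD
                values[path.strip().lower()] = int(raw)
    return values

def audit(exports):
    """exports: {dc_name: export text}. Returns (findings, drift_between_dcs)."""
    findings, seen = [], set()
    for dc, text in sorted(exports.items()):
        vals = parse_export(text)
        sign, lm = vals.get(SIGN), vals.get(LMLEVEL)
        seen.add((sign, lm))
        if sign != 1:
            findings.append(f"{dc}: SMB server signing not required (value={sign})")
        if lm is None:
            findings.append(f"{dc}: LAN Manager authentication level not set")
        elif lm < 3:  # levels 0-2 let this machine send LM or NTLMv1 responses
            findings.append(f"{dc}: LM level {lm} ({LM_LEVELS[lm]})")
    return findings, len(seen) > 1

# Constructed sample exports with hypothetical DC names, not taken from the thread.
DC01 = r"""[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
"""
DC02 = r"""[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
"""

if __name__ == "__main__":
    findings, drift = audit({"DC01": DC01, "DC02": DC02})
    print("\n".join(findings), "\nDCs differ:", drift)
```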