System Administration & Network Administration
active-directory group-policy network-attached-storage buffalo
Updated Wed, 21 Sep 2022 13:59:51 GMT

Buffalo NAS Active Directory Integration Group Policy Changes


As part of an effort to integrate a Buffalo NAS TeraStation Pro with our AD, we found out that the following changes need to be made in Group Policy:

The following need to be altered in Domain -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

Microsoft Network Server: Digitally Sign Communications (always) (needs to be Disabled; currently it's Not Defined)

Network Security: LAN Manager Authentication Level (needs to be altered from Not Defined to NTLM2 negotiate if needed)

My questions are: is it worthwhile/risky to change the policy for the domain for a couple of NAS servers?

Second one: can they be changed on the individual DCs (probably via SECPOL), since we will be pointing the NAS to only 1 DC?




Solution

I am familiar with these devices and these particular changes. These settings do compromise security somewhat. I don't know that the practical risk is much better than the already sorry state of NTLMv2 and hash-based attacks, but it does increase risk somewhat. It would be nice if Buffalo spent some money addressing the need to downgrade security to support their devices.

To your second question: Anything you might do to create different security policy for different Domain Controllers (DCs) would result in an unsupported configuration and I'd advise against trying it. It might be possible to work something out but you'd be on your own re: support if it created oddball behavior.
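To see what is actually in effect before and after such a change, the following added example (not part of the original answer) reads the registry values behind the two policies named in the question and flags weakened states. The finding texts and the `$check` and `$read` names are illustrative; run it elevated on the machine being checked.

```powershell
# Added example: report the effective state of SMB server signing and the
# LAN Manager authentication level on the local machine.
$check = {
    # Meanings of LmCompatibilityLevel, the value behind
    # "Network security: LAN Manager authentication level".
    $lmLevels = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }
    # Helper: return the registry value, or $null when it is absent.
    $read = {
        param($Path, $Name)
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    # "Microsoft network server: Digitally sign communications (always)"
    $sign = & $read 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
    $lm   = & $read 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'

    $findings = @()
    if ($null -eq $sign)  { $findings += 'Server signing value not set: OS default applies' }
    elseif ($sign -ne 1)  { $findings += 'Server does not require SMB signing' }
    if ($null -eq $lm)    { $findings += 'LmCompatibilityLevel not set: OS default applies' }
    else {
        if ($lm -lt 3) { $findings += 'Sends LM or NTLMv1 responses as a client' }
        if ($lm -lt 4) { $findings += 'Accepts LM authentication' }
        if ($lm -lt 5) { $findings += 'Accepts NTLMv1 authentication' }
    }
    if ($findings.Count -eq 0) { $findings += 'Signing required; NTLMv2 only' }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        SigningRequired      = if ($null -eq $sign) { 'not set' } else { [bool]$sign }
        LmCompatibilityLevel = if ($null -eq $lm) { 'not set' } else { $lm }
        LmLevelMeaning       = if ($null -eq $lm) { 'n/a' } else { $lmLevels[[int]$lm] }
        Findings             = $findings -join '; '
    }
}

& $check | Format-List
```

Because `$check` is a self-contained script block, it can also be passed to `Invoke-Command -ComputerName <dc> -ScriptBlock $check` for each DC, and the outputs compared to confirm that all domain controllers report the same values.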





Comments (1)

  • +0 – We are further planning to introduce more NAS devices into our environment. Do you know of any such devices similar to the TeraStation Pro which have very good AD integration options? — Nov 15, 2012 at 17:04