their 3rd party applications within their NAS box, as well as other server systems within the network, and verify that they are still functioning properly.
The Network access: Shares that can be accessed anonymously security option setting determines which network shares can be accessed by anonymous users. The default for this setting has little impact as all users have to be authenticated before they can access shared resources on the server. Therefore, ensure that this setting is configured to None in the three environments defined in this guide.

Network access: Sharing and security model for local accounts

| Member Server Default | Legacy Client | Enterprise Client | High Security Client |
|---|---|---|---|
| Classic - local users authenticate as themselves | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves |

The Network access: Sharing and security model for local accounts security option setting determines how network logons using local accounts are authenticated. The Classic setting allows fine control over access to resources. Using the Classic setting allows administrators to grant different types of access to different users for the same resource. Using the Guest only setting allows administrators to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. Therefore, the Classic default setting option is used for the three environments defined in this guide.

Network security: Do not store LAN Manager hash value on next password change

| Member Server Default | Legacy Client | Enterprise Client | High Security Client |
|---|---|---|---|
| Disabled | Enabled | Enabled | Enabled |

Important: Very old legacy operating systems and some third-party applications may fail when this setting is enabled. Also, administrators will need to change the password on all accounts after enabling this setting. Administrators within multi-protocol heterogeneous environments may want to verify that all applications and protocol communications are working properly within their environment once this setting is set. This setting must be set to Disabled for HP NAS server systems within multi-protocol network environments involving NFS, AFTP, or NCP.
The Network security: Do not store LAN Manager hash value on next password change security option setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. For this reason, this setting is configured to Enabled in the security environments defined in this guide.

Network security: LAN Manager authentication level

| Member Server Default | Legacy Client | Enterprise Client | High Security Client |
|---|---|---|---|
| Send NTLM response only | Send NTLM response only | Send NTLM response only | Send NTLMv2 response only\refuse LM & NTLM |

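An added example, not part of the original guide: the Python script below checks the [Registry Values] section of a template exported with secedit /export against the baselines in the tables above for the four settings on this page. The registry value names (NoLMHash, LmCompatibilityLevel, ForceGuest, NullSessionShares) are the standard Windows values behind these policies, the function names are hypothetical, and the sample template is constructed.

```python
# Added example (not HP's or Microsoft's code): audit a secedit-exported template.
LSA = r"machine\system\currentcontrolset\control\lsa"
SHARES = r"machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares"
LM_LEVELS = ["Send LM & NTLM responses",  # list index = LmCompatibilityLevel (0-5)
             "Send LM & NTLM - use NTLMv2 session security if negotiated",
             "Send NTLM response only", "Send NTLMv2 response only",
             r"Send NTLMv2 response only\refuse LM",
             r"Send NTLMv2 response only\refuse LM & NTLM"]
BASELINES = {  # from this page's tables; NoLMHash 1 = Enabled, ForceGuest 0 = Classic
    "Legacy Client":        {"nolmhash": 1, "lmcompatibilitylevel": 2, "forceguest": 0},
    "Enterprise Client":    {"nolmhash": 1, "lmcompatibilitylevel": 2, "forceguest": 0},
    "High Security Client": {"nolmhash": 1, "lmcompatibilitylevel": 5, "forceguest": 0},
}

def parse_registry_values(inf_text):
    """Map lowercased key path -> list of values from the [Registry Values] section."""
    values, in_section = {}, False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
        elif in_section and "=" in line:
            key, data = line.split("=", 1)  # data is "<reg type>,<value>[,<value>...]"
            values[key.strip().lower()] = [v.strip().strip('"') for v in data.split(",")[1:]]
    return values

def audit(inf_text, environment):
    """Return findings ([] = compliant). Assumption: a stricter LM level than baseline passes."""
    values, findings = parse_registry_values(inf_text), []
    for name, want in BASELINES[environment].items():
        items = values.get(LSA + "\\" + name, [])
        got = int(items[0]) if items and items[0].isdigit() else None  # None = not defined
        ok = got is not None and (got >= want if name == "lmcompatibilitylevel" else got == want)
        if not ok:
            shown = LM_LEVELS[got] if name == "lmcompatibilitylevel" and got in range(6) else got
            findings.append(f"{name}: found {shown!r}, baseline {want}")
    shares = [s for s in values.get(SHARES, []) if s]  # the guide requires None (empty list)
    if shares:
        findings.append("nullsessionshares: anonymous access to " + ", ".join(shares))
    return findings

# Constructed sample template (not taken from a real server).
SAMPLE_INF = r"""[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,COMCFG,DFS$
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INF, "High Security Client")))
```

For HP NAS systems in multi-protocol environments involving NFS, AFTP, or NCP, the guide requires NoLMHash to stay Disabled, so change that baseline entry to 0 before auditing those systems.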
Important: Administrators within multi-protocol heterogeneous environments may want to verify all applications and protocol communications are working properly within their NAS box, and other servers within their network, once this setting is set. If administrators find applications that break when this setting is enabled, roll it back one step at a time to discover what breaks. At a minimum, this setting should be set to Send LM & NTLM - use NTLMv2 session security if negotiated on all computers and can typically be set to Send NTLMv2 responses only on all computers in the