9.2 Recommended Security Configurations for the Remote Loader

If you are using the Remote Loader, the following table lists the recommended security configurations for the driver.

Table 9-2 Recommended Security Configuration for the Remote Loader

Parameter

Description and Recommended Setting

Authentication ID

The account the driver uses to access the domain data. Use the domain logon name, for example Administrator.

Authentication Context

The DNS name of the domain controller.

If you don’t want to run the driver on your Active Directory domain controller, use hostname for the Negotiate method but use hostname or the IP address for the simple method.

Application Password

The password used for the Authentication ID.

Remote Loader Password

The password for the Remote Loader service.

Authentication Method

Select negotiate.

Digitally sign communications

In most environments, we recommend you select No for this option and use SSL to secure communication between the Remote Loader and the domain controller.

However, if the Remote Loader is installed on a member server, and you need to synchronize passwords, select Yes for this option.

Do not use this option with SSL.

Digitally sign and seal communications

In most environments, we recommend you select No for this option and use SSL to secure communication between the Remote Loader and the domain controller.

However, if the Remote Loader is installed on a member server, and you need to synchronize passwords, select Yes for this option.

Do not use this option with SSL.

NOTE:Sealing only works when you use the Negotiate authentication method and the underlying security provider selects NTLM v2 or Kerberos for its protocols.

Use SSL for encryption

Select Yes if Remote Loader is on a member server. If Remote Loader is on a domain controller, select No. SSL is required to perform a Subscriber password check, a Subscriber password set, and a Subscriber password modify operation when the driver shim is not running on the domain controller.

SSL requires that the Microsoft server running the driver shim imports the domain controller’s server certificate. For more information, see Securing Windows 2000 Server or Microsoft Security Compliance Manager, for Windows Server 2003 or later.

By default, the parameter is set to No. If you set this value to Yes, the SSL pipe is encrypted for the entire conversation. An encrypted pipe is preferred because the driver typically synchronizes sensitive information. However, encryption slows the general performance of your servers.