Detections
Analytics

1.1.1.2.1.43 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled'

Information

This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain member will be prevented from negotiating secure channel encryption. Microsoft recommends to configure the Domain member: Digitally encrypt secure channel data (when possible) setting to Enabled. When a computer running Windows NT, Windows 2000, or later versions of Windows joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the domain controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated and sensitive information such as passwords are encrypted but the channel is not integrity-checked, and not all information is encrypted. If a computer is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.

Solution

To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member- Digitally encrypt secure channel data (when possible)

Impact- Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the domain controller. However, only Windows NT 4.0 Service Pack 6a (SP6a) and subsequent versions of the Windows operating system support digital encryption and signing of the secure channel. Windows 98 Second Edition clients do not support it unless they have the Dsclient installed. Therefore, you cannot enable the Domain member- Digitally encrypt or sign secure channel data (always) setting on domain controllers that support Windows 98 clients as members of the domain. Potential impacts can include the following-

See Also

https://workbench.cisecurity.org/files/42 https://workbench.cisecurity.org/files/42

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-3(1), CCE|CCE-3796-0

Plugin: Windows

Control ID: 74ab9e71a0362991b74091809c0940f7da51e1fd5f8603cc22bbb37a6783587a