1.1.1.2.1.51 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'

Information

This policy setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel data, it cannot establish a secure channel with a domain controller that is not capable of signing or encrypting all secure channel traffic, because all secure channel data must be signed and encrypted. Microsoft recommends configuring the Domain member: Digitally encrypt or sign secure channel data (always) setting to Enabled. When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the domain controller for its domain every time that it restarts. Requests sent on the secure channel are authenticated and sensitive information such as passwords is encrypted, but the channel is not integrity-checked and not all information is encrypted. If a computer is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data only when possible, a secure channel can be established, but the level of encryption and signing is negotiated.

Solution

To implement the recommended configuration state, set the following Group Policy setting to 1 (Enabled).

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)

Impact: Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the domain controller. However, only Windows NT 4.0 with Service Pack 6a (SP6a) and subsequent versions of the Windows operating system support digital encryption and signing of the secure channel. Windows 98 Second Edition clients do not support it unless they have the Dsclient installed. Therefore, you cannot enable the Domain member: Digitally encrypt or sign secure channel data (always) setting on domain controllers that support Windows 98 clients as members of the domain. Potential impacts can include the following:

- The ability to create or delete trust relationships with clients running versions of Windows earlier than Windows NT 4.0 with SP6a will be disabled.
- Logons from clients running versions of Windows earlier than Windows NT 4.0 with SP6a will be disabled.
- The ability to authenticate other domains' users from a domain controller running a version of Windows earlier than Windows NT 4.0 with SP6a in a trusted domain will be disabled.

You can enable this policy setting after you eliminate all Windows 9x clients from the domain and upgrade all Windows NT 4.0 servers and domain controllers from trusted/trusting domains to Windows NT 4.0 with SP6a. You can enable the other two policy settings, Domain member: Digitally encrypt secure channel data (when possible) and Domain member: Digitally sign secure channel data (when possible), on all computers in the domain that support them; clients running versions of Windows earlier than Windows NT 4.0 with SP6a, and applications that run on these versions of Windows, will not be affected.
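The following PowerShell script is an added example and is not part of this audit item or of Tenable's own check logic. It audits the three related Netlogon secure-channel settings on a domain member and, only when explicitly asked, remediates the "always" setting. It assumes that the Security Options above are backed by the registry values RequireSignOrSeal, SignSecureChannel and SealSecureChannel under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, with 1 meaning Enabled; the function names are the example's own.

```powershell
# Added example (not from the audit page): audit, and optionally remediate,
# the Netlogon secure-channel signing/sealing settings on a domain member.
# Assumption: the Group Policy Security Options are stored in these registry values.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Policy name -> registry value name -> expected value for the CIS-recommended state
$SecureChannelSettings = @(
    @{ Policy = 'Digitally encrypt or sign secure channel data (always)'; Name = 'RequireSignOrSeal'; Expected = 1 },
    @{ Policy = 'Digitally encrypt secure channel data (when possible)';  Name = 'SealSecureChannel'; Expected = 1 },
    @{ Policy = 'Digitally sign secure channel data (when possible)';     Name = 'SignSecureChannel'; Expected = 1 }
)

function Test-SecureChannelPolicy {
    <#
      Returns one object per setting with the current value and a Compliant flag.
      A missing value is reported as non-compliant rather than assumed, because the
      effective default can differ between Windows versions.
    #>
    foreach ($s in $SecureChannelSettings) {
        $item = Get-ItemProperty -Path $NetlogonParams -Name $s.Name -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { [int]$item.($s.Name) } else { $null }
        [pscustomobject]@{
            Policy    = $s.Policy
            ValueName = $s.Name
            Current   = $current
            Expected  = $s.Expected
            Compliant = ($current -eq $s.Expected)
        }
    }
}

function Set-RequireSignOrSeal {
    <#
      Sets the "(always)" policy to Enabled (1). Supports -WhatIf so the change can be
      previewed before the host is forced to require a signed/sealed secure channel.
      Note: on a domain-joined host a Group Policy that manages this setting will
      re-apply its own value at the next refresh; change the GPO rather than the host.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $target = "$NetlogonParams\RequireSignOrSeal"
    if ($PSCmdlet.ShouldProcess($target, 'Set DWORD to 1 (Enabled)')) {
        Set-ItemProperty -Path $NetlogonParams -Name 'RequireSignOrSeal' -Value 1 -Type DWord
    }
}

# --- Audit ---
$results = Test-SecureChannelPolicy
$results | Format-Table -AutoSize

$always = $results | Where-Object ValueName -eq 'RequireSignOrSeal'
if (-not $always.Compliant) {
    Write-Warning "'(always)' is not Enabled; the host will negotiate signing/sealing instead of requiring it."
    # Preview the remediation only; drop -WhatIf once the impact (legacy clients/trusts) is reviewed.
    Set-RequireSignOrSeal -WhatIf
}
```

Run the script in an elevated session on the domain member you are assessing. Because the Impact section above describes domain controllers and trusts that cannot support signing, the remediation is deliberately gated behind -WhatIf: confirm no pre-SP6a or Windows 9x systems depend on the secure channel before enabling the "(always)" setting, and prefer setting it through the Group Policy path listed under Solution so that the value is enforced consistently.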

See Also

https://workbench.cisecurity.org/files/42

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-3(1), CCE|CCE-3731-7

Plugin: Windows

Control ID: 47816171c9d93782f499be927ea55b6131f2b83a94d02f442d3af3f4db845548