3.10.23.1 (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'

Information

This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain.

Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts.

The recommended state for this setting is: Enabled: Automatic

Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: Automatic

Administrative Templates\System\Kerberos\Support device authentication using certificate

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/16853

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-8, 800-53|IA-3, CSCv7|1.6, CSCv7|1.8

Plugin: Windows

Control ID: 30546194aa87790952511ece11d94774f675abe7e28ed6d82ee6a45dd8b2972b