2.3.14.1 Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User must enter a password each time they use a key' (STIG only)

Information

This policy setting determines whether users can use private keys, such as their Secure/Multipurpose Internet Mail Extensions (S/MIME) key, without a password.

The STIG recommended state for this setting is: User must enter a password each time they use a key

If a private key is compromised, an attacker can use the keys that are stored to gain access to the network. If users must provide a password each time they use the key, it will make it more difficult for an attacker to access locally stored keys.

Solution

To establish the recommended configuration via GP, set the following UI path to User must enter a password each time they use a key :

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System Cryptography: Force strong key protection for user keys stored on the computer

Impact:

A user must provide a password each time they use a key. This is in addition to their domain password.

See Also

https://workbench.cisecurity.org/benchmarks/18857

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Windows

Control ID: 21675082b31a8f73042f1c8ad98f4604d261ab87f689bad502cd7361d455c083