Domain member: Digitally encrypt secure channel data (when possible)

Information

Domain member: Digitally encrypt secure channel data (when possible)

This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.

When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM passthrough authentication, LSA SID/name Lookup etc.

This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.

Default: Enabled.

Important

There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.

Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.

Solution

Policy Path: Security Options
Policy Setting Name: Domain member: Digitally encrypt secure channel data (when possible)

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-3(1)

Plugin: Windows

Control ID: 8744b0b3bbeb2cdaac6f5da873fd3e91a56c5a4d1119859a001e946c9644f95c