[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244411

 
 

909

 
 

193363

 
 

277

Paid content will be excluded from the download.


Download | Alert*
OVAL

Domain member: Digitally encrypt or sign secure channel data (always)

ID: oval:org.secpod.oval:def:22576Date: (C)2015-01-07   (M)2023-07-14
Class: COMPLIANCEFamily: windows




This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Default: Enabled. Notes: If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options!Domain member: Digitally encrypt or sign secure channel data (always) (2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters!requiresignorseal

Platform:
Microsoft Windows 8.1
Reference:
CCE-34892-0
CPE    1
cpe:/o:microsoft:windows_8.1
CCE    1
CCE-34892-0
XCCDF    4
xccdf_org.secpod_benchmark_PCI_Windows_8_1
xccdf_org.secpod_benchmark_NIST_800_171_R1_Windows_8_1
xccdf_org.secpod_benchmark_general_Windows_8_1
xccdf_org.secpod_benchmark_SecPod_Windows_8_1
...

© SecPod Technologies