[Forgot Password]
Login  Register Subscribe

23631

 
 

122183

 
 

98060

 
 

909

 
 

79198

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CCE
view XML

CCE-45958-6

Platform: win2016Date: (C)2017-08-03   (M)2017-10-16



"Domain member: Require strong (Windows 2000 or later) session key" When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all domain controllers in the domain must be able to encrypt secure channel data with a strong key, which means all domain controllers must be running Microsoft Windows 2000 or later. If communication to non-Windows 2000 -based domains is required, Microsoft recommends that you disable this policy setting. Vulnerability: Session keys that are used to establish secure channel communications between domain controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.) Counter Measure: Enable the Domain member: Require strong (Windows 2000 or later) session key setting. If you enable this policy setting, all outgoing secure channel traffic will require a strong, Windows 2000 or later encryption key. If you disable this policy setting, the key strength is negotiated. You should only enable this policy setting if the domain controllers in all trusted domains support strong keys. By default, this policy setting is disabled. Potential Impact: Computers that have this policy setting enabled will not be able to join Windows NT 4.0 domains, and trusts between Active Directory domains and Windows NT-style domains may not work properly. Also, computers that do not support this policy setting will not be able to join domains in which the domain controllers have this policy setting enabled.


Parameter: requirestrongkey


Technical Mechanism: Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options (2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters!requirestrongkey

References:

Resource IdReference
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:40289


OVAL    1
oval:org.secpod.oval:def:40289
XCCDF    3
xccdf_org.secpod_benchmark_general_Windows_Server_2016
xccdf_org.secpod_benchmark_NIST_800_171_R1_Windows_Server_2016
xccdf_org.secpod_benchmark_PCI_3_2_Windows_Server_2016

© 2013 SecPod Technologies