[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244625

 
 

909

 
 

193379

 
 

277

Paid content will be excluded from the download.


Download | Alert*
OVAL

Always send compound authentication first

ID: oval:org.secpod.oval:def:35310Date: (C)2016-06-10   (M)2023-12-13
Class: COMPLIANCEFamily: windows




This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. Note: For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authentication" must be configured and enabled in the resource account domain. If you enable this policy setting and the resource domain requests compound authentication, devices that support compound authentication always send a compound authentication request. If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication. Counter Measure: Enable and configure this setting. Potential Impact: Compound authentication can impact connectivity and file access and make both processes slower. It can also increase the size and complexity of the data in the message, which results in more processing time and greater Kerberos service ticket size. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Kerberos\Always send compound authentication first (2) REG: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!AlwaysSendCompoundId

Platform:
Microsoft Windows 10
Reference:
CCE-43784-8
CCE    1
CCE-43784-8
XCCDF    1
xccdf_org.secpod_benchmark_general_Windows_10

© SecPod Technologies