STIGQter: STIG Summary: Windows 2008 Member Server Security Technical Implementation Guide, Version 6, Release 43, Benchmark Date: 26 Jul 2019: Outgoing secure channel traffic is not signed when possible.

DISA Rule

SV-29518r1_rule

Vulnerability Number

V-1164

Group Title

Signing of Secure Channel Traffic

Rule Version

3.042

Severity

CAT II

CCI(s)

Weight

10

False Positives

If the value for “Domain Member: Digitally encrypt or sign secure channel data (always)” is set to “Enabled”, then this would not be a finding.

Fix Recommendation

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Domain Member: Digitally sign secure channel data (when possible)” to “Enabled”.

Check Contents

Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> Security Options.

If the value for “Domain Member: Digitally sign secure channel data (when possible)” is not set to “Enabled”, then this is a finding.

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\

Value Name: SignSecureChannel

Value Type: REG_DWORD
Value: 1

Note: If the value for “Domain Member: Digitally encrypt or sign secure channel data (always)” is set to “Enabled”, then this would not be a finding.
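As an added example (not part of the STIG text or of STIGQter), the following PowerShell check reads the registry value named above on the member server and applies the exception in the note. It assumes that `RequireSignOrSeal` under the same Netlogon key is the value behind “Domain Member: Digitally encrypt or sign secure channel data (always)”, per Microsoft's policy-to-registry mapping; that value is not stated on this page.

```powershell
# Added example (not DISA or STIGQter code): evaluate V-1164 / SV-29518r1_rule
# from the Netlogon registry values, honouring the "(always)" exception.
# Run in an elevated PowerShell session on the member server being reviewed.
$NetlogonParams = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonValue {
    param([string]$Name)
    # Returns $null when the value is absent so "not defined" is reported
    # distinctly from "present but 0"; the rule treats both as not Enabled.
    $item = Get-ItemProperty -Path $NetlogonParams -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-V1164 {
    # SignSecureChannel is the value this STIG rule names for "(when possible)".
    $signWhenPossible = Get-NetlogonValue 'SignSecureChannel'
    # RequireSignOrSeal is ASSUMED to back "encrypt or sign ... (always)";
    # it comes from Microsoft's documented mapping, not from the STIG page.
    $signOrSealAlways = Get-NetlogonValue 'RequireSignOrSeal'

    if ($signOrSealAlways -eq 1) {
        return [pscustomobject]@{
            Rule = 'V-1164'; Status = 'Not a Finding'
            Detail = 'RequireSignOrSeal=1: "(always)" policy is Enabled and supersedes this rule.'
        }
    }
    if ($signWhenPossible -eq 1) {
        return [pscustomobject]@{
            Rule = 'V-1164'; Status = 'Not a Finding'
            Detail = 'SignSecureChannel=1: "(when possible)" policy is Enabled.'
        }
    }
    $shown = if ($null -eq $signWhenPossible) { 'not defined' } else { "$signWhenPossible" }
    return [pscustomobject]@{
        Rule = 'V-1164'; Status = 'Open'
        Detail = "SignSecureChannel is $shown (expected 1). Apply the Fix Recommendation."
    }
}

Test-V1164 | Format-List
```

The object's `Status` field maps directly onto the STIG finding states, so the output can be fed into a checklist rather than read by eye.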

Documentable

False

Severity Override Guidance

Check Content Reference

M

Third-Party Tools

HK

Responsibility

System Administrator

Target Key

1340

Comments