WinSecWiki
Domain Member: Digitally encrypt secure channel data (when possible)
“Secure channel” refers to the Netlogon secure channel: the authenticated RPC connection that a domain member establishes to a domain controller using its computer account password, and that domain controllers establish to each other across trusts. Security operations such as NTLM pass-through authentication and account lookups by SID travel over it. Jan De Clerq’s article does a good job of explaining secure channels.
Up-to-date Windows computers can negotiate signing and encryption for the secure channel, and they normally do so automatically because this setting and its companion, “Domain Member: Digitally sign secure channel data (when possible)”, are enabled by default. When this policy is enabled, the domain member requests encryption of all secure channel traffic it initiates; if the domain controller supports it, the whole channel is encrypted, and if it does not, the channel is still established and only the logon information sent over it is encrypted. It is the third setting, “Digitally encrypt or sign secure channel data (always)”, that refuses to bring up an unprotected channel. The “encrypt or sign” wording of that setting is less odd than it looks: sealing (encryption) of Netlogon traffic always includes integrity protection, so “encrypt or sign” means “at least signed”. Enabling “always” guarantees integrity, and the two “when possible” settings decide whether the stronger option, encryption, is negotiated on top of it.
If “Domain Member: Digitally encrypt or sign secure channel data (always)” is enabled, the value of this “when possible” setting is ignored and Windows behaves as if it were enabled.
Because this setting only requests encryption and falls back when the other end cannot provide it, it does not by itself block anyone. The compatibility risk belongs to the “always” setting: a computer configured with it refuses a secure channel that ends up neither signed nor encrypted, which can prevent back-level clients, Pocket PCs and non-Microsoft clients from communicating with this computer.
Bottom line
Enable this setting. It requests encryption only where the domain controller can support it, so it won’t break anything, and it makes this computer’s secure channel traffic confidential rather than merely integrity-protected.
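The following PowerShell is an added example, not part of the WinSecWiki article, showing how to audit the three “Domain Member” secure channel settings on the local computer, enable this one, and verify the channel afterwards. It reads the Netlogon registry values that back these policies (SealSecureChannel for this setting, SignSecureChannel for the sign “when possible” setting, RequireSignOrSeal for the “always” setting); the function and variable names are the example’s own. Run it in an elevated Windows PowerShell session on a domain-joined machine.

```powershell
# Added example (not from the WinSecWiki article): audit and enable the
# "Domain Member" secure channel settings via their Netlogon registry values.
#   SealSecureChannel  -> Digitally encrypt secure channel data (when possible)
#   SignSecureChannel  -> Digitally sign secure channel data (when possible)
#   RequireSignOrSeal  -> Digitally encrypt or sign secure channel data (always)
# Requires an elevated Windows PowerShell session on a domain-joined computer.

$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-SecureChannelPolicy {
    # One object per setting. "Effective" applies the rule from the article: when
    # RequireSignOrSeal is 1, both "when possible" settings count as enabled no
    # matter what their own value is. A missing value means the built-in default
    # (Enabled) applies; that is reported as RawValue = $null.
    $props  = Get-ItemProperty -Path $netlogon
    $always = if ($null -eq $props.RequireSignOrSeal) { 1 } else { [int]$props.RequireSignOrSeal }
    foreach ($name in 'RequireSignOrSeal', 'SealSecureChannel', 'SignSecureChannel') {
        $raw = $props.$name
        $own = if ($null -eq $raw) { 1 } else { [int]$raw }   # default is Enabled
        [pscustomobject]@{
            Setting   = $name
            RawValue  = $raw
            Effective = ($always -eq 1) -or ($own -eq 1)
        }
    }
}

function Enable-SecureChannelEncryption {
    # Sets "Digitally encrypt secure channel data (when possible)" to Enabled.
    # If a domain GPO manages this setting it will re-apply its own value at the
    # next policy refresh, so on managed machines change it in the GPO instead.
    Set-ItemProperty -Path $netlogon -Name SealSecureChannel -Value 1 -Type DWord
}

# Audit before changing anything.
Get-SecureChannelPolicy | Format-Table -AutoSize

# Enable this setting if it is explicitly turned off.
$seal = Get-SecureChannelPolicy | Where-Object Setting -eq 'SealSecureChannel'
if (-not $seal.Effective) {
    Enable-SecureChannelEncryption
    Write-Host 'SealSecureChannel set to 1; Netlogon picks it up on the next secure channel setup.'
}

# Confirm the machine still has a healthy secure channel to a domain controller.
if (Test-ComputerSecureChannel) {
    nltest /sc_query:$env:USERDNSDOMAIN   # shows which DC the channel is established with
} else {
    Write-Warning 'Secure channel is broken; run Test-ComputerSecureChannel -Repair -Credential (Get-Credential)'
}
```

Test-ComputerSecureChannel only tells you that the channel is up, not how it is protected; the negotiated signing and sealing flags are visible in the Netlogon debug log (nltest /dbflag) or on the wire, where RPC traffic at packet-privacy level is what an enabled and honoured SealSecureChannel looks like.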