
Domain Member: Digitally encrypt secure channel data (when possible)

“Secure channel” refers to the communication between domain controllers for replication, and between domain controllers and member computers for certain security operations such as NTLM pass-through authentication and account lookups by SID. Jan De Clercq’s article does a good job of explaining secure channels.

Up-to-date Windows computers are capable of negotiating signing and encryption for the secure channel, and normally do so automatically, since this and the next “when possible” setting are enabled by default. This policy, when enabled, prevents the computer from establishing a secure channel unless it is signed or encrypted. Now, why the terminology MS uses is “encrypt OR sign” I don’t know. You’d think you’d want both, or a way to require both. I haven’t been able to get a good explanation on that point.

If “Domain Member: Digitally encrypt or sign secure channel data (always)” is enabled, Windows ignores this “when possible” setting.
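The interaction between the “(always)” and “(when possible)” settings can be checked on a member computer by reading the Netlogon registry values that back them. The script below is an added audit example, not part of the WinSecWiki page; it assumes the standard Netlogon value names (RequireSignOrSeal, SealSecureChannel, SignSecureChannel) and treats a missing value as the default of 1 (enabled), and it must be run on the Windows machine being audited with rights to read HKLM.

```powershell
# Added example (not from the WinSecWiki page): report the effective
# secure-channel signing/encryption policy on this domain member.
# Assumption: the three Netlogon DWORDs below are the registry backing
# for the three Group Policy settings; an absent value is read as 1.
function Get-SecureChannelPolicyState {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    # Read a DWORD by name, falling back to the default of 1 when it is absent
    $read = { param($name) if ($null -ne $props.$name) { [int]$props.$name } else { 1 } }

    $requireAlways    = & $read 'RequireSignOrSeal'   # "...or sign secure channel data (always)"
    $sealWhenPossible = & $read 'SealSecureChannel'   # "Digitally encrypt ... (when possible)"
    $signWhenPossible = & $read 'SignSecureChannel'   # "Digitally sign ... (when possible)"

    # "(always)" takes precedence: when it is on, both "(when possible)" values are ignored
    if ($requireAlways -eq 1) {
        $effective = 'Secure channel must be signed or encrypted; "(when possible)" settings are ignored'
    } elseif ($sealWhenPossible -eq 1 -or $signWhenPossible -eq 1) {
        $effective = 'Signing/encryption negotiated when the peer supports it; unprotected fallback still allowed'
    } else {
        $effective = 'No signing or encryption requested (weak configuration)'
    }

    if ($sealWhenPossible -eq 1) {
        $recommendation = 'Encryption (when possible) is enabled, as the page recommends'
    } else {
        $recommendation = 'Enable "Domain Member: Digitally encrypt secure channel data (when possible)"'
    }

    [pscustomobject]@{
        RequireSignOrSeal_Always       = $requireAlways
        SealSecureChannel_WhenPossible = $sealWhenPossible
        SignSecureChannel_WhenPossible = $signWhenPossible
        EffectiveBehaviour             = $effective
        Recommendation                 = $recommendation
    }
}

Get-SecureChannelPolicyState | Format-List
```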

Enabling this policy can impact the ability of down-level clients, Pocket PCs and non-Microsoft clients to communicate with this computer.

Bottom line

Enable this setting; it won’t break anything and it will make secure channel communications more secure for this computer.
