
Domain Member: Digitally encrypt or sign secure channel data (always)

“Secure channel” refers to the communication between domain controllers for replication, and between domain controllers and member computers for certain security operations such as NTLM pass-through authentication and account lookups by SID. Jan De Clercq’s article does a good job of explaining secure channels.

Up-to-date Windows computers are capable of negotiating signing and encryption for the secure channel, and normally do so automatically because the next 2 “when possible” settings are enabled by default. This policy, when enabled, prevents the computer from establishing a secure channel at all unless that channel is signed or encrypted. Why Microsoft’s terminology is “encrypt or sign” rather than “encrypt and sign” I don’t know; you’d think you’d want both, or at least a way to require both. I haven’t been able to get a good explanation on that point.

If this setting is enabled, Windows ignores the next 2 “when possible” settings, since signing or encryption is already mandatory.
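The following PowerShell function is an added example, not part of the WinSecWiki page, for auditing how the three Domain Member secure-channel settings are actually configured on a computer. It reads the Netlogon registry values that back these policies (RequireSignOrSeal for this “always” setting, SignSecureChannel and SealSecureChannel for the two “when possible” settings) and applies the precedence rule described above: when “always” is enabled, the two “when possible” values are irrelevant. The function name, the output object layout and the treatment of a missing value as “not set” are assumptions of this example.

```powershell
# Added example (not from the WinSecWiki page): report the effective
# secure-channel signing/sealing policy on the local domain member.
# Registry path and value names are the documented Netlogon parameters;
# the Get-SecureChannelPolicy name and output shape are this example's own.
function Get-SecureChannelPolicy {
    [CmdletBinding()]
    param()

    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $props = Get-ItemProperty -Path $path -ErrorAction Stop

    # Read a DWORD policy value; $null means the value is not present in the
    # registry (i.e. not explicitly configured), which we report rather than
    # silently assuming a default.
    function Read-Flag([string]$Name) {
        if ($null -ne $props.PSObject.Properties[$Name]) { [int]$props.$Name } else { $null }
    }

    $always      = Read-Flag 'RequireSignOrSeal'   # "Digitally encrypt or sign ... (always)"
    $signWhen    = Read-Flag 'SignSecureChannel'   # "Digitally sign ... (when possible)"
    $encryptWhen = Read-Flag 'SealSecureChannel'   # "Digitally encrypt ... (when possible)"

    # Precedence: if "always" is enabled the "when possible" settings are ignored.
    if ($always -eq 1) {
        $effective = 'Required: secure channel must be signed or encrypted'
    } elseif ($signWhen -eq 1 -or $encryptWhen -eq 1) {
        $effective = 'Negotiated: signing/encryption used when the DC agrees, not mandatory'
    } else {
        $effective = 'Not requested: no signing/encryption policy set in the registry'
    }

    # Sanity-check that the machine currently has a working secure channel.
    # Test-ComputerSecureChannel is a built-in cmdlet; it fails on non-domain hosts.
    try {
        $channelOk = Test-ComputerSecureChannel -ErrorAction Stop
    } catch {
        $channelOk = $null   # not domain-joined, or no DC reachable
    }

    [PSCustomObject]@{
        ComputerName          = $env:COMPUTERNAME
        RequireSignOrSeal     = $always
        SignSecureChannel     = $signWhen
        SealSecureChannel     = $encryptWhen
        EffectivePolicy       = $effective
        SecureChannelHealthy  = $channelOk
    }
}

# Usage: run in an elevated PowerShell session on a domain member.
Get-SecureChannelPolicy | Format-List
```

Because the “always” setting overrides the other two, a report showing RequireSignOrSeal = 1 with the “when possible” values set to 0 is still a hardened configuration; conversely, RequireSignOrSeal = 0 with both “when possible” values at 1 means protection depends on what the domain controller negotiates. Running the check across a fleet, or comparing it with the corresponding Group Policy result from gpresult, is how a defender confirms the policy actually landed on the machines that matter.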

Enabling this policy can prevent down-level (older) Windows clients, Pocket PCs and non-Microsoft clients that cannot sign or encrypt the secure channel from communicating with this computer.
