
Domain Member: Require strong (Windows 2000 or later) session key

When a member computer needs to communicate with a domain controller for certain security operations, such as NTLM pass-through authentication and account lookups by SID, the computer establishes a "secure channel" to the domain controller, using its computer account password as the basis for the channel's session key.

Depending on the Windows versions of the computers involved and the values of "Domain Member: Digitally encrypt secure channel data (when possible)" and "Domain Member: Digitally encrypt or sign secure channel data (always)", this computer may negotiate encryption for some or all of the traffic it sends over the secure channel. Normally the two computers negotiate a mutually supported key length, which can be less than 128 bits. This setting prevents this computer from negotiating a session key weaker than 128 bits.

Bottom line

Enabling this setting should be OK unless you still have any back-level NT domain controllers. If you suddenly start having connection problems with non-Microsoft computers or Windows Mobile devices after enabling this setting, you may have a client that is not 128-bit capable for secure channel encryption.
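The following PowerShell audit script is an added example, not part of the WinSecWiki page: it reads the Netlogon registry values that the three "Domain Member" policies named above are stored under, reports whether each is enabled, and then verifies that the secure channel to the domain still works, which is the check to run when the connection problems described in the bottom line appear. It assumes a domain-joined Windows host and an elevated PowerShell prompt.

```powershell
# Added example (not from WinSecWiki): audit the secure-channel hardening
# policies and confirm the channel to a domain controller is still healthy.
# Assumes a domain-joined Windows host, run from an elevated PowerShell prompt.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Policy display name -> REG_DWORD value name it is stored under (1 = enabled)
$policies = [ordered]@{
    'Domain Member: Digitally encrypt or sign secure channel data (always)' = 'RequireSignOrSeal'
    'Domain Member: Digitally encrypt secure channel data (when possible)'   = 'SealSecureChannel'
    'Domain Member: Require strong (Windows 2000 or later) session key'      = 'RequireStrongKey'
}

$props = Get-ItemProperty -Path $key
foreach ($entry in $policies.GetEnumerator()) {
    $value = $props.($entry.Value)
    $state = if ($null -eq $value) { 'not set (OS default applies)' }
             elseif ($value -eq 1)  { 'Enabled' }
             else                   { 'Disabled' }
    '{0,-72} {1}' -f $entry.Key, $state
}

# A channel that breaks right after RequireStrongKey is enabled points at a
# peer that cannot negotiate a 128-bit session key; check the Netlogon
# events in the System log before considering -Repair.
if (Test-ComputerSecureChannel) {
    'Secure channel to the domain: OK'
} else {
    'Secure channel is broken: review System log Netlogon events, then Test-ComputerSecureChannel -Repair'
}
```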
