
System cryptography: Force strong key protection for user keys stored on the computer

The Windows PKI includes support for storing user certificates and the corresponding private key in the user's profile. You can then use these certificates for signing documents, logging on to secure websites that require client certificates, and other uses. Windows can protect these private keys with three levels of security, as selected by this policy.

Setting: User input is not required when new keys are stored and used
Meaning: Protected by Windows logon. Once the user successfully logs on, his private keys can be accessed without further user intervention.

Setting: User is prompted when the key is first used
Meaning: User confirmation is required when the key is first accessed by a given program. If the user doesn't expect his current activities to request the key, he can decline, on the assumption that malware tried to access the key.

Setting: User must enter a password each time they use a key
Meaning: The user is required to protect the key with a password and to enter that password each time the key is accessed.

Bottom line

Except for extremely high security situations, or where you have no control over the quality of users' Windows account passwords, or where multiple people (each with their own certificate) are all logged on with the same Windows account, I recommend "User input is not required when new keys are stored and used". Just make sure you have a password-protected screen saver enforced through Group Policy.
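As an added example (not part of the WinSecWiki page), the following PowerShell audit reads the effective policy value and applies the decision rule above: level 0 is acceptable only when a password-protected screen saver is also enforced. The registry locations it reads are assumptions to verify against a secedit export on your own build.

```powershell
# Added audit script (not from the WinSecWiki page). Reads the policy values and
# applies the page's decision rule: level 0 is acceptable when a password-protected
# screen saver is enforced; anything else is reported as a finding for review.
# ASSUMED registry locations (verify on your build):
#   HKLM:\SOFTWARE\Policies\Microsoft\Cryptography  ForceKeyProtection  (DWORD 0, 1 or 2)
#   HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop
#       ScreenSaveActive / ScreenSaverIsSecure / ScreenSaveTimeOut  (REG_SZ)

$KeyProtectionLevels = @{
    0 = 'User input is not required when new keys are stored and used'
    1 = 'User is prompted when the key is first used'
    2 = 'User must enter a password each time they use a key'
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # An absent key or value means the policy is "Not Defined"; report that as $null.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-KeyProtectionPolicy {
    $cryptoPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
    $desktopPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

    $level   = Get-PolicyValue $cryptoPath  'ForceKeyProtection'
    $active  = Get-PolicyValue $desktopPath 'ScreenSaveActive'
    $secure  = Get-PolicyValue $desktopPath 'ScreenSaverIsSecure'
    $timeout = Get-PolicyValue $desktopPath 'ScreenSaveTimeOut'
    # [int]$null evaluates to 0, so a missing timeout counts as "not enforced".
    $lockEnforced = ($active -eq '1') -and ($secure -eq '1') -and ([int]$timeout -gt 0)

    $findings = @()
    if ($null -eq $level) {
        $findings += 'ForceKeyProtection is Not Defined; set it explicitly through Group Policy.'
    }
    elseif ([int]$level -eq 0 -and -not $lockEnforced) {
        $findings += 'Level 0 relies on the Windows logon alone; enforce a password-protected screen saver.'
    }
    elseif ([int]$level -ge 1) {
        $findings += 'Key use will prompt the user; confirm this matches a high-security need.'
    }

    [pscustomobject]@{
        ForceKeyProtection      = if ($null -eq $level) { 'Not Defined' } else { "$level - $($KeyProtectionLevels[[int]$level])" }
        ScreenSaverLockEnforced = $lockEnforced
        Findings                = $findings
    }
}

Test-KeyProtectionPolicy | Format-List
```

Run it in the context of the user whose keys you care about, since the screen-saver policy values live under HKCU.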


Additional Resources
    Force strong key protection for user keys stored on the computer
    Use FIPS compliant algorithms for encryption, hashing, and signing