CCE-47720-8Platform: cpe:/o:microsoft:windows_server_2016 | Date: (C)2022-09-02 (M)2023-07-04 |
Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain.If you enable this policy setting, the devices credentials will be selected based on the following options:Automatic: Device will attempt to authenticate using its certificate. If the DC does not support computer account authentication using certificates then authentication with password will be attempted.Force: Device will always authenticate using its certificate. If a DC cannot be found which support computer account authentication using certificates then authentication will fail.If you disable this policy setting, certificates will never be used.If you do not configure this policy setting, Automatic will be used.Fix:(1) GPO: Computer ConfigurationAdministrative TemplatesSystemKerberosSupport device authentication using certificate(2) REG: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesSystemKerberosParameters!DevicePKInitEnabled(2) REG: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesSystemKerberosParameters!DevicePKInitBehavior
Parameter:
[enabled/disabled, Automatic/Force]
Technical Mechanism:
(1) GPO: Computer Configuration\Administrative Templates\System\Kerberos\Support device authentication using certificate
(2) REG: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!DevicePKInitEnabled
(2) REG: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!DevicePKInitBehavior
CCSS Severity: | CCSS Metrics: |
CCSS Score : 9.8 | Attack Vector: NETWORK |
Exploit Score: 3.9 | Attack Complexity: LOW |
Impact Score: 5.9 | Privileges Required: NONE |
Severity: CRITICAL | User Interaction: NONE |
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:83655 |