System cryptography: Force strong key protection for user keys stored on the computer
ID: oval:org.secpod.oval:def:80788 | Date: (C)2022-06-06 (M)2023-12-12
Class: COMPLIANCE | Family: windows
This security setting determines whether users' private keys require a password before they can be used.
The options are:
User input is not required when new keys are stored and used
User is prompted when the key is first used
User must enter a password each time they use a key
For more information, see Public key infrastructure.
Default: This policy is not defined.
Counter Measure:
Configure the System cryptography: Force strong key protection for user keys stored on the computer setting to User must enter a password each time they use a key.
Potential Impact:
Users will have to enter their password every time they access a key that is stored on their computer. For example, if users use an S/MIME certificate to digitally sign their e-mail, they will be forced to enter the password for that certificate every time they send a signed e-mail message. For some organizations, the overhead involved in using this configuration may be too high.
For end-user computers that are used to access sensitive data, this setting could be set to User is prompted when the key is first used, but Microsoft does not recommend enforcing this setting on servers because of the significant impact on manageability. For example, if this setting is configured to User is prompted when the key is first used, you may not be able to configure Remote Desktop Services to use SSL certificates. More information is available in the Windows PKI blog: http://blogs.technet.com/b/pki/archive/2009/06/17/what-is-a-strong-key-protection-in-windows.aspx.
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer
(2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography!ForceKeyProtection
Platform: Microsoft Windows Server 2022