[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244625

 
 

909

 
 

193379

 
 

277

Paid content will be excluded from the download.


Download | Alert*
OVAL

Require strict KDC validation

ID: oval:org.secpod.oval:def:19475Date: (C)2014-05-29   (M)2023-07-04
Class: COMPLIANCEFamily: windows




The Require strict KDC validation machine setting should be configured correctly. This policy setting controls the Kerberos client's behavior in validating the KDC certificate. If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAUTH store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. If you disable or do not configure this policy setting, the Kerberos client will require only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Kerberos\Require strict KDC validation (2) KEY: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\KdcValidation

Platform:
Microsoft Windows Server 2008 R2
Reference:
CCE-11919-8
CPE    1
cpe:/o:microsoft:windows_server_2008:r2
CCE    1
CCE-11919-8
XCCDF    1
xccdf_org.secpod_benchmark_general_Windows_Server_2008_R2

© SecPod Technologies