Windows Server 2019 must be configured for certificate-based authentication for domain controllers.

STIG ID: WN19-DC-000391  |  SRG: SRG-OS-000080-GPOS-00048 |  Severity: medium |  CCI: CCI-000213 |  Vulnerability Id: V-271428

Vulnerability Discussion

Active Directory domain services elevation of privilege vulnerability could allow a user rights to the system, such as administrative and other high-level capabilities.

Check

This applies to domain controllers. This is not applicable for member servers.

If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SYSTEM\CurrentControlSet\Services\Kdc

Value Name: StrongCertificateBindingEnforcement

Value Type: REG_DWORD
Value: 0x00000001 (1) or 0x00000002 (2)

Fix

Configure the registry value.
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SYSTEM\CurrentControlSet\Services\Kdc

Value Name: StrongCertificateBindingEnforcement

Value Type: REG_DWORD
Value: 0x00000001 (1) or 0x00000002 (2)
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.