1.1.1.2.1.55 Configure 'System cryptography: Force strong key protection for user keys stored on the computer'

Information

This policy setting determines whether users' private keys (such as their S/MIME keys) require a password before they can be used. If a user's account is compromised, or their computer is inadvertently left unsecured, a malicious user can use the keys stored for that user to access protected resources. You can configure this policy setting so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even an attacker who takes control of the user's computer and discovers their logon password.

Solution

Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer

Impact: Users will have to enter their password every time they access a key that is stored on their computer. For example, if users use an S/MIME certificate to digitally sign their e-mail, they will be forced to enter the password for that certificate every time they send a signed e-mail message. For some organizations, the overhead involved in using this configuration may be too high. For end-user computers that are used to access sensitive data, this setting could be set to 'User is prompted when the key is first used', but Microsoft does not recommend enforcing this setting on servers because of the significant impact on manageability. For example, if this setting is configured to 'User is prompted when the key is first used', you may not be able to configure Remote Desktop Services to use SSL certificates. More information is available in the Windows PKI blog: http://blogs.technet.com/b/pki/archive/2009/06/17/what-is-a-strong-key-protection-in-windows.aspx.
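As an added example, not part of the Tenable/CIS text, the following PowerShell audit reads the effective value of this setting and reports whether it meets a chosen minimum. The registry path, the ForceKeyProtection value name and the 0/1/2 meanings are assumed from Microsoft's documentation of this policy rather than stated on this page; the supported way to change the setting remains the Group Policy path given in the Solution.

```powershell
# Added example (not from the CIS benchmark or Tenable audit file).
# Assumption: the policy is backed by the REG_DWORD 'ForceKeyProtection' under
# HKLM\SOFTWARE\Policies\Microsoft\Cryptography, which Group Policy writes when
# the setting is defined. Value meanings (assumed from Microsoft documentation):
#   0 = User input is not required when new keys are stored and used
#   1 = User is prompted when the key is first used
#   2 = User must enter a password each time they use a key
$RegPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
$ValueName = 'ForceKeyProtection'
$Meaning = @{
    0 = 'User input is not required when new keys are stored and used'
    1 = 'User is prompted when the key is first used'
    2 = 'User must enter a password each time they use a key'
}

function Get-ForceKeyProtectionState {
    # Returns the raw value and its human-readable state; $null value means "Not Defined".
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; State = 'Not Defined (OS default: no user input required)' }
    }
    $v = [int]$item.$ValueName
    $state = if ($Meaning.ContainsKey($v)) { $Meaning[$v] } else { "Unrecognised value $v" }
    [pscustomobject]@{ Value = $v; State = $state }
}

function Test-ForceKeyProtection {
    # $Minimum 1 matches the end-user-computer recommendation above; 2 is the strictest setting.
    param([ValidateSet(1, 2)][int]$Minimum = 1)
    $current = Get-ForceKeyProtectionState
    $pass = ($null -ne $current.Value) -and ($current.Value -ge $Minimum)
    [pscustomobject]@{
        Current         = $current.State
        RequiredAtLeast = $Meaning[$Minimum]
        Compliant       = $pass
    }
}

# Audit this computer against the 'prompt on first use' minimum.
Test-ForceKeyProtection -Minimum 1 | Format-List
```

Run it on a server with `-Minimum 2` only if you have accepted the manageability impact described above; a 'Not Defined' result is reported as non-compliant because the OS default requires no user input.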

See Also

https://workbench.cisecurity.org/files/42

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2), CCE|CCE-8462-4

Plugin: Windows

Control ID: 9b83d5bf12fb1566e81c4de456b1dea23c1fb55dd043132632e92373678c2fca