Information
This policy setting determines whether users can use private keys, such as their Secure/Multipurpose Internet Mail Extensions (S/MIME) key, without a password.
The STIG recommended state for this setting is: User must enter a password each time they use a key.
Rationale:
If a private key is compromised, an attacker can use the stored key to gain access to the network. Requiring users to provide a password each time they use the key makes it more difficult for an attacker to use locally stored keys.
Impact:
A user must provide a password each time they use a key. This is in addition to their domain password.
Solution
To establish the recommended configuration via GP, set the following UI path to User must enter a password each time they use a key:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System Cryptography: Force strong key protection for user keys stored on the computer
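The GP setting above is backed by a single registry value that can be audited directly on a host. The following PowerShell helper is an added example, not part of the STIG text; it reads the value that this policy writes (HKLM\SOFTWARE\Policies\Microsoft\Cryptography\ForceKeyProtection, the documented backing for this GP setting, which the page itself does not quote) and reports whether the host is at the required state. The function names and output fields are my own.

```powershell
# Added audit helper for WN16-SO-000430 (not part of the STIG text above).
# Registry backing of "System cryptography: Force strong key protection for user
# keys stored on the computer" (documented mapping, not quoted on the page):
#   HKLM\SOFTWARE\Policies\Microsoft\Cryptography\ForceKeyProtection (REG_DWORD)
#     absent / 0 = User input is not required when new keys are stored and used
#     1          = User is prompted when the key is first used
#     2          = User must enter a password each time they use a key  (required)

function Test-ForceKeyProtection {
    [CmdletBinding()]
    param(
        [string]$Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography',
        [string]$Name     = 'ForceKeyProtection',
        [int]   $Expected = 2
    )

    # Missing key or value means the policy is Not Configured (the default).
    $actual = $null
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $actual = [int]$item.$Name }

    if ($null -eq $actual) {
        $state = 'Not Configured (no password required)'
    } elseif ($actual -eq 0) {
        $state = 'User input is not required when new keys are stored and used'
    } elseif ($actual -eq 1) {
        $state = 'User is prompted when the key is first used'
    } elseif ($actual -eq 2) {
        $state = 'User must enter a password each time they use a key'
    } else {
        $state = "Unexpected value $actual"
    }

    [pscustomobject]@{
        StigId    = 'WN16-SO-000430'
        VulId     = 'V-225059'
        Value     = "$Path\$Name"
        Actual    = $actual
        Expected  = $Expected
        State     = $state
        Compliant = ($actual -eq $Expected)
    }
}

# Local remediation for a standalone host. Domain-joined hosts should receive the
# value through the GP path above, otherwise the next policy refresh may overwrite it.
function Set-ForceKeyProtection {
    param([int]$Value = 2)
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'ForceKeyProtection' -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

Test-ForceKeyProtection | Format-List
```

Run it from an elevated prompt; a Compliant value of False together with State of Not Configured is the typical finding on an unhardened server, since the default leaves keys usable without a password.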
Default Value:
Not Configured
Additional Information:
Microsoft Windows Server 2016 Security Technical Implementation Guide:
Version 2, Release 2, Benchmark Date: May 04, 2021
Vul ID: V-225059
Rule ID: SV-225059r569186_rule
STIG ID: WN16-SO-000430
Severity: CAT II