S 5.89 Configuration of the Secure Channel under Windows
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Computers in a Windows domain exchange administrative data, for example between a member computer and a domain controller when a user logs on, or between the domain controllers of a domain. This traffic regularly contains sensitive data (such as authentication data) that must be protected in transit. Windows NT introduced the Secure Channel (the Netlogon secure channel) for this purpose. The mechanism is also used in Windows 2000 and higher versions and must be configured according to the security requirements and the local conditions. In these versions it provides authentication of both communication partners, encryption to maintain confidentiality, and signatures to ensure integrity.
The Secure Channel is configured using group policies. When configuring the group policies, the following must be taken into account:
- Authentication of both communication partners is always performed; encryption and signing can be requested independently of each other ("when possible"). If the communication partner does not support the requested mechanism, it is simply not used and the data is transmitted unsigned or unencrypted, i.e. insecurely.
- Encryption or signing can also be made a prerequisite for establishing the channel ("always"). If the communication partner does not support the mechanism, the communication request is rejected; as a result, affected clients may no longer be able to log on to the domain. This option should therefore only be enabled when all IT systems in the domain and all IT systems in all trusted domains support encryption and signing.
- The strength of the session key generated for encryption can be raised from the level available in Windows NT to the level available in Windows 2000 or higher versions. This option may only be used when all IT systems in the domain and all IT systems in all trusted domains run Windows 2000 or higher; if it is enabled, IT systems running older Windows versions can no longer log on to the domain.
The following group policy parameters are relevant to the configuration:
- Secure channel: Digitally sign secure channel data (when possible)
- Secure channel: Digitally encrypt secure channel data (when possible)
- Secure channel: Digitally encrypt or sign secure channel data (always)
- Secure channel: Require strong (Windows 2000 or later) session key
These parameters can be found in Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.
In Windows XP, Windows Vista, and Windows 7, the corresponding settings are the following:
- Domain member: Digitally sign secure channel data (when possible)
- Domain member: Digitally encrypt secure channel data (when possible)
- Domain member: Digitally encrypt or sign secure channel data (always)
- Domain member: Require strong (Windows 2000 or later) session key
- Domain member: Disable machine account password changes
- Domain member: Maximum machine account password age (default: 30 days; in typical cases this value should not be raised)
These parameters can be found in Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.
If the network contains IT systems running operating systems older than Windows 2000, then only the two "when possible" options (sign and encrypt) should be enabled. If Windows 2000 or higher is installed on all IT systems in the domain and in all trusted domains, then the "always" option and the strong session key option should be enabled as well. In both cases, "Disable machine account password changes" must remain disabled so that machine account passwords continue to be rotated, and the maximum machine account password age should be left at its default of 30 days.
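The following script is an added example and is not part of safeguard S 5.89. It checks the locally effective values of the group policy parameters listed above. The registry value names it reads are the ones these policies write below the Netlogon service key; the parameter AllSystemsWindows2000OrLater is a hypothetical switch of this example with which the administrator records whether the "always" and strong session key options may be required in the domain. The final check with Test-ComputerSecureChannel only runs where that cmdlet is available (Windows 7 and later).

```powershell
# Added example (not part of S 5.89): audit the local secure channel settings
# against the recommendation above. Run in an elevated PowerShell session on a
# domain member or domain controller.
param(
    # Hypothetical switch of this example: set to $true only if every IT system in
    # this domain and in all trusted domains runs Windows 2000 or later.
    [bool]$AllSystemsWindows2000OrLater = $false
)

# Registry location written by the "Secure channel:" / "Domain member:" policies.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Expected values: 1 = enabled, 0 = disabled; MaximumPasswordAge is in days.
$expected = [ordered]@{
    SignSecureChannel     = 1                                   # sign (when possible)
    SealSecureChannel     = 1                                   # encrypt (when possible)
    RequireSignOrSeal     = [int]$AllSystemsWindows2000OrLater  # encrypt or sign (always)
    RequireStrongKey      = [int]$AllSystemsWindows2000OrLater  # strong (Windows 2000 or later) session key
    DisablePasswordChange = 0                                   # password rotation must stay enabled
    MaximumPasswordAge    = 30                                  # default, must not be raised
}

$results = foreach ($name in $expected.Keys) {
    $item   = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.$name } else { $null }
    $ok = switch ($name) {
        # An absent value means the 30-day default applies; any value above 30 is a finding.
        'MaximumPasswordAge' { ($null -eq $actual) -or ($actual -le 30) }
        # For the remaining settings an absent value means no policy has been applied;
        # report it as non-compliant so that the administrator sets it explicitly.
        default              { ($null -ne $actual) -and ($actual -eq $expected[$name]) }
    }
    [pscustomobject]@{
        Setting   = $name
        Expected  = $expected[$name]
        Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
        Compliant = $ok
    }
}

$results | Format-Table -AutoSize

# Confirm that the channel to a domain controller is actually established.
if (Get-Command Test-ComputerSecureChannel -ErrorAction SilentlyContinue) {
    try {
        if (-not (Test-ComputerSecureChannel)) {
            Write-Warning 'Secure channel to the domain is broken; repair with Test-ComputerSecureChannel -Repair -Credential (Get-Credential)'
        }
    } catch {
        Write-Warning "Secure channel test failed: $_"
    }
}

# Exit code 1 if any setting deviates, so the script can be used in an automated check.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

The script reports the locally effective values; where the settings are delivered by group policy, run gpupdate /force first so that the registry reflects the current policy before the check is evaluated.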
Review questions:
- Was the Secure Channel under Windows configured according to the security requirements and the local conditions?
- Did the configuration of the Secure Channel under Windows take into consideration all relevant group policy parameters?