CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

Remediation:

To establish the recommended configuration via GP, set the following UI path to User is prompted when the key is first used (configuring to User must enter a password each time they use a key also conforms to the benchmark):

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer

Impact:

Users will have to enter their password the first time they access a key that is stored on their computer. For example, if users use an S-MIME certificate to digitally sign their e-mail they will be forced to enter the password for that certificate the first time that they send a signed e-mail message. For even stronger security, the value User must enter a password each time they use a key can be set, but the overhead that is involved using this configuration may be too high for some organizations. Microsoft does not recommend enforcing this setting on servers due to the significant impact on manageability. For example, you may not be able to configure Remote Desktop Services to use SSL certificates. More information is available in the Windows PKI TechNet Blog here: What is a strong key protection in Windows?.

Default Value:

User input is not required when new keys are stored and used.

References:

1. CCE-35007-4

CIS Controls:

Version 6

16.14 Encrypt/Hash All Authentication Files And Monitor Their Access Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.

Version 7

16.4 Encrypt or Hash all Authentication Credentials Encrypt or hash with a salt all authentication credentials when stored.

274 | P a g e