CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

18.8.25 Kerberos

This section contains recommendations for Kerberos settings.

This Group Policy section is provided by the Group Policy template Kerberos.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.

18.8.25.1 (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (Scored)

ProfileApplicability:

 Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:

This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain.

Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts.

The recommended state for this setting is: Enabled: Automatic .

Rationale:

Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ kerberos\parameters:DevicePKInitBehavior HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ kerberos\parameters:DevicePKInitEnabled

696 | P a g e