Domain member: Require strong (Windows 2000 or later) session key

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


Description

This security setting determines whether 128-bit key strength is required for encrypted secure channel data.

When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM passthrough authentication, LSA SID\Name Lookup, and so on.

Depending on which version of Windows is running on the domain controller that the domain member is communicating with, and on the settings of the following parameters:

  • Domain member: Digitally encrypt or sign secure channel data (always)

  • Domain member: Digitally encrypt secure channel data (when possible)

some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted.

If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller.

Default: Disabled.

Configuring this security setting

You can configure this security setting by opening the appropriate policy and expanding the console tree as follows: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

For specific instructions about how to configure security policy settings, see Edit security settings on a Group Policy object.

Important

  • In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later.

  • In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
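The following PowerShell script is an added example and is not part of the original page: it audits the three secure channel Security Options discussed above on the local domain member and, with -Enforce, enables the strong session key requirement and re-verifies the secure channel. It assumes these settings are backed by DWORD values under the Netlogon Parameters registry key (RequireStrongKey, RequireSignOrSeal, SealSecureChannel) and that a domain GPO defining the setting overrides a local change.

```powershell
# Added example, not code from the original page.
# Assumption: the Security Options on this page are stored as DWORD values
# (1 = Enabled, 0 = Disabled) under the Netlogon Parameters key; if a domain
# GPO defines the setting, that GPO wins over anything written locally.
param([switch]$Enforce)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Policy name as shown under Security Options, and the registry value backing it
$settings = @(
    @('Domain member: Require strong (Windows 2000 or later) session key',    'RequireStrongKey'),
    @('Domain member: Digitally encrypt or sign secure channel data (always)', 'RequireSignOrSeal'),
    @('Domain member: Digitally encrypt secure channel data (when possible)',  'SealSecureChannel')
)

function Get-SecureChannelSettingState {
    param([string]$ValueName)
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $value = $props.$ValueName
    # A missing value means the OS default applies (Disabled for RequireStrongKey, per the page).
    if ($null -eq $value) { return 'Not configured (default)' }
    if ($value -eq 1)     { return 'Enabled' }
    return 'Disabled'
}

foreach ($pair in $settings) {
    '{0,-72} {1}' -f $pair[0], (Get-SecureChannelSettingState -ValueName $pair[1])
}

if ($Enforce) {
    # With this enabled the member refuses any secure channel that cannot use a
    # 128-bit key, so every DC in the domain must be Windows 2000 or later (see Important).
    Set-ItemProperty -Path $key -Name 'RequireStrongKey' -Value 1 -Type DWord

    # Confirm the member can still establish its secure channel after the change.
    # Test-ComputerSecureChannel needs PowerShell 2.0 or later; nltest /sc_verify is the older tool.
    if (Test-ComputerSecureChannel) {
        'Secure channel verified with RequireStrongKey = 1.'
    } else {
        Write-Warning 'Secure channel verification failed; check that all DCs run Windows 2000 or later.'
    }
}
```

Run the audit without -Enforce first on a representative member before rolling the setting out through Group Policy, since a member that cannot negotiate a 128-bit key will fail to establish its secure channel once the setting is enabled.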

For more information, see: