Domain member: Digitally sign secure channel data (when possible)

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Domain member: Digitally sign secure channel data (when possible)

Description

This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.

When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID\Name Lookup etc.

This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic (Windows NT 4.0 Service Pack 6 or higher), then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.

Default: Enabled.

Configuring this security setting

You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

For specific instructions about how to configure security policy settings, see Edit security settings on a Group Policy object.

Notes

  • If the policy Domain member: Digitally encrypt or sign secure channel data (always) is enabled, then this policy is assumed to be enabled regardless of its current setting.

  • Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.

For more information, see: