Windows Server 2019 • Release: 7 Benchmark Date: 05 Jan 2026

CAT II V-271428 WN19-DC-000391

Windows Server 2019 must be configured for certificate-based authentication for domain controllers.

Documentable: No
Rule ID: SV-271428r1137691_rule
CCI References: CCI-000213

An Active Directory Domain Services elevation of privilege vulnerability could allow a user to gain rights to the system, such as administrative and other high-level capabilities.

Check Procedure

This applies to domain controllers. This is not applicable for member servers.

If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SYSTEM\CurrentControlSet\Services\Kdc
Value Name: StrongCertificateBindingEnforcement
Value Type: REG_DWORD
Value: 0x00000001 (1) or 0x00000002 (2)

Fix Action

Configure the registry value.
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SYSTEM\CurrentControlSet\Services\Kdc
Value Name: StrongCertificateBindingEnforcement
Value Type: REG_DWORD
Value: 0x00000001 (1) or 0x00000002 (2)
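
An added PowerShell example (not part of the benchmark text) that automates the Check Procedure and Fix Action above. The function names are hypothetical, and scoping the check to domain controllers through Win32_OperatingSystem.ProductType is an assumption of this example.

```powershell
# Added example: audit and set the KDC registry value named in this rule.
$KdcPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'
$Allowed   = 1, 2   # values the Check Procedure accepts

function New-CheckResult([string]$Status, [string]$Detail) {
    [pscustomobject]@{ Rule = 'WN19-DC-000391'; Status = $Status; Detail = $Detail }
}

# Hypothetical helper implementing the Check Procedure.
function Test-StrongCertificateBinding {
    # ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    if ($productType -ne 2) {
        return New-CheckResult 'NotApplicable' 'Host is not a domain controller'
    }

    $key = Get-Item -LiteralPath $KdcPath -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $ValueName) {
        return New-CheckResult 'Finding' "$ValueName does not exist"
    }

    # A value of the right number but the wrong type is still a finding.
    $kind = $key.GetValueKind($ValueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return New-CheckResult 'Finding' "Type is $kind, expected REG_DWORD"
    }

    $data = $key.GetValue($ValueName)
    if ($Allowed -notcontains $data) {
        return New-CheckResult 'Finding' "Value is $data, expected 1 or 2"
    }
    New-CheckResult 'NotAFinding' "Value is $data (REG_DWORD)"
}

# Hypothetical helper implementing the Fix Action; run elevated on a domain controller.
function Set-StrongCertificateBinding {
    param([Parameter(Mandatory)][ValidateSet(1, 2)][int]$Value)
    New-ItemProperty -LiteralPath $KdcPath -Name $ValueName `
        -PropertyType DWord -Value $Value -Force | Out-Null
    Test-StrongCertificateBinding   # re-check so the result records the new state
}

Test-StrongCertificateBinding
```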