Windows Server 2025 must be configured for certificate-based authentication for domain controllers.

Severity: medium
Group ID: V-278172
Group Title: SRG-OS-000080-GPOS-00048
Version: WN25-DC-000405
Rule ID: SV-278172r1182145_rule
Date: 2026-02-20
STIG Version: 1

Description

An elevation of privilege vulnerability in Active Directory Domain Services could grant a user rights on the system, such as administrative and other high-level capabilities.

Check

This applies to domain controllers. This is not applicable for member servers.

If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SYSTEM\CurrentControlSet\Services\Kdc
Value Name: StrongCertificateBindingEnforcement
Value Type: REG_DWORD
Value: 0x00000001 (1) or 0x00000002 (2)

Fix

Configure the registry value.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SYSTEM\CurrentControlSet\Services\Kdc
Value Name: StrongCertificateBindingEnforcement
Value Type: REG_DWORD
Value: 0x00000001 (1) or 0x00000002 (2)
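The Check and Fix above, as an added PowerShell example that is not part of the STIG text: it confirms the host is a domain controller, evaluates the registry value against the accepted range, and with -Remediate writes the value as REG_DWORD. The function name, parameter names and the hypothetical result object are assumptions of this example.

```powershell
# Added example (not from the STIG): evaluate WN25-DC-000405 on the local host
# and optionally apply the fix. Function and parameter names are my own.
function Test-Wn25Dc000405 {
    [CmdletBinding()]
    param(
        # Apply the fix when the value is missing or out of the accepted range.
        [switch]$Remediate,
        # 1 = Compatibility mode, 2 = Full Enforcement; both satisfy the check.
        [ValidateSet(1, 2)]
        [int]$DesiredValue = 2
    )

    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $valueName = 'StrongCertificateBindingEnforcement'

    # The check applies only to domain controllers.
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -notin 4, 5) {
        return [pscustomobject]@{ Status = 'NotApplicable'; Current = $null }
    }

    # Missing key or missing value name both yield $null here.
    $current = (Get-ItemProperty -Path $regPath -Name $valueName `
                -ErrorAction SilentlyContinue).$valueName

    # A value of 1 or 2 is compliant; anything else (including absent) is a finding.
    if ($null -ne $current -and $current -in 1, 2) {
        return [pscustomobject]@{ Status = 'NotAFinding'; Current = $current }
    }

    if (-not $Remediate) {
        return [pscustomobject]@{ Status = 'Open'; Current = $current }
    }

    # Fix: create the key if needed and write the value as REG_DWORD.
    # -Force overwrites an existing value of the wrong data or type.
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name $valueName -Value $DesiredValue `
        -PropertyType DWord -Force | Out-Null
    return [pscustomobject]@{ Status = 'Remediated'; Current = $DesiredValue }
}

# Report only; add -Remediate (from an elevated session) to apply the fix.
Test-Wn25Dc000405
```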