Microsoft Windows Server 2022 STIG Version Comparison
Microsoft Windows Server 2022 Security Technical Implementation Guide
Comparison
There are 4 differences between versions v2 r1 (July 24, 2024) (the "left" version) and v2 r3 (Jan. 15, 2025) (the "right" version).
Check WN22-DC-000405 was added to the benchmark in the "right" version.
Text Differences
Title
Windows Server 2022 must be configured for certificate-based authentication for domain controllers.
Check Content
This applies to domain controllers. This is not applicable for member servers.
If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SYSTEM\CurrentControlSet\Services\Kdc
Value Name: StrongCertificateBindingEnforcement
Value Type: REG_DWORD
Value: 0x00000001 (1) or 0x00000002 (2)
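One way to automate the check above on the local machine, as an added PowerShell example that is not part of the STIG text. The function name `Test-StrongCertificateBinding` and the result object shape are hypothetical, and using `Win32_OperatingSystem.ProductType` (2 = domain controller) to decide applicability is an assumption of this example.

```powershell
# Added example (not from the STIG): audit WN22-DC-000405 locally.
# Function name and output fields are hypothetical.
function Test-StrongCertificateBinding {
    [CmdletBinding()]
    param()

    $id   = 'WN22-DC-000405'
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $name = 'StrongCertificateBindingEnforcement'

    # Assumption: ProductType 2 = domain controller (1 = workstation, 3 = member server).
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    if ($productType -ne 2) {
        return [pscustomobject]@{ Check = $id; Status = 'NotApplicable'; Detail = 'Not a domain controller' }
    }

    # A missing key or missing value is a finding, so do not let the lookup throw.
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $name) {
        return [pscustomobject]@{ Check = $id; Status = 'Finding'; Detail = 'Value does not exist' }
    }

    # The check requires REG_DWORD; a string "1" must not pass.
    $kind = $key.GetValueKind($name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return [pscustomobject]@{ Check = $id; Status = 'Finding'; Detail = "Value type is $kind, expected DWord" }
    }

    # Only 1 or 2 satisfy the check; anything else (including 0) is a finding.
    $value = $key.GetValue($name)
    if ($value -notin 1, 2) {
        return [pscustomobject]@{ Check = $id; Status = 'Finding'; Detail = "Value is $value, expected 1 or 2" }
    }

    [pscustomobject]@{ Check = $id; Status = 'NotAFinding'; Detail = "Value is $value" }
}

Test-StrongCertificateBinding
```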
Discussion
An Active Directory Domain Services elevation of privilege vulnerability could allow a user to gain rights to the system, such as administrative and other high-level capabilities.
Fix
Configure the registry value.
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SYSTEM\CurrentControlSet\Services\Kdc
Value Name: StrongCertificateBindingEnforcement
Value Type: REG_DWORD
Value: 0x00000001 (1) or 0x00000002 (2)