Microsoft Windows Server 2019 STIG Version Comparison
Microsoft Windows Server 2019 Security Technical Implementation Guide
Comparison
There are 3 differences between versions v3 r2 (Nov. 15, 2024) (the "left" version) and v3 r4 (April 2, 2025) (the "right" version).
Check WN19-DC-000391 was added to the benchmark in the "right" version.
This check's original form is available here.
Text Differences
Title
Windows Server 2019 must be configured for certificate-based authentication for domain controllers.
Check Content
This applies to domain controllers. This is not applicable for member servers. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: SYSTEM\CurrentControlSet\Services\Kdc Value Name: StrongCertificateBindingEnforcement Value Type: REG_DWORD Value: 0x00000001 (1) or 0x00000002 (2)
Discussion
Active Directory domain services elevation of privilege vulnerability could allow a user rights to the system, such as administrative and other high-level capabilities.
Fix
Configure the registry value. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: SYSTEM\CurrentControlSet\Services\Kdc Value Name: StrongCertificateBindingEnforcement Value Type: REG_DWORD Value: 0x00000001 (1) or 0x00000002 (2)