ASC建议使用可逆加密存储密码 [英] ASC Recommendation for Store Passwords Using Reversible Encryption
问题描述
ASC当前正在报告根据CCE-36286-3,我的Windows Server 2016 IaaS虚拟机不符合此建议.建议在我的GPO中将此设置绝对设置为禁用".此检查正确吗? 在Azure中?目前,它似乎正在寻找一个值"1",我认为在这种情况下意味着启用了该值?在Azure推荐输出中也存在拼写错误.....
ASC is currently reporting under CCE-36286-3 that my Windows Server 2016 IaaS virtual machines are not compliant with this recommendation. This setting is definitely set to disabled in my GPO which is the recommendation. Is this check correct in Azure? Currently it seems to be looking for a value of '1' which I believe means enabled in this instance? There is also a spelling mistake in the Azure recommendation output.....
您可以确认默认Azure安全检查中的值是否不正确吗?
Can you confirm if this is an incorrect value in the default Azure Security check?
确保使用可逆加密存储密码"设置为已禁用"
该检查似乎正在寻找系统访问权限:ClearTextPassword,其预期值为'1',但这是不正确的,因此不建议这样做.
The check seems to be looking for System Access: ClearTextPassword with an expected value of '1', however this is incorrect and not recommended.
ClearTextPassword:指示是否必须使用可逆加密存储密码的标志.该值必须在0到2 ^ 16之间.值为0表示未使用可逆加密存储密码.任何其他有效值表示 密码以可逆加密方式存储.
ClearTextPassword: Flag that indicates whether passwords MUST be stored by using reversible encryption. This value MUST be between 0 and 2^16. A value of 0 indicates that the password is not stored using reversible encryption. Any other valid value indicates that the password is stored with reversible encryption.
不建议使用此标志.
致谢
迈克
推荐答案
Hello Mike,CCE-36286与以下策略有关:计算机配置\策略\ Windows设置\安全设置\帐户策略\密码政策\使用可逆加密存储密码
Hello Mike, CCE-36286 is related to the following policy Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption
您可以使用secpol.msc在帐户策略->密码策略"下查看当前值
You can use secpol.msc to view your current value under Account policies ->Password Policies
如果您在注册表中查看此策略 HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ SeCEdit \ Reg值
If you look at this policy in the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values
当注册表名称以DisableXXXX开头时,将期望为1.如果不存在注册表项,则Windows将为此条目使用默认值1.
When the registry name start with DisableXXXX is going to expect a 1. If the Registry key is not present windows will use the default value which is 1 for this entry.
希望这有助于弄清混乱之处.
Hope this help clarify the confusion.
恭喜.
古斯塔沃·洛佩兹.
这篇关于ASC建议使用可逆加密存储密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
