SV-224993r569186_rule
V-224993
SRG-OS-000066-GPOS-00034
WN16-DC-000300
CAT I
10
Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details.
This applies to domain controllers. It is NA for other systems.
Review user account mappings to PKI certificates.
Open "Windows PowerShell".
Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled".
Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.
If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding.
For standard NIPRNet certificates the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI).
Alt Tokens and other certificates may use a different UPN format than the EDI-PI which vary by organization. Verified these with the organization.
NIPRNet Example:
Name - User Principal Name
User1 - 1234567890@mil
See PKE documentation for other network domain suffixes.
If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.
V-224993
False
WN16-DC-000300
This applies to domain controllers. It is NA for other systems.
Review user account mappings to PKI certificates.
Open "Windows PowerShell".
Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled".
Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.
If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding.
For standard NIPRNet certificates the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI).
Alt Tokens and other certificates may use a different UPN format than the EDI-PI which vary by organization. Verified these with the organization.
NIPRNet Example:
Name - User Principal Name
User1 - 1234567890@mil
See PKE documentation for other network domain suffixes.
If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.
M
4205