STIGQter: STIG Summary: Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide Version: 3 Release: 2 Benchmark Date: 04 May 2021:

PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).

DISA Rule

SV-226266r569184_rule

Vulnerability Number

V-226266

Group Title

SRG-OS-000066-GPOS-00034

Rule Version

WN12-PK-000007-DC

Severity

CAT I

CCI(s)

• CCI-000185 - The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.

Weight

10

Fix Recommendation

Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details.

Check Contents

Open "PowerShell" as Administrator.

Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled -AutoSize".

Review the User Principal Name (UPN) of user accounts, including administrators.

Exclude the built-in accounts such as Administrator and Guest.

If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding.

For standard NIPRNET certificates the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI).

Alt Tokens and other certificates may use a different UPN format than the EDI-PI, which vary by organization. Verify these with the organization.

NIPRNET Example:
Name - User Principal Name
User1 - 1234567890@mil

See PKE documentation for other network domain suffixes.

If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.

Vulnerability Number

V-226266

Documentable

False

Rule Version

WN12-PK-000007-DC

Severity Override Guidance

Open "PowerShell" as Administrator.

Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled -AutoSize".

Review the User Principal Name (UPN) of user accounts, including administrators.

Exclude the built-in accounts such as Administrator and Guest.

If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding.

For standard NIPRNET certificates the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI).

Alt Tokens and other certificates may use a different UPN format than the EDI-PI, which vary by organization. Verify these with the organization.

NIPRNET Example:
Name - User Principal Name
User1 - 1234567890@mil

See PKE documentation for other network domain suffixes.

If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.

Check Content Reference

M

Target Key

4217

Comments