
Enterprise Admin (EA) and Domain Admin (DA) accounts that require smart cards must have the setting Smart card is required for interactive logon disabled and re-enabled at least every 60 days.


Overview

Finding ID: V-43649
Version: AD.0010
Rule ID: SV-56470r1_rule
IA Controls: IAIA-1
Severity: Medium
Description
When a smart card is required for a domain account, a long random password, unknown to the user, is generated. Unlike accounts whose passwords are controlled by the maximum password age, this password and its associated NT hash are never changed automatically. Disabling and re-enabling "Smart card is required for interactive logon" replaces the account's NT hash with a newly randomized one. Otherwise, the existing NT hash could be reused for Pass-the-Hash in the future.
STIG: Active Directory Domain Security Technical Implementation Guide (STIG)
Date: 2014-04-01

Details

Check Text (C-49395r3_chk)
Verify "Smart card is required for interactive logon" is disabled and re-enabled for all smart card required EA and DA accounts at least every 60 days. If the setting "Smart card is required for interactive logon" is not disabled and then re-enabled for all EA and DA accounts that require smart card logons at least every 60 days, this is a finding.
Fix Text (F-49249r3_fix)
Disable then re-enable "Smart card is required for interactive logon" for all smart card required EA and DA accounts at least every 60 days.
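The following PowerShell script is an added example, not part of the STIG text, that performs the check above and optionally the fix: it lists smart-card-required members of Enterprise Admins and Domain Admins, flags any whose NT hash (as dated by PasswordLastSet) is older than 60 days, and, when remediation is enabled, disables and re-enables the flag for them. It assumes the ActiveDirectory PowerShell module, the default group names, and that it is run in the forest root domain where Enterprise Admins lives.

```powershell
# Added example (not part of the STIG): audit, and optionally remediate,
# smart-card-required EA/DA accounts whose NT hash is older than 60 days.
# Assumes the ActiveDirectory module, default group names, and execution in
# the forest root domain (Enterprise Admins only exists there).
Import-Module ActiveDirectory

$MaxAgeDays = 60
$Remediate  = $false   # set to $true to perform the disable/re-enable toggle
$Groups     = @('Enterprise Admins', 'Domain Admins')
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# Collect user members, recursively so nested group membership is included.
$Members = foreach ($g in $Groups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
}
$Members = $Members | Sort-Object -Property distinguishedName -Unique

foreach ($m in $Members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
                    -Properties SmartcardLogonRequired, PasswordLastSet, Enabled

    # Only accounts that actually require a smart card are in scope.
    if (-not $u.SmartcardLogonRequired) { continue }

    # Enabling SmartcardLogonRequired makes the DC generate a random password,
    # so PasswordLastSet records when the NT hash was last randomized.
    $stale = ($null -eq $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $Cutoff)

    # One report row per in-scope account; Finding = $true means non-compliant.
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        PasswordLastSet = $u.PasswordLastSet
        Finding         = $stale
    }

    if ($stale -and $Remediate) {
        # Disable then re-enable the flag; the re-enable replaces the NT hash.
        Set-ADUser -Identity $u -SmartcardLogonRequired $false
        Set-ADUser -Identity $u -SmartcardLogonRequired $true
    }
}
```

Run it first with $Remediate left at $false to produce the evidence the Check Text asks for; the toggle in the remediation branch is the Fix Text step, and a fresh PasswordLastSet after it confirms the hash was replaced.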