Enterprise Admin (EA) and Domain Admin (DA) accounts that require smart cards must have the setting Smart card is required for interactive logon disabled and re-enabled at least every 60 days.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-43649 | AD.0010 | SV-56470r2_rule | IAIA-1 | Medium |
| Description |
|---|
| When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and associated NT hash are not changed as are accounts with passwords controlled by the maximum password age. Disabling and re-enabling the "Smart card is required for interactive logon" replaces the NT hash of the account with a newly randomized hash. Otherwise, the existing NT hash could be re-used for Pass-the-Hash in the future. |
| STIG | Date |
|---|---|
| Active Directory Domain Security Technical Implementation Guide (STIG) | 2014-12-18 |
Details
| Check Text ( C-49395r3_chk ) |
|---|
| Verify "Smart card is required for interactive logon" is disabled and re-enabled for all smart card required EA and DA accounts at least every 60 days. If the setting "Smart card is required for interactive logon" is not disabled then re-enabled for all EA and DA accounts that require smart card logons at least every 60 days, this is a finding. |
| Fix Text (F-49249r3_fix) |
|---|
| Disable then re-enable "Smart card is required for interactive logon" for all smart card required EA and DA accounts at least every 60 days. |