Administrative accounts for critical servers, that require smart cards, must have the setting Smart card is required for interactive logon disabled and re-enabled at least every 60 days.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-43650 | AD.0011 | SV-56471r2_rule | IAIA-1 | Medium |
| Description |
|---|
| When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and associated NT hash are not changed as are accounts with passwords controlled by the maximum password age. Disabling and re-enabling the "Smart card is required for interactive logon" replaces the NT hash of the account with a newly randomized hash. Otherwise, the existing NT hash could be re-used for Pass-the-Hash in the future. Critical servers are any servers that provide functions that would significantly degrade mission effectiveness if disrupted, altered, or leaked. Examples include email, collaboration (e.g., SharePoint), virtualization, configuration management, file sharing, and backup servers. |
| STIG | Date |
|---|---|
| Active Directory Domain Security Technical Implementation Guide (STIG) | 2014-12-18 |
Details
| Check Text ( C-49396r3_chk ) |
|---|
| Verify "Smart card is required for interactive logon" is disabled and re-enabled for all smart card required administrative accounts associated with critical servers at least every 60 days. If the setting "Smart card is required for interactive logon" is not disabled then re-enabled for all critical server administrative accounts that require smart card logons at least every 60 days, this is a finding. |
| Fix Text (F-49250r3_fix) |
|---|
| Disable then re-enable "Smart card is required for interactive logon" for all smart card required critical server administrative accounts at least every 60 days. |