For unclassified systems, the directory server must be configured to use the CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15488 | AD.1033_2008 | SV-28512r2_rule | IAIA-1 IAIA-2 | Medium |
| Description |
|---|
| CTO 07-015 requires PKI authentication. PKI is a two-factor authentication technique, thus it provides a higher level of trust in the asserted identity than use of the username/password authentication technique. |
| STIG | Date |
|---|---|
| Active Directory Service 2008 Security Technical Implementation Guide (STIG) | 2011-05-23 |
Details
| Check Text ( C-32057r1_chk ) |
|---|
| Use the following procedure to check a sample of accounts. 1. Open Active Directory Users and Computers. 2. Select the Users node. 3. For each User account sampled, right-click and select Properties. 4. Select the Account tab. 5. View the setting in Account Options area. 6. Verify that the option “Smart card is required for interactive logon” is checked. |
| Fix Text (F-28436r1_fix) |
|---|
| Configure user accounts in Active Directory to enable the option “Smart card is required for interactive logon”. |