PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| WN12-PK-000006-DC | WN12-PK-000006-DC | WN12-PK-000006-DC_rule | High |
| Description |
|---|
| A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. |
| STIG | Date |
|---|---|
| Microsoft Windows Server 2012 Domain Controller Security Technical Implementation Guide | 2013-07-25 |
Details
| Check Text ( C-WN12-PK-000006-DC_chk ) |
|---|
| Verify the source of PKI certificates associated with user accounts in active directory. Open Active Directory Users and Computers. (Available from various menus or run "dsa.msc".) Select the Users container or the OU in which user accounts have been identified. For each User account sampled, right click and select Properties. Select the Published Certificates tab. Examine the Issued By field for the certificates to determine the issuing CA. If the Issued By field of any PKI certificate being stored with an account does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding. Severity Override: If the certificates in use are issued by a CA authorized by the Component's CIO, this is a Category II finding. |
| Fix Text (F-WN12-PK-000006-DC_fix) |
|---|
| Replace unauthorized certificates associated with user accounts with ones issued by the DoD PKI or an approved External Certificate Authority. |