PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-26683 | DS00.2141_2008 | SV-33885r3_rule | High |
| Description |
|---|
| A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. |
| STIG | Date |
|---|---|
| Windows 2008 Domain Controller Security Technical Implementation Guide | 2017-03-02 |
Details
| Check Text ( C-74041r1_chk ) |
|---|
| Open a command prompt (CMD.exe). Enter "DSQuery User - Name * | DSGet User -DN -UPN -Display DSQuery can be more focused by adding domain and/or organizational unit names such as "OU=[OU Name], DC=[Domain], DC=[Top Level Domain]" Review the User Principal Name (UPN) of user accounts, including administrators. Exclude built-in accounts such as Administrator and Guest. If the User Principal Name (UPN) is not in the format of an individual's Electronic Data Interchange - Personnel Identifier (EDI-PI) and the appropriate domain suffix, this is a finding. NIPRNET Example: dn - upn - display CN=User1, CN=Users, DC=Test, DC=Mil - 1234567890@mil - User1 See PKE documentation for other network domain suffixes. If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding. |
| Fix Text (F-80491r1_fix) |
|---|
| Map user accounts, including administrators, to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details. |