For unclassified systems, the directory server must be configured to use the CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.

Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

For unclassified systems, the directory server must be configured to use the CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15488	AD.1033_2008_R2	SV-36196r2_rule	IAIA-1 IAIA-2	Medium

Description
CTO 07-015 requires PKI authentication. PKI is a two-factor authentication technique, thus it provides a higher level of trust in the asserted identity than use of the username/password authentication technique.

STIG	Date
Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide	2012-09-05

Details

Check Text ( C-14510r1_chk )
Use the following procedure to check a sample of accounts. 1. Open Active Directory Users and Computers 2. Select the Users node 3. For each User account sampled, right click and select Properties 4. Select the Account tab 5. View the setting in Account Options area. 6. Verify that the option “Smart card is required for interactive logon” is checked.

Fix Text (F-28436r2_fix)
Configure all user accounts including administrator accounts in Active Directory to enable the option “Smart card is required for interactive logon”.