UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).


Overview

Finding ID Version Rule ID IA Controls Severity
V-26683 DS00.2141_2008_R2 SV-39016r2_rule IAKM-1 IAKM-2 IATS-1 IATS-2 High
Description
A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions.
STIG Date
Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide 2015-09-02

Details

Check Text ( C-38013r2_chk )
Verify the source of PKI certificates associated with user accounts in active directory.

Ask the administrator to identify one or more account entries in the directory for which a PKI certificate has been imported.

Open Active Directory Users and Computers. (Available from various menus or run "dsa.msc".)

Select the Users container or the OU in which user accounts have been identified.
For each User account sampled, right click and select Properties.
Select the Published Certificates tab.
Examine the Issued By field for the certificates to determine the issuing CA.

If the Issued By field of any PKI certificate being stored with an account does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding.
Fix Text (F-33252r2_fix)
Replace unauthorized certificates associated with user accounts with ones issued by the DoD PKI or an approved External Certificate Authority.