
Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), PIV-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.


Overview

Finding ID: V-15488
Version: AD.1033_2008_R2
Rule ID: SV-36196r3_rule
IA Controls: (none listed)
Severity: Medium
Description
Smart cards such as the Common Access Card (CAC) support a two-factor authentication technique. This provides a higher level of trust in the asserted identity than use of the username and password for authentication.
STIG: Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide
Date: 2017-02-27

Details

Check Text ( C-66221r2_chk )
Verify that Active Directory user accounts, including administrators, have "Smart card is required for interactive logon" selected.

Run "Active Directory Module for Windows PowerShell".
Enter the following:
"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name"
("DistinguishedName" may be substituted for "Name" for more detailed output.)
If any user accounts are listed, this is a finding.

Alternately:
To view sample accounts in "Active Directory Users and Computers" (Available from various menus or run "dsa.msc"):
Select the Organizational Unit (OU) where the User accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.)
Right-click the sample User account and select "Properties".
Select the "Account" tab.
If any User accounts do not have "Smart card is required for interactive logon" checked in the "Account Options" area, this is a finding.
Fix Text (F-71585r2_fix)
Configure all user accounts, including administrator accounts, in Active Directory to enable the option "Smart card is required for interactive logon".

Run "Active Directory Users and Computers" (Available from various menus or run "dsa.msc"):
Select the Organizational Unit (OU) where the user accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.)
Right-click the user account and select "Properties".
Select the "Account" tab.
Check "Smart card is required for interactive logon" in the "Account Options" area.
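The PowerShell check above and the per-account fix can be combined into one auditable script. The following is an added example, not part of the STIG text; it assumes the ActiveDirectory module (RSAT) is available, that the caller can read (and, for -Remediate, modify) user objects, and the OU path shown in the usage comments is a constructed placeholder.

```powershell
# Added example for this STIG check (not from the STIG itself).
# Assumes the ActiveDirectory module is installed and the caller has
# rights to read, and for -Remediate to modify, user objects.
Import-Module ActiveDirectory

function Get-NonSmartcardUser {
    [CmdletBinding()]
    param(
        # Optional OU to scope the search; default is the whole domain.
        [string]$SearchBase
    )
    # Same filter as the STIG check text: enabled accounts that do not
    # have "Smart card is required for interactive logon" set.
    $params = @{
        Filter     = { (Enabled -eq $true) -and (SmartcardLogonRequired -eq $false) }
        Properties = 'SmartcardLogonRequired'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADUser @params | Select-Object Name, SamAccountName, DistinguishedName
}

function Invoke-SmartcardLogonAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SearchBase,
        # When set, apply the STIG fix by enabling the account option.
        [switch]$Remediate
    )
    $findings = @(Get-NonSmartcardUser -SearchBase $SearchBase)
    if ($findings.Count -eq 0) {
        Write-Verbose 'No enabled accounts lack the smart card requirement: not a finding.'
        return
    }
    Write-Warning "Finding: $($findings.Count) enabled account(s) lack 'Smart card is required for interactive logon'."
    if ($Remediate) {
        foreach ($u in $findings) {
            # -WhatIf / -Confirm are honoured through ShouldProcess.
            if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Set SmartcardLogonRequired = $true')) {
                Set-ADUser -Identity $u.DistinguishedName -SmartcardLogonRequired $true
            }
        }
    }
    # Return the offending accounts so the caller can log or export them.
    $findings
}

# Audit only, scoped to a constructed placeholder OU:
# Invoke-SmartcardLogonAudit -SearchBase 'CN=Users,DC=example,DC=test' | Format-Table Name, DistinguishedName
# Preview the fix without changing anything:
# Invoke-SmartcardLogonAudit -Remediate -WhatIf
```

Run the audit without -Remediate first and review the returned list, since service or break-glass accounts may be exempted by organisational policy; any remaining account in the output is a finding under this rule.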