Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-26683 | DS00.2141_2008_R2 | SV-39016r3_rule | | High |
Description |
---|
A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. |
STIG | Date |
---|---|
Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide | 2017-02-27 |
Check Text (C-74039r1_chk) |
---|
Open "PowerShell" as Administrator. Enter "Import-Module ActiveDirectory". (This only needs to be run once during a PowerShell session.) Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled -AutoSize". Review the User Principal Name (UPN) of user accounts, including administrators. Exclude the built-in accounts such as Administrator and Guest. If the User Principal Name (UPN) is not in the format of an individual's Electronic Data Interchange - Personnel Identifier (EDI-PI) and the appropriate domain suffix, this is a finding. NIPRNET Example (Name - User Principal Name): User1 - 1234567890@mil. See PKE documentation for other network domain suffixes. If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding. |
Fix Text (F-80471r1_fix) |
---|
Map user accounts, including administrators, to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details. |
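
The review in the Check Text can be scripted so that only non-conforming accounts are listed. The PowerShell below is an added example, not part of the STIG. The function name Get-UpnFinding, the 10-digit EDI-PI length (taken from the 1234567890@mil example), the RID-based exclusion of built-in accounts, and the sample accounts are assumptions.

```powershell
# Added example (not STIG text). Lists accounts whose UPN is not
# <EDI-PI>@<suffix>. Assumption: the EDI-PI is 10 digits, as in the
# page's NIPRNET example 1234567890@mil.
function Get-UpnFinding {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$User,
        # Network domain suffix; 'mil' is the page's NIPRNET example.
        [string]$Suffix = 'mil'
    )
    begin {
        # [0-9] and \z keep the match strict: ASCII digits only, no trailing newline.
        $pattern = '^[0-9]{10}@' + [regex]::Escape($Suffix) + '\z'
    }
    process {
        # Assumption: built-ins are excluded by well-known RID
        # (500 = Administrator, 501 = Guest), so renamed built-ins are still skipped.
        if ("$($User.SID)" -match '-(500|501)$') { return }

        $upn = [string]$User.UserPrincipalName
        if ($upn -match $pattern) { return }

        $reason = 'UPN is not EDI-PI@' + $Suffix
        if (-not $upn) { $reason = 'UPN is empty' }

        New-Object PSObject -Property @{
            Name = $User.Name; UserPrincipalName = $upn
            Enabled = $User.Enabled; Reason = $reason
        } | Select-Object Name, UserPrincipalName, Enabled, Reason
    }
}

# Constructed sample accounts (not real data) so the function runs off-domain.
$dom = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    New-Object PSObject -Property @{ Name = 'Administrator'; UserPrincipalName = $null; Enabled = $true; SID = "${dom}-500" }
    New-Object PSObject -Property @{ Name = 'User1'; UserPrincipalName = '1234567890@mil'; Enabled = $true; SID = "${dom}-1104" }
    New-Object PSObject -Property @{ Name = 'User2'; UserPrincipalName = 'jsmith@example.mil'; Enabled = $true; SID = "${dom}-1105" }
    New-Object PSObject -Property @{ Name = 'User3'; UserPrincipalName = $null; Enabled = $false; SID = "${dom}-1106" }
)
$sample | Get-UpnFinding | Format-Table -AutoSize   # lists User2 and User3 only

# On a domain controller, feed it live accounts instead:
# Import-Module ActiveDirectory
# Get-ADUser -Filter * | Get-UpnFinding -Suffix 'mil' | Format-Table -AutoSize
```

The output covers only the UPN format. Which CA issued the mapped certificates still has to be reviewed separately.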