PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-26683 | WN12-PK-000007-DC | SV-51191r4_rule | High |
| Description |
|---|
| A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. |
| STIG | Date |
|---|---|
| Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide | 2017-02-27 |
Details
| Check Text ( C-74037r1_chk ) |
|---|
| Open "PowerShell" as Administrator. Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled" -AutoSize. Review the User Principal Name (UPN) of user accounts, including administrators. Exclude the built-in accounts such as Administrator and Guest. If the User Principal Name (UPN) is not in the format of an individual's Electronic Data Interchange - Personnel Identifier (EDI-PI) and the appropriate domain suffix, this is a finding. NIPRNET Example: Name - User Principal Name User1 - 1234567890@mil See PKE documentation for other network domain suffixes. If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding. |
| Fix Text (F-80469r1_fix) |
|---|
| Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details. |