Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-26683 | WN12-PK-000007-DC | SV-51191r3_rule | IAKM-1 IAKM-2 IATS-1 IATS-2 | High |
Description |
---|
A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. |
STIG | Date |
---|---|
Windows Server 2012 / 2012 R2 Domain Controller Security Technical Implementation Guide | 2014-12-18 |
Check Text ( C-46617r3_chk ) |
---|
Verify the source of PKI certificates associated with user accounts in active directory. Ask the administrator to identify one or more account entries in the directory for which a PKI certificate has been imported. Open Active Directory Users and Computers. (Available from various menus or run "dsa.msc".) Select the Users container or the OU in which user accounts have been identified. For each User account sampled, right click and select Properties. Select the Published Certificates tab. Examine the Issued By field for the certificates to determine the issuing CA. If the Issued By field of any PKI certificate being stored with an account does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding. |
Fix Text (F-44348r2_fix) |
---|
Replace unauthorized certificates associated with user accounts with ones issued by the DoD PKI or an approved External Certificate Authority. |