Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-73615 | WN16-DC-000300 | SV-88279r1_rule |  | High |
Description |
---|
A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. |
STIG | Date |
---|---|
Windows Server 2016 Security Technical Implementation Guide | 2017-05-18 |
Check Text ( C-73697r2_chk ) |
---|
This applies to domain controllers. It is NA for other systems. Review user account mappings to PKI certificates. Open "PowerShell". Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled". Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. If the User Principal Name (UPN) of any remaining account is not in the format of that individual's Electronic Data Interchange - Personnel Identifier (EDI-PI) followed by the appropriate domain suffix, this is a finding. NIPRNet example: Name "User1", UPN "1234567890@mil". See PKE documentation for other network domain suffixes. If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding. |
Fix Text (F-80065r1_fix) |
---|
Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details. |
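
The check and fix above boil down to one review: every enabled user account on the domain (krbtgt excluded) must carry a UPN of the form EDI-PI@suffix. The following PowerShell script is an added example, not part of the STIG text; it runs the same Get-ADUser query as the check, applies the exclusions the check describes, and lists the accounts whose UPN does not match. Two assumptions are not stated on the page: the EDI-PI is treated as exactly ten digits (inferred from the 1234567890@mil example), and the allowed suffix list defaults to "mil" only, so the $AllowedSuffixes parameter must be populated from PKE documentation for other networks.

```powershell
# Added example, not from the STIG. Flags enabled, non-krbtgt user accounts whose
# UPN is not in EDI-PI@suffix form, matching the review in the check text.
#
# Assumptions (not stated on the page):
#   - an EDI-PI is exactly ten decimal digits (inferred from 1234567890@mil)
#   - the default suffix list covers only the NIPRNet example "mil";
#     supply others from PKE documentation, e.g. -AllowedSuffixes 'mil','smil.mil'
param(
    [string[]]$AllowedSuffixes = @('mil')
)

Import-Module ActiveDirectory

# Build a pattern such as ^\d{10}@(mil|smil\.mil)$ from the allowed suffixes.
$suffixPattern = ($AllowedSuffixes | ForEach-Object { [regex]::Escape($_) }) -join '|'
$upnPattern    = "^\d{10}@($suffixPattern)$"

# Same query as the check text. Name, SamAccountName, Enabled and
# UserPrincipalName are in Get-ADUser's default property set.
$users = Get-ADUser -Filter *

$findings = $users |
    Where-Object { $_.Enabled -and $_.SamAccountName -ne 'krbtgt' } |   # exclusions from the check
    Where-Object { -not ($_.UserPrincipalName -match $upnPattern) } |  # a null UPN also fails and is flagged
    Select-Object Name, SamAccountName, UserPrincipalName, Enabled

if ($findings) {
    Write-Output "Enabled accounts whose UPN is not in EDI-PI@suffix form (review as a finding):"
    $findings | Format-Table -AutoSize
    exit 1
}
else {
    Write-Output "All enabled user accounts (krbtgt excluded) have a UPN in the expected form."
    exit 0
}
```

Run it on a domain controller from an elevated PowerShell session with the ActiveDirectory module available (for example `.\Check-Upn.ps1 -AllowedSuffixes 'mil'`). The script reports the mismatch only; whether a listed account is a CAT I or CAT II finding still depends on which CA issued the mapped certificate, as the check text describes, and that determination is manual.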