UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).


Overview

Finding ID Version Rule ID IA Controls Severity
V-73615 WN16-DC-000300 SV-88279r1_rule High
Description
A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions.
STIG Date
Windows Server 2016 Security Technical Implementation Guide 2017-05-18

Details

Check Text ( C-73697r2_chk )
This applies to domain controllers. It is NA for other systems.

Review user account mappings to PKI certificates.

Open "PowerShell".

Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled".

Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.

If the User Principal Name (UPN) is not in the format of an individual's Electronic Data Interchange - Personnel Identifier (EDI-PI) and the appropriate domain suffix, this is a finding.

NIPRNet Example: User1 1234567890@mil

See PKE documentation for other network domain suffixes.

If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.
Fix Text (F-80065r1_fix)
Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details.