PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-73615 | WN16-DC-000300 | SV-88279r1_rule | High |
| Description |
|---|
| A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. |
| STIG | Date |
|---|---|
| Windows Server 2016 Security Technical Implementation Guide | 2017-05-18 |
Details
| Check Text ( C-73697r2_chk ) |
|---|
| This applies to domain controllers. It is NA for other systems. Review user account mappings to PKI certificates. Open "PowerShell". Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled". Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. If the User Principal Name (UPN) is not in the format of an individual's Electronic Data Interchange - Personnel Identifier (EDI-PI) and the appropriate domain suffix, this is a finding. NIPRNet Example: User1 1234567890@mil See PKE documentation for other network domain suffixes. If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding. |
| Fix Text (F-80065r1_fix) |
|---|
| Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details. |