STIGQter: STIG Summary: Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide Version: 3 Release: 2 Benchmark Date: 04 May 2021:

Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).

DISA Rule

SV-226265r569184_rule

Vulnerability Number

V-226265

Group Title

SRG-OS-000066-GPOS-00034

Rule Version

WN12-PK-000006-DC

Severity

CAT I

CCI(s)

• CCI-000185 - The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.

Weight

10

Fix Recommendation

Obtain PKI certificates issued by the DoD PKI or an approved External Certificate Authority (ECA).

Severity Override Guidance: If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding.

IA Controls: IAKM-1, IAKM-2, IATS-1, IATS-2

Check Contents

Verify the source of the domain controller's server certificate.

Run "mmc".
Select "Add/Remove Snap-in" from the File menu.
Select "Certificates" in the left pane and click the "Add >" button.
Select "Computer Account", click "Next".
Select the appropriate option for "Select the computer you want this snap-in to manage.", click "Finish".
Click "OK".
Select and expand the Certificates (Local Computer) entry in the left pane.
Select and expand the Personal entry in the left pane.
Select the Certificates entry in the left pane.
In the right pane, examine the Issued By field for the certificate to determine the issuing CA.

If the Issued By field of the PKI certificate being used by the domain controller does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding.


There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained:

The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil.

DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE.
http://iase.disa.mil/pki-pke/function_pages/tools.html

Vulnerability Number

V-226265

Documentable

False

Rule Version

WN12-PK-000006-DC

Severity Override Guidance

Verify the source of the domain controller's server certificate.

Run "mmc".
Select "Add/Remove Snap-in" from the File menu.
Select "Certificates" in the left pane and click the "Add >" button.
Select "Computer Account", click "Next".
Select the appropriate option for "Select the computer you want this snap-in to manage.", click "Finish".
Click "OK".
Select and expand the Certificates (Local Computer) entry in the left pane.
Select and expand the Personal entry in the left pane.
Select the Certificates entry in the left pane.
In the right pane, examine the Issued By field for the certificate to determine the issuing CA.

If the Issued By field of the PKI certificate being used by the domain controller does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding.


There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained:

The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil.

DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE.
http://iase.disa.mil/pki-pke/function_pages/tools.html

Check Content Reference

M

Target Key

4217

Comments