STIGQter: STIG Summary: Active Directory Domain Security Technical Implementation Guide (STIG) Version: 2 Release: 13 Benchmark Date: 26 Apr 2019:

All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days.

DISA Rule

SV-87467r1_rule

Vulnerability Number

V-72821

Group Title

AD.0016

Rule Version

AD.0016

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Windows Server 2016 with a domain functional level of Windows Server 2016:

Open "Active Directory Administrative Center".

Right-click on the domain name and select "Properties".

Select "Enable rolling of expiring NTLM secrets during sign on, for users who are required to use Microsoft Passport or smart card for interactive sign on".

Active Directory domains not at a Windows Server 2016 domain functional level:

Rotate the NT hash for smart card-enforced accounts every 60 days.

This can be accomplished with the use of scripts.

DoD PKI-PKE has provided a script under PKI and PKE Tools at http://iase.disa.mil/pki-pke/Pages/tools.aspx. See the User Guide for additional information.

NSA has also provided a PowerShell script with Pass-the-Hash guidance at https://github.com/iadgov/Pass-the-Hash-Guidance. Running the "Invoke-SmartcardHashRefresh" cmdlet in the "PtHTools" module will trigger a change of the underlying NT hash. See the site for additional information.

Manually rolling the NT hash requires disabling and re-enabling the "Smart Card required for interactive logon" option for each smart card-enforced account, which is not practical for large groups of users.

Check Contents

Windows Server 2016 with a domain functional level of Windows Server 2016:

Open "Active Directory Administrative Center".

Right-click on the domain name and select "Properties".

If the "Domain functional level:" is not "Windows Server 2016", another method must be used to reset the NT hashes. See below for other options.

If the "Domain functional level:" is "Windows Server 2016" and "Enable rolling of expiring NTLM secrets during sign on, for users who are required to use Microsoft Passport or smart card for interactive sign on" is not checked, this is a finding.

Active Directory domains with a domain functional level below Windows Server 2016:

Verify the organization rotates the NT hash for smart card-enforced accounts every 60 days.

This can be accomplished with the use of scripts.

DoD PKI-PKE has provided a script under PKI and PKE Tools at http://iase.disa.mil/pki-pke/Pages/tools.aspx. See the User Guide for additional information.

NSA has also provided a PowerShell script with Pass-the-Hash guidance at https://github.com/iadgov/Pass-the-Hash-Guidance. Running the "Invoke-SmartcardHashRefresh" cmdlet in the "PtHTools" module will trigger a change of the underlying NT hash. See the site for additional information.

Manually rolling the NT hash requires disabling and re-enabling the "Smart Card required for interactive logon" option for each smart card-enforced account, which is not practical for large groups of users.

If NT hashes for smart card-enforced accounts are not rotated every 60 days, this is a finding.
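The Fix Recommendation and Check Contents above, carried out as one PowerShell script. This is an added example written for this page; it is not the DoD PKI-PKE tool, not NSA's Invoke-SmartcardHashRefresh, and not STIGQter code. The security point it addresses: when "Smart card is required for interactive logon" is set, the domain controller assigns the account a random password whose NT hash never changes on its own, so a hash captured once (for example from LSASS or a DC replication) stays valid for pass-the-hash until something rolls it; PasswordLastSet on such an account is therefore the age of its NT hash. The script assumes the ActiveDirectory RSAT module, a single-domain forest (Get-ADDomain without -Identity), an account allowed to modify user objects and the domain naming-context head, and that the ADAC check box is stored in the Windows Server 2016 schema attribute msDS-ExpirePasswordsOnSmartCardOnlyAccounts; the function names and the 60-day constant are this example's own.

```powershell
# Added example for AD.0016 (V-72821): report, and optionally remediate,
# NT hash age on smart card-enforced accounts. Not DISA, NSA or STIGQter code.
# Assumes: ActiveDirectory RSAT module, single-domain forest, and rights to
# modify user objects and the domain NC head.
Import-Module ActiveDirectory

$MaxHashAgeDays = 60                      # rotation interval required by the rule
$Dc = (Get-ADDomain).PDCEmulator          # pin every read and write to one DC

function Get-SmartCardHashStatus {
    # Every account with "Smart card is required for interactive logon" set.
    # SMARTCARD_REQUIRED is bit 0x40000 (262144) of userAccountControl; the
    # LDAP_MATCHING_RULE_BIT_AND OID (1.2.840.113556.1.4.803) tests it on the DC.
    $ldap = '(&(objectCategory=person)(objectClass=user)' +
            '(userAccountControl:1.2.840.113556.1.4.803:=262144))'
    Get-ADUser -Server $Dc -LDAPFilter $ldap -Properties PasswordLastSet |
        ForEach-Object {
            # Setting the flag makes the DC generate a random password, so
            # PasswordLastSet is when the current NT hash was created.
            $ageDays = if ($_.PasswordLastSet) {
                [int]((Get-Date) - $_.PasswordLastSet).TotalDays
            } else { $null }                # never set: treat as non-compliant
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Enabled         = $_.Enabled
                PasswordLastSet = $_.PasswordLastSet
                HashAgeDays     = $ageDays
                Compliant       = ($null -ne $ageDays) -and ($ageDays -le $MaxHashAgeDays)
            }
        }
}

function Get-DomainNtlmRollingStatus {
    # The ADAC check box "Enable rolling of expiring NTLM secrets during sign
    # on ..." is the boolean attribute msDS-ExpirePasswordsOnSmartCardOnlyAccounts
    # on the domain NC head (assumption stated in the lead-in). It only takes
    # effect at the Windows Server 2016 domain functional level or later.
    $domain  = Get-ADDomain -Server $Dc
    $head    = Get-ADObject -Server $Dc -Identity $domain.DistinguishedName `
                   -Properties 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'
    $level16 = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain
    $is2016  = [int]$domain.DomainMode -ge $level16
    $rolling = [bool]$head.'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'
    [pscustomobject]@{
        Domain         = $domain.DNSRoot
        DomainMode     = $domain.DomainMode
        RollingEnabled = $rolling
        Finding        = $is2016 -and -not $rolling    # check text: box unchecked at 2016 DFL
    }
}

function Invoke-Ad0016Remediation {
    # Report only unless -Remediate is given. With -Remediate: turn on the
    # domain-level rolling where the DFL allows it, then toggle the smart card
    # flag on each stale account so the DC issues a new random password (and
    # therefore a new NT hash), which is the manual method the STIG describes.
    param([switch]$Remediate)

    $domain = Get-DomainNtlmRollingStatus
    if ($domain.Finding -and $Remediate) {
        Set-ADObject -Server $Dc -Identity (Get-ADDomain -Server $Dc).DistinguishedName `
            -Replace @{ 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts' = $true }
    }

    # Domain-level rolling only happens "during sign on", so an account that has
    # not signed on still holds its old hash; the accounts below are rotated
    # regardless of the domain setting.
    foreach ($acct in (Get-SmartCardHashStatus | Where-Object { -not $_.Compliant })) {
        if ($Remediate) {
            Set-ADUser -Server $Dc -Identity $acct.SamAccountName -SmartcardLogonRequired $false
            Set-ADUser -Server $Dc -Identity $acct.SamAccountName -SmartcardLogonRequired $true
        }
        $acct
    }
}

# Usage: first a report, then the fix.
# Get-DomainNtlmRollingStatus
# Invoke-Ad0016Remediation | Format-Table
# Invoke-Ad0016Remediation -Remediate | Format-Table
```

Run the report-only form first and keep its output as the evidence the check asks for. Both writes in the toggle go to the same DC (-Server) so the second change cannot race replication of the first. Rotating the hash invalidates the old one, which is the intent of the rule, but anything still authenticating with NTLM under that account using the old secret stops working until the user signs on again with the card.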

Vulnerability Number

V-72821

Documentable

False

Rule Version

AD.0016

Severity Override Guidance

Same as "Check Contents" above.

Check Content Reference

M

Target Key

870

Comments