Check: AD.0009
Active Directory Domain STIG:
AD.0009
(in versions v3 r5 through v2 r8)
Title
Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts. (Cat II impact)
Discussion
Keeping Enterprise Admin and Domain Admin credentials on a separate smart card prevents the EA/DA private keys from being exposed to less secure user platforms whenever the card is used for other accounts: once a card is inserted and its PIN entered on a workstation, that workstation can exercise every private key the card holds, not only the one for the account being used. Placing different certificates on one card therefore does not provide the necessary separation. The same smart card may be used by an administrator for both EA and DA accounts.
Check Content
Verify that the smart cards used for EA and DA accounts are separate from the smart cards used for any other accounts. EA and DA accounts may share one smart card, but that card must hold credentials for no other accounts. If EA and DA accounts are not on smart cards separate from those used for other accounts, this is a finding.
Fix Text
Use smart cards for EA and DA accounts that are separate from the smart cards used for any other accounts. EA and DA accounts may share one smart card, but that card must hold credentials for no other accounts.
Additional Identifiers
Rule ID: SV-243472r959010_rule
Vulnerability ID: V-243472
Group Title: SRG-OS-000480
CCIs
Number | Definition
---|---
CCI-000366 | Implement the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings