Navigate

Check: WN10-PK-000010

Microsoft Windows 10 STIG: WN10-PK-000010 (in versions v2 r9 through v2 r6)

Title

The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems. (Cat II impact)

Discussion

To ensure secure websites protected with External Certificate Authority (ECA) server certificates are properly validated, the system must trust the ECA Root CAs. The ECA root certificates will ensure the trust chain is established for server certificates issued from the External CAs. This requirement only applies to unclassified systems.

Check Content

Verify the ECA Root CA certificates are installed on unclassified systems as Trusted Root Certification Authorities. Run "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*ECA*" | FL Subject, Thumbprint, NotAfter If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding. Subject: CN=ECA Root CA 4, OU=ECA, O=U.S. Government, C=US Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582 NotAfter: 12/30/2029 Alternately use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". For each of the ECA Root CA certificates noted below: Right-click on the certificate and select "Open". Select the "Details" Tab. Scroll to the bottom and select "Thumbprint". If the ECA Root CA certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. ECA Root CA 4 Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582 Valid to: Sunday, December 30, 2029

Fix Text

Install the ECA Root CA certificate on unclassified systems. ECA Root CA 4 The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. Certificate bundles published by the PKI can be found at https://crl.gds.disa.mil/.

Additional Identifiers

Rule ID: SV-220904r894652_rule

Vulnerability ID: V-220904

Group Title: SRG-OS-000066-GPOS-00034

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000185	The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
IA-5 (2)	Pki-Based Authentication