Check: WINPK-000004
Windows 2003 DC STIG:
WINPK-000004
(in version v6 r40)
Title
The US DoD CCEB Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store. (Cat II impact)
Discussion
To ensure users do not experience denial of service on NIPRNet when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CA 2, the US DoD CCEB Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed in the Untrusted Certificate Store. This requirement only applies to NIPRNet systems.
Check Content
Fix Text
Install the US DoD CCEB Interoperability Root CA 1 to DoD Root CA 2 cross-certificate on NIPRNet systems only. Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user. The FBCA Cross-Certificate Remover tool and user guide is available on IASE at http://iase.disa.mil/pki-pke/function_pages/tools.html.
Additional Identifiers
Rule ID: SV-52392r2_rule
Vulnerability ID: V-40237
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000185 |
For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
| CCI-002470 |
Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions. |