Title

PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA). (Cat I impact)

Discussion

A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions.

Check Content

Verify the source of PKI certificates associated with user accounts in active directory. Ask the administrator to identify one or more account entries in the directory for which a PKI certificate has been imported. Open Active Directory Users and Computers. (Available from various menus or run "dsa.msc".) Select the Users container or the OU in which user accounts have been identified. For each User account sampled, right click and select Properties. Select the Published Certificates tab. Examine the Issued By field for the certificates to determine the issuing CA. If the Issued By field of any PKI certificate being stored with an account does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding.

Fix Text

Replace unauthorized certificates associated with user accounts with ones issued by the DoD PKI or an approved External Certificate Authority.

Additional Identifiers

Rule ID: SV-54957r1_rule

Vulnerability ID: V-26683

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.