Check: AD.1033_2003
Windows 2003 DC STIG:
AD.1033_2003
(in version v6 r37)
Title
For unclassified systems, the directory server must be configured to use the CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. (Cat II impact)
Discussion
CTO 07-015 requires PKI authentication. PKI is a two-factor authentication technique, thus it provides a higher level of trust in the asserted identity than use of the username/password authentication technique.
Check Content
Use the following procedure to check a sample of accounts.
1. Open Active Directory Users and Computers.
2. Select the Users node.
3. For each user account sampled, right-click and select Properties.
4. Select the Account tab.
5. View the setting in the Account Options area.
6. Verify that the option “Smart card is required for interactive logon” is checked.
Fix Text
Configure all user accounts including administrator accounts in Active Directory to enable the option “Smart card is required for interactive logon”.
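The Check Content and Fix Text above can be carried out across the whole domain instead of a sample. The following PowerShell is an added example, not part of the STIG: it reads the "Smart card is required for interactive logon" option straight from the userAccountControl attribute (bit 0x40000, ADS_UF_SMARTCARD_REQUIRED) through System.DirectoryServices, so it works against a Windows 2003 domain without the ActiveDirectory module. It assumes the caller can read the domain naming context and, for the fix function, write userAccountControl.

```powershell
# Added example, not part of the STIG text. Audits every enabled user object for the
# smart card logon option and offers a remediation for a single account.
$SmartcardRequired = 0x40000    # ADS_UF_SMARTCARD_REQUIRED
$AccountDisabled   = 0x2        # ADS_UF_ACCOUNTDISABLE
$BitAnd = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND

function Get-UsersMissingSmartcardLogon {
    param(
        # Defaults to the domain naming context of the DC we are bound to.
        [string]$SearchBase = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    )
    $root     = [ADSI]"LDAP://$SearchBase"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Enabled user objects whose userAccountControl does NOT carry the smart card bit.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                       "(!(userAccountControl:${BitAnd}:=${SmartcardRequired}))" +
                       "(!(userAccountControl:${BitAnd}:=${AccountDisabled})))"
    $searcher.PageSize = 1000    # paged results, so large domains are not truncated
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName     = [string]$r.Properties['samaccountname'][0]
            DistinguishedName  = [string]$r.Properties['distinguishedname'][0]
            UserAccountControl = ('0x{0:X}' -f [int]$r.Properties['useraccountcontrol'][0])
        }
    }
}

# Fix Text equivalent for one account: set the smart card bit and leave every other
# userAccountControl flag untouched.
function Set-SmartcardLogonRequired {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $user = [ADSI]"LDAP://$DistinguishedName"
    $uac  = [int]$user.Properties['userAccountControl'].Value
    if (($uac -band $SmartcardRequired) -eq 0) {
        $user.Properties['userAccountControl'].Value = $uac -bor $SmartcardRequired
        $user.CommitChanges()
    }
}

# Every row returned is an open finding against AD.1033_2003.
Get-UsersMissingSmartcardLogon | Format-Table -AutoSize
```

Run the audit first and review the list before calling Set-SmartcardLogonRequired, since service accounts or accounts used for network-only logon may need a separate approach before the flag is forced on.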
Additional Identifiers
Rule ID: SV-28511r2_rule
Vulnerability ID: V-15488
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000765 | Implement multifactor authentication for access to privileged accounts. |
| CCI-000766 | Implement multifactor authentication for access to non-privileged accounts. |
| CCI-000767 | The information system implements multifactor authentication for local access to privileged accounts. |
| CCI-000768 | The information system implements multifactor authentication for local access to non-privileged accounts. |
| CCI-001948 | The information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |