Navigate

Check: WN12-PK-000005-DC

Microsoft Windows Server 2012/2012 R2 Domain Controller STIG: WN12-PK-000005-DC (in versions v3 r7 through v2 r7)

Title

Domain controllers must have a PKI server certificate. (Cat II impact)

Discussion

Domain controller must have a server certificate to establish authenticity as part of PKI authentications in the domain.

Check Content

Verify the domain controller has a PKI server certificate. Run "mmc". Select "Add/Remove Snap-in" from the File menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account", click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage.", click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. If no certificate for the domain controller exists in the right pane, this is a finding.

Fix Text

Obtain a server certificate for the domain controller.

Additional Identifiers

Rule ID: SV-226264r794523_rule

Vulnerability ID: V-226264

Group Title: SRG-OS-000066-GPOS-00034

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000185	The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
IA-5 (2)	Pki-Based Authentication