An error occurred:

Check: WN12-PK-000004

Microsoft Windows Server 2012/2012 R2 Member Server STIG: WN12-PK-000004 (in versions v3 r5 through v3 r1)

Title

The US DoD CCEB Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems. (Cat II impact)

Discussion

To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.

Check Content

Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate. Run "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 NotAfter: 8/26/2022 Alternately use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": Right-click on the certificate and select "Open". Select the "Details" Tab. Scroll to the bottom and select "Thumbprint". If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. Issued To: DoD Root CA 3 Issuer by: US DoD CCEB Interoperability Root CA 2 Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 Valid: Friday, August 26, 2022

Fix Text

Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems. Issued To - Issued By - Thumbprint DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 The certificates can be installed using the InstallRoot tool. The tool and user guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files.

Additional Identifiers

Rule ID: SV-225443r852241_rule

Vulnerability ID: V-225443

Group Title: SRG-OS-000066-GPOS-00034

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000185

For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.
CCI-002470

Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-5(2)

Pki-based Authentication
SC-23(5)

Allowed Certificate Authorities