Check: WN16-DC-000401
Microsoft Windows Server 2016 STIG: WN16-DC-000401 (in version v2 r10)
Title
Windows Server 2016 must be configured for name-based strong mappings for certificates. (Cat I impact)
Discussion
Weak mappings give rise to security vulnerabilities and demand hardening measures. Certificate names must be correctly mapped to the intended user account in Active Directory. A lack of strong name-based mappings allows certain weak certificate mappings, such as Issuer/Subject AltSecID and User Principal Names (UPN) mappings, to be treated as strong mappings.
Check Content
This requirement is not applicable for Member Servers.
Note: This requirement is a permanent finding for Server 2016 domain controllers per DOD CIO Memo "Upgrading of MS Domain Controller OS to MS Server 2019 or Later" (CIO000911-23).
If the server is acting as a domain controller, this is a finding.
Fix Text
For servers acting as a domain controller, upgrade the operating system to Microsoft Server 2019 or greater.
Additional Identifiers
Rule ID: SV-271430r1059573_rule
Vulnerability ID: V-271430
Group Title: SRG-OS-000080-GPOS-00048
CCIs
Number | Definition |
---|---|
CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 | Access Enforcement |