Microsoft Windows Server 2016 STIG Version Comparison

There are 2 differences between versions v2 r8 (May 15, 2024) (the "left" version) and v2 r10 (Jan. 15, 2025) (the "right" version).

Check WN16-DC-000401 was added to the benchmark in the "right" version.

This check's original form is available here.

Title

Windows Server 2016 must be configured for name-based strong mappings for certificates.

Check Content

This requirement is not applicable for Member Servers. Note: This requirement is a permanent finding for server 2016 domain controllers per DOD CIO Memo Upgrading of MS Domain Controller OS to MS Server 2019 or Later (CIO000911-23). If the server is acting as a domain controller, this is a finding.

Discussion

Weak mappings give rise to security vulnerabilities and demand hardening measures. Certificate names must be correctly mapped to the intended user account in Active Directory. A lack of strong name-based mappings allows certain weak certificate mappings, such as Issuer/Subject AltSecID and User Principal Names (UPN) mappings, to be treated as strong mappings.

Fix

For servers acting as a domain controller, upgrade the operating system to Microsoft Server 2019 or greater.