An error occurred:

Check: WINPK-000004

Windows XP STIG: WINPK-000004 (in versions v6 r1.32 through v1 r0)

Title

The US DoD CCEB Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store. (Cat II impact)

Discussion

To ensure users do not experience denial of service on NIPRNet when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CA 2, the US DoD CCEB Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed in the Untrusted Certificate Store. This requirement only applies to NIPRNet systems.

Check Content

Verify the DoD Root CA 2 certificate issued by US DoD CCEB Interoperability Root CA 1 is installed on NIPRNet systems as an Untrusted Certificate using the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Click "Add". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "Close". Click "OK". Expand "Certificates" and navigate to "Untrusted Certificates\Certificates". Search in the right pane for "DoD Root CA 2" under "Issued To" with "US DoD CCEB Interoperability Root CA 1" as "Issued By". If there is no entry for this certificate, this is a finding. Select the certificate. Right click and select "Open". Select the "Details" Tab. Scroll to the bottom and select "Thumbprint Algorithm". Verify the Value is "sha1". If the value for "Thumbprint Algorithm" is not "sha1", this is a finding. Next select "Thumbprint". If the value for the "Thumbprint" field is not "7d:a8:e8:42:96:ee:23:88:18:ee:42:72:87:77:45:08:b2:6d:09:4a", this is a finding.

Fix Text

Install the US DoD CCEB Interoperability Root CA 1 to DoD Root CA 2 cross-certificate on NIPRNet systems only. Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user. The FBCA Cross-Certificate Remover tool and user guide is available on IASE at http://iase.disa.mil/pki-pke/function_pages/tools.html.

Additional Identifiers

Rule ID: SV-52391r2_rule

Vulnerability ID: V-40237

Group Title: WNPK-000004

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
No CCIs are assigned to this check

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
No controls are assigned to this check