UCF STIG Viewer Logo

Other important accounts (VIPS and other administrators) that require smart cards must have the setting Smart card is required for interactive logon disabled and re-enabled at least every 60 days.


Overview

Finding ID Version Rule ID IA Controls Severity
V-43651 AD.0012 SV-56472r1_rule IAIA-1 Medium
Description
When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and associated NT hash are not changed as are accounts with passwords controlled by the maximum password age. Disabling and re-enabling the "Smart card is required for interactive logon" replaces the NT hash of the account with a newly randomized hash. Otherwise, the existing NT hash could be re-used for Pass-the-Hash in the future.
STIG Date
Active Directory Domain Security Technical Implementation Guide (STIG) 2014-04-01

Details

Check Text ( C-49397r3_chk )
Verify "Smart card is required for interactive logon" is disabled and re-enabled for all smart card required other important accounts (VIPS and other administrators) at least every 60 days. If the setting "Smart card is required for interactive logon" is not disabled then re-enabled for other important accounts (VIPS and other administrators) that require smart card logons at least every 60 days, this is a finding.
Fix Text (F-49251r3_fix)
Disable then re-enable "Smart card is required for interactive logon" for all smart card required other important accounts (VIPS and other administrators) at least every 60 days.