The directory server must be configured to use the CAC, PIV-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15488	WN12-PK-000008-DC	SV-51192r3_rule	IAIA-1 IAIA-2	Medium

Description
PKI is a two-factor authentication technique, thus it provides a higher level of trust in the asserted identity than use of the username/password authentication technique.

STIG	Date
Windows Server 2012 / 2012 R2 Domain Controller Security Technical Implementation Guide	2015-09-02

Details

Check Text ( C-46618r3_chk )
Use the following procedure to check a sample of accounts. Open Active Directory Users and Computers. (Available from various menus or run "dsa.msc".) Select the Users container or the OU in which user accounts have been identified. For each User account sampled, right click and select Properties. Select the Account tab. View the setting in Account Options area. Verify the option "Smart card is required for interactive logon" is checked. If accounts do not have "Smart card is required for interactive logon" selected, this is a finding.

Check Text ( C-46618r3_chk )

Use the following procedure to check a sample of accounts.

Open Active Directory Users and Computers. (Available from various menus or run "dsa.msc".)

Select the Users container or the OU in which user accounts have been identified.
For each User account sampled, right click and select Properties.
Select the Account tab.
View the setting in Account Options area.
Verify the option "Smart card is required for interactive logon" is checked.

If accounts do not have "Smart card is required for interactive logon" selected, this is a finding.

Fix Text (F-44349r2_fix)
Configure all user accounts, including administrator accounts, in Active Directory to enable the option "Smart card is required for interactive logon".