Skip to main content
CUI

STIG Rule - V-278161

Back to STIG Browser

V-278161

SV-278161r1182128_rule

CAT I

Windows Server 2025 PKI certificates associated with user accounts must be issued by a DOD PKI or an approved External Certificate Authority (ECA).

From: Microsoft Windows Server 2025 Security Technical Implementation Guide (V1R1)

Description

<VulnDiscussion>A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Check Procedure

This applies to domain controllers. It is not applicable for other systems. Review user account mappings to PKI certificates. Open PowerShell. Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled". Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding. For standard NIPRNet certificates, the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI). Alt Tokens and other certificates may use a different UPN format than the EDI-PI, which vary by organization. Verified these with the organization. NIPRNet example: Name - User Principal Name User1 - 1234567890@mil Refer to the PKE documentation for other network domain suffixes. If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.

Fix Text

Map user accounts to PKI certificates using the appropriate UPN for the network. Refer to the PKE documentation for details.

CCI Reference

CCI-000185
Created
2026-04-07 20:08:26
Last Updated
2026-04-07 20:08:26
Back to Browse
CUI