| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-224992 | CAT I | MONT-VSF-004 | Microsoft Windows Server 2016 Security T... | Domain Controller PKI certificates must be issued ... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Run "MMC". Select "Add/Remove Snap-in" from the "File" menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account" and click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. In the right pane, examine the "Issued By" field for the certificate to determine the issuing CA. If the "Issued By" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DoD PKI or an approved ECA, this is a finding. If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE: http://iase.disa.mil/pki-pke/function_pages/tools.html Fix TextObtain a server certificate for the domain controller issued by the DoD PKI or an approved ECA. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-VSF-004/Checklist/MONT-VSF-004_WinServer2016_V2R10_20251023-143909.ckl
Scan Date: 2026-01-14T12:57:30.046447
Technology Area: Windows Operating System
|
||||||||
| V-224992 | CAT I | MONT-VSF-003 | Microsoft Windows Server 2016 Security T... | Domain Controller PKI certificates must be issued ... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Run "MMC". Select "Add/Remove Snap-in" from the "File" menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account" and click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. In the right pane, examine the "Issued By" field for the certificate to determine the issuing CA. If the "Issued By" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DoD PKI or an approved ECA, this is a finding. If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE: http://iase.disa.mil/pki-pke/function_pages/tools.html Fix TextObtain a server certificate for the domain controller issued by the DoD PKI or an approved ECA. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-VSF-003/Checklist/MONT-VSF-003_WinServer2016_V2R10_20251023-143935.ckl
Scan Date: 2026-01-14T12:57:31.534241
Technology Area: Windows Operating System
|
||||||||
| V-224992 | CAT I | MONT-MB-002 | Microsoft Windows Server 2016 Security T... | Domain Controller PKI certificates must be issued ... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Run "MMC". Select "Add/Remove Snap-in" from the "File" menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account" and click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. In the right pane, examine the "Issued By" field for the certificate to determine the issuing CA. If the "Issued By" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DoD PKI or an approved ECA, this is a finding. If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE: http://iase.disa.mil/pki-pke/function_pages/tools.html Fix TextObtain a server certificate for the domain controller issued by the DoD PKI or an approved ECA. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_WinServer2016_V2R10_20251023-152736.ckl
Scan Date: 2026-01-14T12:57:33.842838
Technology Area: Windows Operating System
|
||||||||
| V-224992 | CAT I | MONT-DP-001 | Microsoft Windows Server 2016 Security T... | Domain Controller PKI certificates must be issued ... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Run "MMC". Select "Add/Remove Snap-in" from the "File" menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account" and click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. In the right pane, examine the "Issued By" field for the certificate to determine the issuing CA. If the "Issued By" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DoD PKI or an approved ECA, this is a finding. If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE: http://iase.disa.mil/pki-pke/function_pages/tools.html Fix TextObtain a server certificate for the domain controller issued by the DoD PKI or an approved ECA. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-DP-001/Checklist/MONT-DP-001_WinServer2016_V2R10_20251023-144106.ckl
Scan Date: 2026-01-14T12:57:35.637816
Technology Area: Windows Operating System
|
||||||||
| V-224992 | CAT I | MONT-DC-003 | Microsoft Windows Server 2016 Security T... | Domain Controller PKI certificates must be issued ... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Run "MMC". Select "Add/Remove Snap-in" from the "File" menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account" and click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. In the right pane, examine the "Issued By" field for the certificate to determine the issuing CA. If the "Issued By" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DoD PKI or an approved ECA, this is a finding. If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE: http://iase.disa.mil/pki-pke/function_pages/tools.html Fix TextObtain a server certificate for the domain controller issued by the DoD PKI or an approved ECA. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7115114BC716F19307736882EE1C307D4B1D4754 ~~~~~ Compliant Certificates: --------------------------- Subject: CN=MONT-DC-003.MONTFORD-POINT.navy.mil, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US CertStore: LocalMachine\My Issuer: CN=DOD SW CA-67, OU=PKI, OU=DoD, O=U.S. Government, C=US FriendlyName: MONT-DC-003.MONTFORD-POINT.navy.mil NotAfter: 06/08/2026 17:58:05 Thumbprint: 09D2721B5061A5BD0B8E3C771D94CCF915BA291C KDCAuthKey: KDC Authentication (1.3.6.1.5.2.3.5) ApprovedChain: True CertificationPath... (0) - DoD Root CA 3 (1) - DOD SW CA-67 (2) - MONT-DC-003.MONTFORD-POINT.navy.mil
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServer2016_V2R10_20251023-172220.ckl
Scan Date: 2026-01-14T12:57:37.248886
Technology Area: Windows Operating System
|
||||||||
| V-224992 | CAT I | MONT-DB-002 | Microsoft Windows Server 2016 Security T... | Domain Controller PKI certificates must be issued ... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Run "MMC". Select "Add/Remove Snap-in" from the "File" menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account" and click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. In the right pane, examine the "Issued By" field for the certificate to determine the issuing CA. If the "Issued By" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DoD PKI or an approved ECA, this is a finding. If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE: http://iase.disa.mil/pki-pke/function_pages/tools.html Fix TextObtain a server certificate for the domain controller issued by the DoD PKI or an approved ECA. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-DB-002/Checklist/MONT-DB-002_WinServer2016_V2R10_20251023-144132.ckl
Scan Date: 2026-01-14T12:57:39.082634
Technology Area: Windows Operating System
|
||||||||
| V-224992 | CAT I | MONT-BE-002 | Microsoft Windows Server 2016 Security T... | Domain Controller PKI certificates must be issued ... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Run "MMC". Select "Add/Remove Snap-in" from the "File" menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account" and click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. In the right pane, examine the "Issued By" field for the certificate to determine the issuing CA. If the "Issued By" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DoD PKI or an approved ECA, this is a finding. If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE: http://iase.disa.mil/pki-pke/function_pages/tools.html Fix TextObtain a server certificate for the domain controller issued by the DoD PKI or an approved ECA. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_WinServer2016_V2R10_20251023-143943.ckl
Scan Date: 2026-01-14T12:57:41.363810
Technology Area: Windows Operating System
|
||||||||
| V-224992 | CAT I | MONT-AP-002 | Microsoft Windows Server 2016 Security T... | Domain Controller PKI certificates must be issued ... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Run "MMC". Select "Add/Remove Snap-in" from the "File" menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account" and click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. In the right pane, examine the "Issued By" field for the certificate to determine the issuing CA. If the "Issued By" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DoD PKI or an approved ECA, this is a finding. If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE: http://iase.disa.mil/pki-pke/function_pages/tools.html Fix TextObtain a server certificate for the domain controller issued by the DoD PKI or an approved ECA. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-AP-002/Checklist/MONT-AP-002_WinServer2016_V2R10_20251023-144214.ckl
Scan Date: 2026-01-14T12:57:42.721079
Technology Area: Windows Operating System
|
||||||||