| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-269098 | CAT I | MONT-DC-003 | Active Directory Forest Security Technic... | Windows Server hosting Active Directory Certificat... | - | |||
Check TextCertificate templates with the following extended key usages AND that allow a requestor to supply the subject name in the request require manual approval. In the AD CS web server properties, select "VulnerableCertTemplate" properties. Verify that "Subject Name" and "Supply in the request" are selected. If "Subject Name" AND "Supply in the request" are selected and if manual approval is not required, this is a finding. If the "Supply in Request" is NOT selected, and the Enroll Permissions for the template have been limited to a select group of users/administrators, this is not a finding. Fix TextIn the AD CS web server properties, select "VulnerableCertTemplate" properties and then select "Subject Name" and "Supply in the request". Certificate templates with the following extended key usages must require manual approval in all cases: i. Smart Card Logon (1.3.6.1.4.1.311.20.2.2). ii. Any Purpose EKU (2.5.29.37.0). iii. No EKU set. i.e., this is a (subordinate) CA certificate. Certificate templates with the following extended key usages AND that allow a requestor to supply the subject name in the request must require manual approval: i. Client Authentication (1.3.6.1.5.5.7.3.2). ii. PKINIT Client Authentication (1.3.6.1.5.2.3.4). iii. Supply in request" setting: VulnerableCertTemplate Properties.
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADForest_V3R2_20251023-171845.ckl
Scan Date: 2026-01-14T12:57:36.607366
Technology Area: Domain Name System
|
||||||||