V-269097
CAT II
Windows Server domain controllers must have Kerberos logging enabled with servers hosting Active Directory Certificate Services (AD CS).
- Ships Affected: 1
- Total Findings: 1
- Open: 1
- Closed: 0
Check Text
This applies to domain controllers only. It is not applicable for other systems. Verify the following is configured on the domain controller.
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon.
If "Audit Kerberos Authentication Service" and "Audit Kerberos Ticket Operations" are not set to "Success and Failure", this is a finding.
Fix Text
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon.
Configure "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations" to "Success and Failure".
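The check above can also be run from an elevated PowerShell prompt on the domain controller. The following is an added example, not part of the STIG text; it reads the effective audit policy with auditpol.exe, and the function name Test-KerberosAuditPolicy is hypothetical. It assumes the English (en-US) subcategory names that auditpol uses.

```powershell
# Added example (not from the STIG): flag any required Kerberos audit
# subcategory whose effective setting is not "Success and Failure".
# Assumptions: elevated session on the domain controller, en-US auditpol
# subcategory names. Test-KerberosAuditPolicy is a hypothetical name.
function Test-KerberosAuditPolicy {
    $required = 'Kerberos Authentication Service',
                'Kerberos Service Ticket Operations'

    foreach ($name in $required) {
        # /r makes auditpol emit CSV; drop blank lines before parsing.
        $rows = @(auditpol.exe /get /subcategory:"$name" /r |
            Where-Object { $_ } |
            ConvertFrom-Csv)

        # No rows means the query failed (not elevated, or a localized name).
        $setting = if ($rows.Count -gt 0) { $rows[0].'Inclusion Setting' } else { $null }

        [pscustomobject]@{
            Subcategory = $name
            Setting     = if ($setting) { $setting } else { 'Unknown (query failed)' }
            # Anything other than both Success and Failure is a finding,
            # including a query that returned nothing.
            Finding     = ($setting -ne 'Success and Failure')
        }
    }
}

$results = @(Test-KerberosAuditPolicy)
$results | Format-Table -AutoSize

if ($results.Finding -contains $true) {
    Write-Warning 'V-269097: at least one Kerberos audit subcategory is not set to "Success and Failure".'
}
```

auditpol reports the effective policy, so a value set locally can still be overwritten by a domain Group Policy at the next refresh.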
STIG Reference
- STIG: Active Directory Domain Security Technical Implementation Guide
- Version: 3
- Release: 7
- Rule ID: SV-269097r1026170_rule
All Occurrences
This vulnerability appears on 1 ship(s)
| Ship | Hull # | Source File | Status | Assigned To | Scan Date |
|---|---|---|---|---|---|
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADDomain_V3R5_20251023-171837.ckl | | Unassigned | 2026-01-14T12:57:36.435963 |