Information
This policy setting ensures that all Active Directory user accounts, including administrators, are configured to use a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
Rationale:
Requiring two-factor authentication provides a higher level of security, and therefore credentials are less likely to be compromised.
Impact:
Users will have to carry a form of two-factor authentication.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To configure all user accounts in Active Directory, including administrator accounts, to enable the option "Smart card is required for interactive logon", do the following:
1. Open Active Directory Users and Computers.
2. Right-click the user account and select Properties.
3. Select the Account tab.
4. Ensure "Smart card is required for interactive logon" is checked.
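Because this check is not automated, the same setting can be audited across the whole domain rather than one account at a time. The script below is an added example, not part of the benchmark or the STIG; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that it is run with rights to read, and for the last step modify, user objects.

```powershell
# Added example: list enabled user accounts that do NOT have
# "Smart card is required for interactive logon" set.
Import-Module ActiveDirectory

# userAccountControl bit flags
$SMARTCARD_REQUIRED = 0x40000   # 262144
$ACCOUNTDISABLE     = 0x2

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so each
# clause tests a single bit of userAccountControl on the server side.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=$SMARTCARD_REQUIRED))" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=$ACCOUNTDISABLE)))"

$nonCompliant = Get-ADUser -LDAPFilter $filter `
        -Properties SmartcardLogonRequired, adminCount, LastLogonDate |
    Select-Object SamAccountName, DistinguishedName, SmartcardLogonRequired,
        # adminCount = 1 marks accounts that are, or once were, members of a
        # protected (administrative) group.
        @{ Name = 'Privileged'; Expression = { $_.adminCount -eq 1 } },
        LastLogonDate |
    Sort-Object Privileged -Descending

$nonCompliant | Format-Table -AutoSize
"{0} enabled account(s) do not require a smart card." -f @($nonCompliant).Count

# Remediation preview. -WhatIf only reports what would change; remove it to
# apply. Enabling the flag replaces the account's password with a random
# value, so confirm each account has a working smart card first.
$nonCompliant | ForEach-Object {
    Set-ADUser -Identity $_.DistinguishedName -SmartcardLogonRequired $true -WhatIf
}
```

An empty result from the query means every enabled user account in the domain has the option set.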
Default Value:
N/A
Additional Information:
Microsoft Windows Server 2016 Security Technical Implementation Guide:
Version 2, Release 2, Benchmark Date: May 04, 2021
Vul ID: V-224994
Rule ID: SV-224994r569186_rule
STIG ID: WN16-DC-000310
Severity: CAT II