20.11 Ensure 'Active Directory user accounts are configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.' (STIG DC only)

Information

This policy setting ensures that all Active Directory user accounts, including administrators, are configured to use a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.

Rationale:

Requiring two-factor authentication provides a higher level of security, and therefore credentials are less likely to be compromised.

Impact:

Users will have to carry a form of two-factor authentication.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To configure all user accounts, including administrator accounts, in Active Directory to enable the option 'Smart card is required for interactive logon', do the following:

Open Active Directory Users and Computers

Right-click the user account and select Properties

Select the Account tab

Ensure 'Smart card is required for interactive logon' is checked
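Because Nessus does not perform this check, the following PowerShell is an added example (not part of this audit item or the STIG) that reports enabled AD user accounts missing the setting. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain; the remediation line at the end is commented out and uses -WhatIf.

```powershell
# Added example: audit enabled AD user accounts for 'Smart card is required for
# interactive logon'. Assumes the ActiveDirectory RSAT module is available.
Import-Module ActiveDirectory

# The checkbox maps to the SMARTCARD_REQUIRED bit (0x40000) in userAccountControl;
# both the boolean property and the raw bit are checked so the two can be cross-validated.
$SmartcardRequiredFlag = 0x40000

# Scope with -SearchBase if a whole-domain query is too broad for the environment.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties SmartcardLogonRequired, userAccountControl, LastLogonDate

$report = foreach ($u in $users) {
    $bitSet = ($u.userAccountControl -band $SmartcardRequiredFlag) -ne 0
    [pscustomobject]@{
        SamAccountName         = $u.SamAccountName
        DistinguishedName      = $u.DistinguishedName
        SmartcardLogonRequired = [bool]$u.SmartcardLogonRequired
        UacBitSet              = $bitSet
        LastLogonDate          = $u.LastLogonDate
        # Compliant only when the property and the UAC bit agree that smart card is required.
        Compliant              = ([bool]$u.SmartcardLogonRequired -and $bitSet)
    }
}

$nonCompliant = @($report | Where-Object { -not $_.Compliant })
$nonCompliant | Sort-Object SamAccountName | Format-Table -AutoSize
"Non-compliant enabled accounts: $($nonCompliant.Count) of $($report.Count)"

# Keep an evidence file for the finding; accounts exempted under local policy should be
# recorded against this list rather than silently excluded from the query.
$nonCompliant | Export-Csv -Path .\WN16-DC-000310-noncompliant.csv -NoTypeInformation

# Remediation for reviewed accounts only. Remove -WhatIf after validating the list above.
# $nonCompliant | ForEach-Object {
#     Set-ADUser -Identity $_.DistinguishedName -SmartcardLogonRequired $true -WhatIf
# }
```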

Default Value:

N/A

Additional Information:

Microsoft Windows Server 2016 Security Technical Implementation Guide:

Version 2, Release 2, Benchmark Date: May 04, 2021
Vul ID: V-224994

Rule ID: SV-224994r569186_rule

STIG ID: WN16-DC-000310

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/3476

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2), CSCv7|16.3

Plugin: Windows

Control ID: 61e357df4154b5fc27bc83a6ce5f99c591b531e1f12a793161461d9ddfa499cf