Information
This policy setting ensures that all Active Directory user accounts, including administrators, are configured to use a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
Rationale:
Requiring two-factor authentication provides a higher level of security, and therefore credentials are less likely to be compromised.
Impact:
Users will have to carry a form of two-factor authentication.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
To enable the option "Smart card is required for interactive logon" for all user accounts in Active Directory, including administrator accounts, do the following:
1. Open Active Directory Users and Computers.
2. Right-click the user account and select Properties.
3. Select the Account tab.
4. Ensure "Smart card is required for interactive logon" is checked.
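The same setting can be audited across the whole domain from PowerShell instead of one account at a time. The script below is an added example, not part of the benchmark text; it assumes the ActiveDirectory (RSAT) module is installed, and the function names Get-NonSmartcardUser and Enable-SmartcardRequirement are hypothetical.

```powershell
# Added example: find enabled user accounts that do not have
# "Smart card is required for interactive logon" set, and optionally set it.
Import-Module ActiveDirectory

function Get-NonSmartcardUser {
    param(
        [string]$SearchBase   # optional OU distinguished name; whole domain if omitted
    )
    # userAccountControl bits: 0x2 = ACCOUNTDISABLE, 0x40000 (262144) = SMARTCARD_REQUIRED.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $ldap = '(&(objectCategory=person)(objectClass=user)' +
            '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
            '(!(userAccountControl:1.2.840.113556.1.4.803:=262144)))'
    $params = @{
        LDAPFilter = $ldap
        Properties = 'SmartcardLogonRequired', 'LastLogonDate', 'adminCount'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params |
        Select-Object SamAccountName, DistinguishedName, LastLogonDate,
            SmartcardLogonRequired,
            @{ Name = 'Privileged'; Expression = { $_.adminCount -eq 1 } } |
        Sort-Object Privileged -Descending   # administrator accounts first
}

function Enable-SmartcardRequirement {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName
    )
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Require smart card logon')) {
            Set-ADUser -Identity $DistinguishedName -SmartcardLogonRequired $true
        }
    }
}

# Audit: any row returned is a non-compliant account.
$findings = Get-NonSmartcardUser
$findings | Format-Table SamAccountName, Privileged, LastLogonDate -AutoSize
"Non-compliant enabled accounts: $(@($findings).Count)"

# Dry run of the remediation; remove -WhatIf only after reviewing the list.
$findings | Enable-SmartcardRequirement -WhatIf
```

Setting the flag replaces the account's password with a random value, so confirm each user has a working smart card or token before removing `-WhatIf`.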
Default Value:
N/A
Additional Information:
Microsoft Windows Server 2019 Security Technical Implementation Guide:
Version 2, Release 1, Benchmark Date: November 13, 2020
Vul ID: V-205701
Rule ID: SV-205701r569188_rule
STIG ID: WN19-DC-000310
Severity: CAT II