Detections
Analytics
WINPK-000003 - The DoD Interoperability Root CA cross-certificates must be installed.
Information
To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Install the DoD Interoperability Root CA cross-certificates on unclassified systems.Issued To - Issued By - Thumbprint
DoD Root CA 2 - DoD Interoperability Root CA 1 - 99C494ECE4FC093EEE13C4D65B1B1E01B9B5D434
DoD Root CA 3 - DoD Interoperability Root CA 2 - FFAD03329B9E527A43EEC66A56F9CBB5393E6E13
DoD Root CA 3 - DoD Interoperability Root CA 2 - FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4
Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user.
The FBCA Cross-Certificate Remover tool and user guide is available on IASE at http-//iase.disa.mil/pki-pke/Pages/tools.aspx.
See Also
http://iasecontent.disa.mil/stigs/zip/Oct2016/U_Windows_Vista_V6R41_STIG.zip
Item Details
Audit Name: DISA Windows Vista STIG v6r41
Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|IA-5(2)(a), 800-53|SC-23(5), CAT|II, CCI|CCI-000185, CCI|CCI-002470, Rule-ID|SV-42604r5_rule, STIG-ID|WINPK-000003, Vuln-ID|V-32274
Plugin: Windows
Control ID: 1fa1fae141ac0313c917b377c710c189349213cfc079f3352071fc7d5e6ee327