
Windows Server hosting Active Directory Certificate Services (AD CS) must enforce Certificate Authority (CA) certificate management approval for certificate requests.

An XCCDF Rule

Description

<VulnDiscussion>When users request new certificates through AD CS, a certificate manager must approve each request and be aware that it was made. Without this control, a user or bad actor could request certificates they are not entitled to and obtain credentials for identities or purposes they should not have access to.</VulnDiscussion><Documentable>false</Documentable>

ID
SV-269098r1028085_rule
Severity
High



Remediation - Manual Procedure

In the Certificate Templates console (certtmpl.msc), open the properties of each template that lets the requester supply the subject (the "Subject Name" tab is set to "Supply in the request"; "VulnerableCertTemplate" is the example template name used here). On the "Issuance Requirements" tab, select "CA certificate manager approval" so that every request against the template is held as pending until a certificate manager explicitly issues it.

Certificate templates with the following extended key usages must require CA certificate manager approval in all cases, whether or not the subject is supplied in the request:
  i. Smart Card Logon (1.3.6.1.4.1.311.20.2.2).
 ii. Any Purpose EKU (2.5.29.37.0).
iii. No EKU set (a certificate without an EKU is valid for any purpose, which is how subordinate CA certificates are typically issued).
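The following PowerShell audit is an added example and is not part of the STIG text or DISA's check/fix scripts. It reads the templates from the Configuration partition and flags any template that allows the enrollee to supply the subject, carries one of the EKUs listed above, or has no EKU at all, but does not have "CA certificate manager approval" set. It assumes the RSAT ActiveDirectory module, read access to the Configuration partition and, for -Remediate, write access to the template objects (normally Enterprise Admins). The bit values are taken from MS-CRTD: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) in msPKI-Certificate-Name-Flag and CT_FLAG_PEND_ALL_REQUESTS (0x2) in msPKI-Enrollment-Flag. The function name and output fields are this example's own choices.

```powershell
# Added example (not DISA's code): audit AD CS templates for missing
# "CA certificate manager approval". Assumes RSAT ActiveDirectory and
# read access to the Configuration naming context.
Import-Module ActiveDirectory

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # "Subject Name" tab: "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # "Issuance Requirements" tab: "CA certificate manager approval"

# EKUs the rule says must always require manual approval. A template with no
# EKU at all is handled separately below.
$RiskyEkus = @{
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '2.5.29.37.0'            = 'Any Purpose'
}

function Get-TemplateApprovalFindings {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)   # without -Remediate the function only reports

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    # Names of templates that at least one enterprise CA actually publishes;
    # unpublished templates cannot be requested and are reported for triage only.
    $published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
        ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

    $templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','pKIExtendedKeyUsage'

    foreach ($t in $templates) {
        $nameFlag   = [int]$t.'msPKI-Certificate-Name-Flag'   # a missing attribute casts to 0
        $enrollFlag = [int]$t.'msPKI-Enrollment-Flag'
        $ekus       = @($t.pKIExtendedKeyUsage)

        $hasApproval   = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        $supplySubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0

        $riskyEkuNames = @($ekus | Where-Object { $RiskyEkus.ContainsKey($_) } |
                           ForEach-Object { $RiskyEkus[$_] })
        if ($ekus.Count -eq 0) { $riskyEkuNames += 'No EKU (any purpose, incl. subordinate CA)' }

        $reasons = @()
        if ($riskyEkuNames.Count -gt 0) { $reasons += "EKU: $($riskyEkuNames -join ', ')" }
        if ($supplySubject)             { $reasons += 'Enrollee supplies subject' }

        # Compliant if nothing risky, or if every request already goes to pending.
        if ($reasons.Count -eq 0 -or $hasApproval) { continue }

        $fixed = $false
        if ($Remediate -and $PSCmdlet.ShouldProcess($t.Name, 'Require CA certificate manager approval')) {
            # Same effect as ticking the checkbox in certtmpl.msc: OR the pend-all bit in.
            Set-ADObject -Identity $t.DistinguishedName `
                -Replace @{ 'msPKI-Enrollment-Flag' = ($enrollFlag -bor $CT_FLAG_PEND_ALL_REQUESTS) }
            $fixed = $true
        }

        [pscustomobject]@{
            Template        = $t.Name
            Published       = [bool]($t.Name -in $published)
            ManagerApproval = $hasApproval
            Reason          = $reasons -join '; '
            Remediated      = $fixed
        }
    }
}

# Report only; add -Remediate (or -Remediate -WhatIf) to change the templates.
Get-TemplateApprovalFindings | Format-Table -AutoSize
```

Run the report first and review the Published column: a finding on an unpublished template is low priority, while a published one is the condition the rule is written against. Writing the attribute with Set-ADObject is equivalent to the checkbox, but certtmpl.msc is the supported editor; after a scripted change, open the template there to confirm that "CA certificate manager approval" is shown as selected, and remember that the CA reads templates from Active Directory, so the change takes effect only after replication reaches the CA's domain controller.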