Rule ID
SV-271429r1137691_rule
Version
V3R8
CCIs
Discussion
Weak mappings give rise to security vulnerabilities and demand hardening measures. Certificate names must be correctly mapped to the intended user account in Active Directory. A lack of strong name-based mappings allows certain weak certificate mappings, such as Issuer/Subject AltSecID and User Principal Name (UPN) mappings, to be treated as strong mappings.
Check Text
This applies to domain controllers. This is not applicable for member servers.

Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Administrative Template >> System >> KDC >> Allow name-based strong mappings for certificates.

Or, using the registry, check HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters, Key: UseStrongNameMatches.

Or, using GPRESULT, check the applicable GPO for "Allow name-based strong mappings for certificates".

If "Allow name-based strong mappings for certificates" is not "Enabled", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Administrative Template >> System >> KDC >> Allow name-based strong mappings for certificates to "Enabled".
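The registry form of the check above, written as a PowerShell audit script. This is an added example, not part of the STIG text or any DISA tooling. It uses the registry path and value name the check text gives; it assumes a REG_DWORD value of 1 means "Enabled" (the STIG text names the policy state, not the numeric encoding), and it treats the host as not applicable unless it is a domain controller, as the check text requires.

```powershell
# Added example: audit "Allow name-based strong mappings for certificates" on a
# domain controller by reading the registry location named in the check text.
# Assumptions (not stated by the STIG): REG_DWORD 1 = "Enabled"; any other
# value or an absent value is reported as a finding.

$RegPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$RegName = 'UseStrongNameMatches'
$RuleId  = 'SV-271429r1137691_rule'

function Test-IsDomainController {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    return (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2
}

function Get-StrongNameMappingSetting {
    # Returns the DWORD value, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$RegName
}

function Invoke-StrongNameMappingCheck {
    if (-not (Test-IsDomainController)) {
        return [pscustomobject]@{
            RuleId = $RuleId; Status = 'Not_Applicable'; Value = $null
            Detail = 'Host is not a domain controller; check does not apply'
        }
    }

    $value = Get-StrongNameMappingSetting
    if ($null -eq $value) {
        $status = 'Open'
        $detail = "Value '$RegName' not present under $RegPath (policy not configured)"
    }
    elseif ($value -eq 1) {
        $status = 'NotAFinding'
        $detail = 'Policy is Enabled'
    }
    else {
        $status = 'Open'
        $detail = "Value is $value; expected 1 (Enabled, assumed encoding)"
    }

    [pscustomobject]@{ RuleId = $RuleId; Status = $status; Value = $value; Detail = $detail }
}

# Local registry state reflects the effective GPO only after policy refresh;
# to confirm which GPO delivered the setting, the check text also allows
# "gpresult" (for example: gpresult /scope computer /h gpreport.html).
Invoke-StrongNameMappingCheck | Format-List
```

Remediate through Group Policy as the Fix Text directs rather than by writing the registry value locally: a local write is overwritten at the next policy refresh if the GPO is absent, so the script would report the host compliant only until then.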