Windows Server 2016 must be configured for name-based strong mappings for certificates.

STIG ID: WN16-DC-000401  |  SRG: SRG-OS-000080-GPOS-00048 |  Severity: high |  CCI: CCI-000213 |  Vulnerability Id: V-271430

Vulnerability Discussion

Weak mappings give rise to security vulnerabilities and demand hardening measures. Certificate names must be correctly mapped to the intended user account in Active Directory. A lack of strong name-based mappings allows certain weak certificate mappings, such as Issuer/Subject AltSecID and User Principal Names (UPN) mappings, to be treated as strong mappings.

Check

This requirement is not applicable for Member Servers.

Note: This requirement is a permanent finding for server 2016 domain controllers per DOD CIO Memo Upgrading of MS Domain Controller OS to MS Server 2019 or Later (CIO000911-23).

If the server is acting as a domain controller, this is a finding.

Fix

For servers acting as a domain controller, upgrade the operating system to Microsoft Server 2019 or greater.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.