20.11 Ensure 'Active Directory user accounts are configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT)' (STIG DC only)

Information

This policy setting ensures that all Active Directory user accounts, including administrators, are configured to use a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.

Requiring two-factor authentication provides a higher level of security, and therefore credentials are less likely to be compromised.

Solution

To configure all user accounts, including administrator accounts in Active Directory to enable the option

Smart card is required for interactive logon

, do the following:

- Open

Active Directory Users and Computer

- Right click the

user account

and select

properties

- Select the

account tab

- Ensure

Smart card is required for interactive logon

is checked

Impact:

Users will have to carry a form of two-factor authentication.

See Also

https://workbench.cisecurity.org/benchmarks/18857

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2), CSCv7|16.3

Plugin: Windows

Control ID: 64802b12e745b3b01c89dccb34447c11953e0f70db933c640b71ec949197dafd