20.59 Ensure 'Software certificate installation files must be removed'

Information

This policy setting ensures that unauthorized certificate installation files (*.p12 and *.pfx) are not installed on the system.

*.p12 and *.pfx files are a binary format used for storing the server certificate, any intermediate certificates, and the private key into a single encryptable file.

The STIG recommended state for this setting is: Remove all *.p12 and *.pfx files.

Note: This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files.

Use of software certificates and their accompanying installation files for end users to access resources is less secure than the use of hardware-based certificates.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Remove any certificate installation files *.p12 and *.pfx found on a system.

Note: The Certificate Store can be loaded by executing the Microsoft Management Console (MMC) and loading the Certificates snap-in.

Note #2: This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. These must be documented with the ISSO.
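
The following PowerShell inventory is an added example, not part of the benchmark or the Nessus check. It lists *.p12 and *.pfx files on fixed local drives and reports whether Windows recognises each one as a PKCS#12 file, which helps separate real certificate installation files from the non-certificate .p12 files described in Note #2. The function name Get-P12Classification is hypothetical, and the script assumes an elevated session on the audited host.

```powershell
# Added example: inventory only, nothing is deleted or modified.
# Assumption: run from an elevated PowerShell session on the audited host.
$X509Type = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$PfxType  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx

# Hypothetical helper: asks Windows what the file content really is,
# independent of the file extension.
function Get-P12Classification {
    param([Parameter(Mandatory)][string]$Path)
    try {
        if ($X509Type::GetCertContentType($Path) -eq $PfxType) {
            return 'PKCS#12 certificate file'
        }
        return 'Other certificate format'
    } catch {
        # Thrown when the content is not a recognised certificate format
        # or the file cannot be read; review these by hand.
        return 'Not recognised as PKCS#12 (review manually)'
    }
}

# Fixed local disks only (DriveType 3); network and removable media are skipped.
$roots = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object { "$($_.DeviceID)\" }

$findings = Get-ChildItem -Path $roots -Recurse -File -Force `
        -Include '*.p12', '*.pfx' -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path           = $_.FullName
            SizeBytes      = $_.Length
            LastWriteTime  = $_.LastWriteTime
            Classification = Get-P12Classification -Path $_.FullName
        }
    }

$findings | Sort-Object Classification, Path | Format-Table -AutoSize -Wrap
```

Files classified as PKCS#12 are the removal candidates unless the server-based application exception applies; the remaining entries are the ones to document with the ISSO.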

Impact:

*.p12 and *.pfx will not be allowed on the system.

Note: This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. These must be documented with the ISSO.

See Also

https://workbench.cisecurity.org/benchmarks/15105

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: 3e60d4327b2f710f42bb4269ee4227def9b5bda7c2dce68d1c99bf86dbbc659e