Windows Server running Active Directory Certificate Services (AD CS) must be managed by a PAW tier 0.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-269099 | AD.3150_AD | SV-269099r1026184_rule | High |
| Description |
| Verify that a site has set aside one or more PAWs for remote management of AD CS. |
| STIG | Date |
| Active Directory Forest Security Technical Implementation Guide | 2025-05-15 |
Details
| Check Text (C-73129r1026182_chk) |
| Verify that a site has set aside one or more PAWs for remote management of AD CS. A dedicated AD CS/CA Admin account that is only usable on tier 0 PAW or the ADCS server must be used to manage the certificate authority and approve requests. Review any available site documentation. Verify that any PAW used to manage high-value IT resources of a specific tier are used exclusively for managing high-value IT resources assigned to only one tier. If the site has not set aside one or more PAWs for remote management of AD CS, this is a finding. |
| Fix Text (F-73030r1026183_fix) |
| Configure and set aside one or more PAWs for configuration and management of AD CS. For AD, multiple configuration items could enable anonymous access. Set aside one or more PAWs for remote management of high-value IT resources assigned to a specific tier. For example, using the Microsoft Tier 0-2 model, each PAW would be assigned to manage Tier 0, Tier 1, or Tier 2 high-value IT resources. |