Windows PAW V3R1

a

Administrators of high-value IT resources must complete required training.

AT-1 - Low - CCI-000101 - V-243442 - SV-243442r991589_rule

RMF Control

AT-1

Severity

L

CCI

CCI-000101

Version

WPAW-00-000100

Vuln IDs

V-243442
V-78141

Rule IDs

SV-243442r991589_rule
SV-92847

Required training helps to mitigate the risk of administrators not following required procedures. High-value IT resources are the most important and critical IT resources within an organization. They contain the most sensitive data in an organization, perform the most critical tasks of an organization, or have access to and can control all or nearly all IT resources within an organization. Requiring a PAW used exclusively for remote administrative management of designated high-value IT resources, including servers, workstations, directory services, applications, databases, and network components, will provide a separate "channel" for the performance of administrative tasks on high-value IT resources and isolate these functions from the majority of threats and attack vectors found on higher-risk standard client systems. A main security architectural construct of a PAW is to remove non-administrative applications and functions from the PAW. Technical controls for securing high-value IT resources will be ineffective if administrators are not aware of key security requirements.

Checks: C-46717r722895_chk

Review site training records and verify the organization's system administrators of high-value IT resources have received the following initial and annual training: - Remotely manage high-value IT resources only via a PAW. - Administrative accounts will not be used for non-administrative functions (for example, read email, browse Internet). If required training has not been completed by the organization's system administrators of high-value IT resources, this is a finding.

Fix: F-46674r722896_fix

Add the following topics to initial and annual update training modules for system administrators of high-value IT resources: - Remotely manage high-value IT resources only via a PAW. - Administrative accounts will not be used for non-administrative functions (for example, read email, browse Internet).

b

Site IT resources designated as high value by the Authorizing Official (AO) must be remotely managed only via a Windows privileged access workstation (PAW).

CM-6 - Medium - CCI-000366 - V-243443 - SV-243443r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-000200

Vuln IDs

V-243443
V-78143

Rule IDs

SV-243443r991589_rule
SV-92849

The AO must designate which IT resources are high value. The list must include the following IT resources: - Directory service (including Active Directory) - Cloud service - Identity management service - Privileged access management service - Credential management service - Security management service (anti-virus, network monitoring/scanning, IDS/IPS, etc.) - Any sensitive business/mission service - Any other IT resource designated as high value by the AO Note: A high-value IT resource is defined as any IT resource whose purpose is considered critical to the organization or whose loss or compromise would cause a significant impact on the organization. Note: Sensitive business/mission service is any business or mission service that needs additional protection from higher-risk IT services based on the nature of the function it provides; sensitivity of the data it consumes, processes, or stores; or criticality to the operation of the organization. High-value IT resources are the most important and critical IT resources within an organization. They contain the most sensitive data in an organization, perform the most critical tasks of an organization, or have access to and can control all or nearly all IT resources within an organization. Administrator accounts for high-value IT resources must be protected against various threats and attacks because threats to sensitive privileged accounts are high and risk of compromise is increasing. Requiring a PAW used exclusively for remote administrative management of designated high-value IT resources, including servers, workstations, directory services, applications, databases, and network components, will provide a separate "channel" for the performance of administrative tasks on high-value IT resources and isolate these functions from the majority of threats and attack vectors found on higher-risk standard client systems. Some IT resources, by the nature of the function they perform, should always be considered high value and should be remotely administered only via a PAW. The IT resources listed above are in this category. Note: The term "manage" in the Requirement statement includes any remote connection to a high-value IT resource (for example, to view resource status and current configuration or to make changes to any resource configuration).

Checks: C-46718r722898_chk

Review site documentation to confirm required high-value IT resources are remotely managed only via a PAW. Verify the site maintains a list of designated high-value IT resources and the list contains the following IT resources (if deployed at the site): - Active Directory - Cloud service - Identity management service - Privileged access management service - Credential management service - Security management service (anti-virus, network monitoring/scanning, IDS/IPS, etc.) - Any sensitive business/mission service - Any other IT resource designated as high value by the Authorizing Official (AO) Identify the PAWs set up to manage these high-value IT resources. If the organization does not maintain a list of designated high-value IT resources or has not set up PAWs to remotely manage its high-value IT resources, this is a finding.

Fix: F-46675r722899_fix

The Information System Security Manager (ISSM) or other site personnel will assist the Authorizing Official (AO) in designating and documenting which IT resources in the organization are high value. The organization's list of high-value IT resources will include the following: - Active Directory - Cloud service - Identity management service - Privileged access management service - Credential management service - Security management service (anti-virus, network monitoring/scanning, IDS/IPS, etc.) - Any sensitive business service - Any other IT resource designated as high value by the AO Set up procedures to ensure a Windows PAW is used to remotely manage each of these types of IT resources.

b

Administrative accounts of all high-value IT resources must be assigned to a specific administrative tier in Active Directory to separate highly privileged administrative accounts from less privileged administrative accounts.

CM-6 - Medium - CCI-000366 - V-243444 - SV-243444r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-000400

Vuln IDs

V-243444
V-78145

Rule IDs

SV-243444r991589_rule
SV-92851

Note: The Microsoft Tier 0-2 AD administrative tier model (https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM) is an example. A key security construct of a PAW is to separate administrative accounts into specific trust levels so that an administrator account used to manage an IT resource at one trust level cannot be used to manage IT resources at another trust level. This architecture protects IT resources in a tier from threats from higher-risk tiers. Isolating administrative accounts by forcing them to operate only within their assigned trust zone implements the concept of containment of security risks and adversaries within a specific zone. The Tier model prevents escalation of privilege by restricting what administrators can control and where they can log on.

Checks: C-46719r722901_chk

In Active Directory, verify an Organizational Unit (OU) and Group hierarchy have been set up to segregate administrative accounts used to manage both high-value IT resources and PAWs into assigned tiers. Verify each administrative account and each PAW has been assigned to one and only one tier. If the site has not set up a tier structure on Active Directory for administrative accounts used to manage either high-value IT resources or PAWs, this is a finding. If any administrative account used to manage either high-value IT resources or PAWs is assigned to more than one tier, this is a finding. If each administrative account and each PAW has not been assigned to one and only one tier, this is a finding.

Fix: F-46676r722902_fix

Set up an administrative tier model for the domain (for example, the Microsoft recommended Tier 0-2 AD administrative tier model). Note: Details of the Tier model are found at https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM. Set up an Admin Organizational Unit (OU) Framework to host site PAWs. (Recommend the Microsoft PAW scripts be used to set up the PAW OU and group framework. They can be downloaded at http://aka.ms/PAWmedia.) For example: - Admin\Tier 0\Accounts - Admin\Tier 1\Accounts - Admin\Tier 2\Accounts - Admin\Tier 0\Groups - Admin\Tier 1\Groups - Admin\Tier 2\Groups - Admin\Tier 0\Devices - Admin\Tier 1\Devices - Admin\Tier 2\Devices Note: If using the Microsoft scripts, after running the scripts, PAW Users Tier 0, PAW Users Tier 1, and PAW Users Tier 2 groups may need to be created under Admin/Tier 0/Groups, Admin/Tier 1/Groups, and Admin/Tier 2/Groups, respectively. Set up administrative accounts for each assigned administrator for high-value IT resources. Based on the list of high-value IT resources with assigned administrative tier level, move Tier 0-2 administrative accounts to the appropriate Organizational Units and add the appropriate members to the relevant groups. Make sure each account and group has been assigned to one and only one tier. (Reference-defined groups in the Active Directory Domain STIG)

b

A Windows PAW must only be used to manage high-value IT resources assigned to the same tier.

CM-6 - Medium - CCI-000366 - V-243445 - SV-243445r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-000500

Vuln IDs

V-243445
V-78147

Rule IDs

SV-243445r991589_rule
SV-92853

Note: Allowed exception - For sites that are constrained in the number of available workstations, an acceptable approach is to install lower-tier administrative accounts on a separate virtual machine (VM) on the PAW workstation where higher-tier administrative accounts are installed on the host OS and lower-tier administrative accounts are installed in a VM. The VM will provide acceptable isolation between administrative accounts of different tiers. Note: Relationship between the exception in WPAW-00-000500 and WPAW-00-001000 and requirement WPAW-00-001800: WPAW-00-000500 and WPAW-00-001000 allow an exception to the requirement for sites constrained in the number of available workstations. Lower-tier, high-value admin accounts can operate in a VM if the higher-tier, high-value admin accounts operate in the VM host-OS, but WPAW-00-001800 is more appropriate for a multiple PAW VM environment. If administrative accounts assigned to different tiers were installed on the same PAW, it would be impossible to isolate administrative accounts to specific trust zones and protect IT resources from one trust zone (tier) from threats from high-risk trust zones.

Checks: C-46720r722904_chk

Verify that a site has set aside one or more PAWs for remote management of high-value IT resources assigned to a specific tier. Review any available site documentation. Verify that any PAW used to manage high-value IT resources of a specific tier are used exclusively for managing high-value IT resources assigned to one and only one tier. If the site has not set aside one or more PAWs for remote management of high-value IT resources assigned to a specific tier, this is a finding. If PAWs used for managing high-value IT resources are used for additional functions, this is a finding.

Fix: F-46677r722905_fix

Set aside one or more PAWs for remote management of high-value IT resources assigned to a specific tier. For example, using the Microsoft Tier 0-2 model, each PAW would be assigned to manage either Tier 0, Tier 1, or Tier 2 high-value IT resources.

b

All high-value IT resources must be assigned to a specific administrative tier to separate highly sensitive resources from less sensitive resources.

CM-6 - Medium - CCI-000366 - V-243446 - SV-243446r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-000600

Vuln IDs

V-243446
V-78149

Rule IDs

SV-243446r991589_rule
SV-92855

Note: The Microsoft Tier 0-2 AD administrative tier model (https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM) is an example. A key security construct of a PAW is to separate high-value IT resources into specific trust levels so that if a device at one trust level is compromised the risk of compromise of more critical IT resources at a different tier is reduced. This architecture protects IT resources in a tier from threats from higher-risk tiers. Isolating administrative accounts by forcing them to operate only within their assigned trust zone implements the concept of containment of security risks and adversaries within a specific zone.

Checks: C-46721r722907_chk

Verify the site has assigned each high-value IT resource to an administrative tier level by reviewing the site's list of high-value IT resources. In Active Directory verify each high-value IT resource has been assigned to the Organizational Unit (OU) corresponding to the administrative tier the resource is assigned to. If the site has not assigned an administrative tier level to each high-value IT resource or any high-value IT resource is not assigned to the appropriate OU in Active Directory, this is a finding.

Fix: F-46678r722908_fix

Set up an administrative tier model for the domain (for example, the Microsoft-recommended Tier 0-2 AD administrative tier model). (Details of the Tier model are found at https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM.) Using the list of site designated high-value IT resources (see check WPAW-00-000200), indicate on the list the administrative Tier level the resource is assigned to. (Note: The updated list will be used in check WPAW-00-000400.) In Active Directory, assign all high-value IT resources to the appropriate Organizational Units (for example): - Admin\Tier 0\Devices - Admin\Tier 1\Devices - Admin\Tier 2\Devices

b

The Windows PAW must be configured with a vendor-supported version of Windows 11 and applicable security patches that are DOD approved.

CM-6 - Medium - CCI-000366 - V-243447 - SV-243447r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-000700

Vuln IDs

V-243447
V-78151

Rule IDs

SV-243447r991589_rule
SV-92857

Older versions of operating systems usually contain vulnerabilities that have been fixed in later released versions. In addition, most operating system patches contain fixes for recently discovered security vulnerabilities. Due to the highly privileged activities of a PAW, it must be maintained at the highest security posture possible and therefore must have one of the current vendor-supported operating system versions installed.

Checks: C-46722r921971_chk

Determine the current approved versions of Windows 11. Talk to the authorizing official (AO) staff, information system security manager (ISSM), or PAW system administrator to determine the approved versions of Windows 11. Review the configuration of the PAW and determine which version of Windows is installed on the PAW. Verify the installed Windows 11 version is an approved version. If the installed Windows 11 version on the PAW is not the same as an approved version, this is a finding.

Fix: F-46679r921972_fix

Install one of the current vendor-supported versions of Windows 11 on site PAWs, including the most recently released patches. Note: There is no central list in the DOD of "approved" operating system versions. The Microsoft website will list supported versions of Windows 11 and patches. If a STIG is available for one or more of the vendor-supported versions of Windows 11, the version can be considered to be DOD approved. Local AOs usually have implemented a procedure for testing Windows updates before they are deployed. Check with the local AO's staff to determine the latest approved version of Windows 11.

b

A Windows update service must be available to provide software updates for the PAW platform.

CM-6 - Medium - CCI-000366 - V-243448 - SV-243448r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-000800

Vuln IDs

V-243448
V-78153

Rule IDs

SV-243448r991589_rule
SV-92859

Older versions of operating systems usually contain vulnerabilities that have been fixed in later versions. In addition, most operating system patches contain fixes for recently discovered security vulnerabilities. Due to the highly privileged activities of a PAW, it must be maintained at the highest security posture possible and therefore must have the latest operating system updates installed. Because a PAW is isolated from online operating system update services, a software update service must be available on the intranet to manage operating system and other software updates for site PAWs. A separate software update service is not required at each tier.

Checks: C-46723r722913_chk

Verify an automated software update service is being used at the site to update the operating system of site PAWs. If an automated software update service is not set up and configured to provide updates to site PAWs, this is a finding.

Fix: F-46680r722914_fix

Install a Windows update service (for example, Microsoft WSUS or System Center Configuration Manager [SCCM]) to provide software updates to all Windows-based PAWs in the organization. Configure the Windows update service to download available operating system updates and install them when approved. Based on site policy, configure the Windows update service to either automatically approve new updates for installation or to not install updates until installation is initiated by an authorized PAW maintenance administrator. If WSUS is being used, configure Windows Update for WSUS on each PAW (use appropriate configuration procedures if an alternate Windows update service is used). Go to Computer Configuration\Administrative Templates\Windows Components\Windows Updates and follow the steps below: 1. Enable the Configure Automatic Updates policy. 2. Select option 4 - Auto download and schedule the install. 3. Change the option "Scheduled install day" to "0 - Every Day" and the option "Scheduled install time" to your organizational preference. 4. Enable option "Specify intranet Microsoft update service location" policy, and specify in both options the URL of the WSUS server.

b

The Windows PAW must be configured so that all non-administrative-related applications and functions are blocked or removed from the PAW platform, including but not limited to email, Internet browsing, and line-of-business applications.

CM-6 - Medium - CCI-000366 - V-243449 - SV-243449r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-001000

Vuln IDs

V-243449
V-78155

Rule IDs

SV-243449r991589_rule
SV-92861

Note: The intent of this requirement is that a PAW must not be used for any function not related to the management of high-value IT resources. Note: Authorized exception - It is noted that administrators will need access to non-administrative functions, such as email and the Internet, but a PAW must not be used for these activities. For sites that are constrained in the number of available workstations, an acceptable approach is to install the non-administrative services on a separate virtual machine (VM) on the workstation where the PAW service is installed. The VM will provide acceptable isolation between high-value administrative management accounts and non-administrative services. Note: Relationship between the exception in WPAW-00-000500 and WPAW-00-001000 and requirement WPAW-00-001800: WPAW-00-000500 and WPAW-00-001000 allow an exception to the requirement for sites constrained in the number of available workstations. Lower-tier, high-value admin accounts can operate in a VM if the higher-tier, high-value admin accounts operate in the VM host-OS, but WPAW-00-001800 is more appropriate for a multiple PAW VM environment. A main security architectural construct of a PAW is to remove non-administrative applications and functions from the PAW workstation. Many standard user applications and functions, including email processing, Internet browsing, and using business applications, can increase the security risk to the workstation. These apps and functions are susceptible to many security vulnerabilities, including phishing attacks and embedded malware. This increased risk is not acceptable for the highly privileged activities of a PAW.

Checks: C-46724r722916_chk

Note: Internet browsing is blocked using the PAW host-based firewall or by configuring a proxy address with a loopback address on the PAW. (See STIG check WPAW-00-002200.) Blocking Internet browsing does not need to be verified in this procedure. Review the services and applications installed on the PAW. Verify there are no email applications/clients and line-of-business applications installed on the PAW. If email applications/clients or line-of-business applications are installed on the PAW, this is a finding.

Fix: F-46681r722917_fix

Remove email applications and all line-of business applications from the PAW. Note: Internet browsing is blocked using the PAW host-based firewall or by configuring a proxy address with a loopback address on the PAW. (See STIG check WPAW-00-002200.)

b

Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard Code Integrity Policy).

CM-6 - Medium - CCI-000366 - V-243450 - SV-243450r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-001050

Vuln IDs

V-243450
V-78157

Rule IDs

SV-243450r991589_rule
SV-92863

A main security architectural construct of a PAW is to restrict non-administrative applications and functions from the PAW workstation. Many standard user applications and functions, including email processing, Internet browsing, and using business applications, can increase the security risk to the workstation. These apps and functions are susceptible to many security vulnerabilities, including phishing attacks and embedded malware. This increased risk is not acceptable for the highly privileged activities of a PAW.

Checks: C-46725r804959_chk

Note: This requirement is Not Applicable (NA) if the Endpoint Security Solution (ESS) managed system is used on the PAW and application white listing is enforced. Verify Device Guard is enforcing a code integrity policy to restrict authorized applications. Run "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | FL *codeintegrity*" If "CodeIntegrityPolicyEnforcementStatus" does not have a value of "2" indicating "Enforced", this is a finding. (For reference: 0 - Not Configured; 1 - Audit; 2 - Enforced) Alternately: - Run "System Information". - Under "System Summary", verify the following: If "Device Guard Code Integrity Policy" does not display "Enforced", this is finding.

Fix: F-46682r722920_fix

Implement a whitelist of authorized PAW applications using Device Guard. See the Device Guard Deployment Guide (https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide) for deployment information and hardware requirements and the IAD Device Guard document "Implementing a Secure Administrative Workstation using Device Guard" at https://github.com/iadgov/Secure-Host-Baseline/tree/master/Device%20Guard.

b

Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard User Mode Code Integrity).

CM-6 - Medium - CCI-000366 - V-243451 - SV-243451r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-001060

Vuln IDs

V-243451
V-78163

Rule IDs

SV-243451r991589_rule
SV-92869

A main security architectural construct of a PAW is to restrict non-administrative applications and functions from the PAW workstation. Many standard user applications and functions, including email processing, Internet browsing, and using business applications, can increase the security risk to the workstation. These apps and functions are susceptible to many security vulnerabilities, including phishing attacks and embedded malware. This increased risk is not acceptable for the highly privileged activities of a PAW.

Checks: C-46726r804961_chk

Note: This requirement is Not Applicable (NA) if the Endpoint Security Solution (ESS) managed system is used on the PAW and application white listing is enforced. Verify Device Guard is enforcing a code integrity policy to restrict authorized applications. Run "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | FL *codeintegrity*" If "UserModeCodeIntegrityPolicyEnforcementStatus" does not have a value of "2" indicating "Enforced", this is a finding. (For reference: 0 - Not Configured; 1 - Audit; 2 - Enforced) Alternately: - Run "System Information". - Under "System Summary", verify the following: If "Device Guard user mode Code Integrity" does not display "Enforced", this is finding.

Fix: F-46683r722923_fix

Implement a whitelist of authorized PAW applications using Device Guard. See the Device Guard Deployment Guide (https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide) for deployment information and hardware requirements and the IAD Device Guard document "Implementing a Secure Administrative Workstation using Device Guard" at https://github.com/iadgov/Secure-Host-Baseline/tree/master/Device%20Guard.

b

Windows PAWs must be restricted to only allow groups used to manage high-value IT resources and members of the local Administrators group to log on locally.

CM-6 - Medium - CCI-000366 - V-243452 - SV-243452r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-001100

Vuln IDs

V-243452
V-78165

Rule IDs

SV-243452r991589_rule
SV-92871

A main security architectural construct of a PAW is to limit users of the PAW to only administrators of high-value IT resources. This will mitigate some of the risk of attack on administrators of high-value IT resources.

Checks: C-46727r722925_chk

Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Allow log on locally" user right, this is a finding: - Administrators - Groups specifically designated to manage high-value IT resources

Fix: F-46684r722926_fix

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on locally" to only include the following groups or accounts: - Administrators - Groups specifically designated to manage high-value IT resources

b

The domain must be configured to restrict privileged administrator accounts from logging on to lower-tier hosts.

CM-6 - Medium - CCI-000366 - V-243453 - SV-243453r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-001200

Vuln IDs

V-243453
V-78167

Rule IDs

SV-243453r991589_rule
SV-92873

If the domain is not configured to restrict privileged administrator accounts from logging on to lower-tier hosts, it would be impossible to isolate administrative accounts to specific trust zones and protect IT resources from threats from high-risk trust zones. Blocking logon to lower-tier assets helps protect IT resources in a tier from being attacked from a lower tier.

Checks: C-46728r722928_chk

Verify domain systems are configured to prevent higher-tier administrative accounts from logging on to lower-tier hosts. This can be accomplished by adding the higher-tier administrative groups to the Deny log on user rights of the lower-tier system. These include the following user rights: Deny log on as a batch job Deny log on as a service Deny log on locally If domain systems are not configured to prevent higher-tier administrative accounts from logging on to lower-tier hosts, this is a finding. Domain and Enterprise Admins are currently required to be included in the appropriate deny user rights in the Windows STIGs for member servers and workstations. Note: Severity category exception - Upgrade to a CAT I finding if any Tier 0 administrative account used to manage high-value IT resources is able to log on to a lower-tier host.

Fix: F-46685r722929_fix

Configure domain systems to prevent higher-tier administrative accounts from logging on to lower-tier hosts. Assign higher-tier administrative groups to the Deny log on user rights of lower-tier hosts. This includes the following user rights: Deny log on as a batch job Deny log on as a service Deny log on locally Domain and Enterprise Admins are currently required to be included in the appropriate deny user rights in the Windows STIGs for member servers and workstations.

c

A Windows PAW used to manage domain controllers and directory services must not be used to manage any other type of high-value IT resource.

SC-2 - High - CCI-001082 - V-243454 - SV-243454r958514_rule

RMF Control

SC-2

Severity

H

CCI

CCI-001082

Version

WPAW-00-001300

Vuln IDs

V-243454
V-78169

Rule IDs

SV-243454r958514_rule
SV-92875

Domain controllers (DC) are usually the most sensitive, high-value IT resources in a domain. Dedicating a PAW to be used solely for managing domain controllers will aid in protecting privileged domain accounts from being compromised. For Windows, this includes the management of Active Directory itself and the DCs that run Active Directory, including such activities as domain-level user and computer management, administering trusts, replication, schema changes, site topology, domain-wide group policy, the addition of new DCs, DC software installation, and DC backup and restore operations.

Checks: C-46729r722931_chk

If domain controllers and directory services are only managed with local logons to domain controllers, not remotely, this requirement is not applicable. Discuss with the Information System Security Manager (ISSM) or PAW system administrators and review any available site documentation. Verify that a site has designated specific PAWs for the sole purpose of remote management of domain controllers and directory service servers. Review any available site documentation. Verify that any PAW used to manage domain controllers and directory services remotely are used exclusively for managing domain controllers and directory services. If the site has not designated specific PAWs for the sole purpose of remote management of domain controllers and directory service servers, this is a finding. If PAWs used for managing domain controllers and directory services are used for additional functions, this is a finding.

Fix: F-46686r722932_fix

Set aside one or more PAWs for remote management of Active Directory. Ensure they are used only for the purpose of managing directory services. Otherwise, use the local domain controller console to manage Active Directory.

b

PAWs used to manage Active Directory must only allow groups specifically designated to manage Active Directory, such as Enterprise and Domain Admins and members of the local Administrators group, to log on locally.

CM-6 - Medium - CCI-000366 - V-243455 - SV-243455r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-001400

Vuln IDs

V-243455
V-78171

Rule IDs

SV-243455r991589_rule
SV-92877

PAW platforms are used for highly privileged activities. The accounts that have administrative privileges on domain-level PAW platforms must not be used on or used to manage any non-domain-level PAW platforms. Otherwise, there would be a clear path for privilege escalation to Enterprise Admin (EA)/Domain Admin (DA) privileges.

Checks: C-46730r722934_chk

Verify on the PAW the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Allow log on locally" user right, this is a finding: - Administrators - Groups specifically designated to manage domain controllers and Active Directory

Fix: F-46687r722935_fix

Configure the group policy that applies to the PAW. Install only administrative accounts designated to be used to manage domain controllers and Active Directory remotely in the PAW User group on PAWs designated for the management of domain controllers and Active Directory. Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on locally" to only include the following groups or accounts: - Administrators - Groups specifically designated to manage domain controllers and Active Directory

b

In a Windows PAW, administrator accounts used for maintaining the PAW must be separate from administrative accounts used to manage high-value IT resources.

SC-2 - Medium - CCI-001082 - V-243456 - SV-243456r958514_rule

RMF Control

SC-2

Severity

M

CCI

CCI-001082

Version

WPAW-00-001500

Vuln IDs

V-243456
V-78173

Rule IDs

SV-243456r958514_rule
SV-92879

Note: PAW accounts used to manage high-value IT resources have privileged rights on managed systems but no administrative or maintenance rights on the PAW. They only have user rights on the PAW. PAW administrative/maintenance accounts only have administrative rights on a PAW and are used only to perform administrative functions on the PAW. PAW administrative/maintenance accounts are the only admin accounts that have admin rights on a PAW. It is not required that PAW administrative/maintenance accounts be organized by tier. The PAW platform should be protected from high-value IT resource administrators accidently or deliberately modifying the security settings of the PAW. Therefore, high-value IT resource administrators must not have the ability to perform maintenance functions on the PAW platform. Separate PAW admin accounts must be set up that only have rights to manage PAW platforms. PAW administrators have the capability to compromise Domain Admin accounts; therefore, personnel assigned as PAW administrators must be the most trusted and experienced administrators within an organization, at least equal to personnel assigned as domain administrators.

Checks: C-46731r722937_chk

Verify at least one group has been set up in Active Directory (usually Tier 0) for administrators responsible for maintaining PAW workstations (for example, PAW Maintenance group). Verify no administrator account or administrator account group has been assigned to both the group of PAW workstation administrators and any group for administrators of high-value IT resources. If separate PAW administrator groups and administrators of high-value IT resources have not been set up, this is a finding. If a member of any group of PAW maintenance administrators is also a member of any group of administrators of high-value IT resources, this is a finding.

Fix: F-46688r722938_fix

Set up separate domain administrative accounts to manage PAWs from domain administrative accounts used to manage high-value IT resources. Each of these accounts is not to be used for any other purpose. Note: Personnel assigned as PAW administrators should be the most trusted and experienced administrators within an organization.

b

The Windows PAW must be configured to enforce two-factor authentication and use Active Directory for authentication management.

IA-2 - Medium - CCI-000765 - V-243457 - SV-243457r997927_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000765

Version

WPAW-00-001600

Vuln IDs

V-243457
V-78175

Rule IDs

SV-243457r997927_rule
SV-92881

Due to the highly privileged functions of a PAW, a high level of trust must be implemented for access to the PAW, including nonrepudiation of the user session. One-factor authentication, including username and password and shared administrator accounts, does not provide adequate assurance.

Checks: C-46732r997925_chk

Review the configuration on the PAW. Verify group policy is configured to enable either smart card or another DOD-approved two-factor authentication method for site PAWs. - In Active Directory, go to Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. - Verify "Interactive logon: Require Windows Hello for Business or smart card" is set to "Enabled". If group policy is not configured to enable either smart card or another DOD-approved two-factor authentication method, this is a finding.

Fix: F-46689r997926_fix

In Active Directory, configure group policy to enable either smart card or another DOD-approved two-factor authentication method for all PAWs. - Go to Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. - Set "Interactive logon: Require Windows Hello for Business or smart card" to "Enabled".

c

The Windows PAW must use a trusted channel for all connections between a PAW and IT resources managed from the PAW.

CM-6 - High - CCI-000366 - V-243458 - SV-243458r991589_rule

RMF Control

CM-6

Severity

H

CCI

CCI-000366

Version

WPAW-00-001700

Vuln IDs

V-243458
V-78177

Rule IDs

SV-243458r991589_rule
SV-92883

Note: The Common Criteria Security Functional Requirement (SFR) FTP_ITC.1.1(1) defines "trusted channel" as "a channel that uses IPsec, SSH, TLS, or TLS/HTTPS to provide a trusted communications channel between itself and authorized IT entity that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure." The trusted channel uses IPsec, TLS, DTLS, or HTTPS as the protocol that preserves the confidentiality and integrity of PAW communications. The confidentiality and integrity of the communications between the PAW and high-value IT resources being managed from the PAW must be protected due to the highly sensitive nature of the administrative functions being performed. A trusted channel provides the requisite assured identification of its end points and protection of the channel data from modification or disclosure.

Checks: C-46733r722943_chk

On the PAW workstation, verify IPsec, SSH, TLS, or TLS/HTTPS is configured for all connections between the PAW and managed IT resources on the intranet. Verify the following registry setting: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value Type: REG_DWORD Value: 1 Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS; otherwise, the browser will not be able to connect to a secure site. If on the PAW workstation the registry value for HKEY_LOCAL_MACHINE does not exist or is not configured as specified, this is a finding.

Fix: F-46690r852042_fix

Configure the PAWs to use IPsec, SSH, TLS, or TLS/HTTPS for all connections between the PAW and managed IT resources on the intranet. Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled".

b

If several Windows PAWs are set up in virtual machines (VMs) on a host server, the host server must only contain PAW VMs.

CM-6 - Medium - CCI-000366 - V-243459 - SV-243459r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-001800

Vuln IDs

V-243459
V-78179

Rule IDs

SV-243459r991589_rule
SV-92885

A main security architectural construct of a PAW is to remove non-administrative functions from the PAW. Many standard user functions, including email processing, Internet browsing, and using business applications, can increase the security risk of the workstation. These apps and functions are susceptible to many security vulnerabilities, including phishing attacks and embedded malware. This increased risk is not acceptable for the highly privileged activities of a PAW. This requirement enforces this security concept in an environment where multiple PAW VMs are installed on a host server. Note: Relationship between the exception in WPAW-00-000500 and WPAW-00-001000 and requirement WPAW-00-001800: WPAW-00-000500 and WPAW-00-001000 allow an exception to the requirement for sites constrained in the number of available workstations. Lower-tier, high-value admin accounts can operate in a VM if the higher-tier, high-value admin accounts operate in the VM host-OS, but WPAW-00-001800 is more appropriate for a multiple PAW VM environment.

Checks: C-46734r722946_chk

Review the configuration of all host servers where PAW VMs are installed. Verify the only VMs installed on the host server are PAW VMs. If a host server where PAW VMs are installed contains non-PAW VMs, this is a finding.

Fix: F-46691r722947_fix

Install only PAW VMs on a host server designated for PAWs.

b

The Windows PAW must be configured so that all inbound ports and services to a PAW are blocked except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request.

CM-6 - Medium - CCI-000366 - V-243460 - SV-243460r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-002100

Vuln IDs

V-243460
V-78181

Rule IDs

SV-243460r991589_rule
SV-92887

A main security architectural construct of a PAW is that the workstation is isolated from most Internet threats, including phishing, impersonation, and credential theft attacks. This isolation is partially implemented by blocking unsolicited inbound traffic to the PAW.

Checks: C-46735r852044_chk

Obtain a list of all ports and services required for site monitoring, scanning, and management tools. Review the configuration setting of the PAW host-based firewall. Verify the firewall is configured to block all inbound ports and services from a PAW except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request. Note: The exact procedure for verifying the configuration will depend on which host-based firewall (for example, Endpoint Security Solution [ESS]) is used on the PAW. DoD sites should refer to DoD policies and firewall STIGs to determine acceptable firewalls products. If the PAW host-based firewall is not configured to block all inbound ports and services from a PAW except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request, this is a finding.

Fix: F-46692r852045_fix

Determine which inbound ports, services, addresses, or subnets are needed on the PAW for the organization's monitoring, scanning, and management tools. Configure the host-based firewall on the PAW to block all inbound connection requests except for organizational monitoring, scanning, and management tools or for inbound connections that are responses to outbound connection requests. Configure the host-based firewall on the PAW to block users with local administrative access from creating or modifying local firewall rules. Note: The exact configuration procedure will depend on which host-based firewall (for example, ESS) is used on the PAW. DoD sites should refer to DoD policies and firewall STIGs to determine acceptable firewalls products.

b

The Windows PAW must be configured so that all outbound connections to the Internet from a PAW are blocked.

CM-6 - Medium - CCI-000366 - V-243461 - SV-243461r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-002200

Vuln IDs

V-243461
V-78183

Rule IDs

SV-243461r991589_rule
SV-92889

Note: Internal domain connections from a PAW to communicate with IT resources being managed via the PAW with domain controllers or with a digital credential verification service (for example, Online Certificate Status Protocol [OCSP]) are allowed. A main security architectural construct of a PAW is that the workstation is isolated from most internet threats, including phishing, impersonation, and credential theft attacks. This isolation is partially implemented by blocking all outbound connections to the internet.

Checks: C-46736r852047_chk

Review the PAW configuration to verify all outbound connections to the internet from the PAW are blocked except to communicate with IT resources being managed via the PAW, including the management console of authorized public cloud services, with domain controllers, or with a digital credential verification service (for example, OCSP). Ask site personnel how outbound connections from the PAW to the internet have been blocked. Two common methods are to either configure the host-based firewall to block all outbound connection requests to the internet gateway or to configure the PAW with an internet proxy address with a loopback address. Based on the method used at the site, review either the configuration of the host-based firewall or the PAW configuration and verify the configuration blocks all outbound internet connections except to communicate with IT resources being managed via the PAW, with domain controllers, or with a digital credential verification service (for example, OCSP). If the site has configured the PAW with a loopback address, verify a proxy server group policy has been set up with a loopback address (127.0.0.1) and assigned to the PAW Users group. If the PAW system has not been configured to block all outbound connections to the internet from a PAW except to communicate with IT resources being managed via the PAW, with domain controllers, or with a digital credential verification service, this is a finding.

Fix: F-46693r852048_fix

Configure the PAW host-based firewall to block outbound connection requests to the internet gateway or configure the PAW with an internet proxy address with a loopback address. Allowed exceptions include connections to communicate with IT resources being managed via the PAW, including the management console of authorized public cloud services, with domain controllers, or with a digital credential verification service (for example, OCSP). If the PAW host-based firewall method is used, configure the firewall to block outbound connection requests to the internet gateway. The exact configuration procedure will depend on which host-based firewall (for example, Endpoint Security Solution [ESS]) is used on the PAW. DoD sites should refer to DoD policies and firewall STIGs to determine acceptable firewalls products. If the internet proxy address with a loopback address method is used, consider using the configuration instructions listed in the Microsoft Privileged Access Workstation paper. In addition, disable the capability of the administrator to manually override the proxy settings on each PAW.

b

The local Administrators group on the Windows PAW must only include groups with accounts specifically designated to administer the PAW.

CM-6 - Medium - CCI-000366 - V-243462 - SV-243462r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-002300

Vuln IDs

V-243462
V-78185

Rule IDs

SV-243462r991589_rule
SV-92891

A main security architectural construct of a PAW is to restrict access to the PAW from only specific privileged accounts designated for managing the high-value IT resources the PAW has been designated to manage. If unauthorized standard user accounts or unauthorized high-value administrative accounts are able to access a specific PAW, high-value IT resources and critical DoD information could be compromised.

Checks: C-46737r722955_chk

Verify the PAW is configured to restrict access to privileged accounts specifically designated to administer the PAW: - On the Windows PAW, verify the membership of the local Administrators group. - Verify the only members in the local Administrators group are the group specifically designated for managing the PAW and local administrator(s). If the local Administrators group includes any members not members of the specifically designated group for managing the PAW and local administrator(s), this is a finding.

Fix: F-46694r722956_fix

Restrict membership of the local Administrators group to only include members of the group specifically designated to manage the PAW and local administrator(s). See the Microsoft PAW paper (https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information (go to PAW Installation instructions).

b

Local privileged groups (excluding Administrators) on the Windows PAW must be restricted to include no members.

CM-6 - Medium - CCI-000366 - V-243463 - SV-243463r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-002400

Vuln IDs

V-243463
V-78159

Rule IDs

SV-243463r991589_rule
SV-92865

A main security architectural construct of a PAW is to restrict access to the PAW from only specific privileged accounts designated for managing the high-value IT resources the PAW has been designated to manage. If unauthorized standard user accounts or unauthorized high-value administrative accounts are able to access a specific PAW, high-value IT resources and critical DoD information could be compromised.

Checks: C-46738r722958_chk

Verify membership of local admin groups on the PAW are empty: On the Windows PAW, verify there are no members in the following local privileged groups (excluding Administrators)*: - Backup Operators (built-in) - Cryptographic Operators - Hyper-V Administrators - Network Configuration Operators - Power Users - Remote Desktop Users - Replicator If the membership of the following admin groups is not empty, this is a finding: Backup Operators (built-in), Cryptographic Operators, Hyper-V Administrators, Network Configuration Operators, Power Users, Remote Desktop Users, and Replicator. *Allowed exception: If a Hyper-V environment is used, the Hyper-V Administrators group may include members.

Fix: F-46695r722959_fix

Complete the following configuration procedures to restrict access to privileged accounts on the PAW (see the instructions for use of group policy to define membership, PAW Installation instructions in the Microsoft PAW paper). Configure membership of all local privileged groups (except for "Administrators (built-in)" group) so it is empty*. This procedure applies to the following local privileged groups: - Backup Operators (built-in) - Hyper-V Administrators - Network Configuration Operators - Power Users - Remote Desktop Users - Replicator Link the PAW group policy object (GPO) to the appropriate Tier devices Organizational Unit (OU). *Allowed exception: If a Hyper-V environment is used, the Hyper-V Administrators group may include members.

b

Restricted remote administration must be enabled for high-value systems.

CM-6 - Medium - CCI-000366 - V-243464 - SV-243464r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-002500

Vuln IDs

V-243464
V-78161

Rule IDs

SV-243464r991589_rule
SV-92867

Restricted remote administration features, RestrictedAdmin mode, and Remote Credential Guard for Remote Desktop Protocol (RDP), are an additional safeguard against "pass the hash" attacks, where hackers attempt to gain higher administrative privileges from a single compromised machine. Restricted remote administration protects administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. When restricted remote administration is implemented, the local RDP service tries to log on to the remote device using a network logon, so the user's credentials are not sent across the network. Therefore, if the high-value IT resource is compromised, the credentials of the administrator connecting to the IT resource from the PAW are not compromised.

Checks: C-46739r722961_chk

In the Registry Editor of the remote target system (high-value assets), verify the following registry key has a value of "0": - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa - Name: DisableRestrictedAdmin - Type: REG_DWORD - Value: 0 If restricted remote administration has not been enabled on the target system, this is a finding. In the Registry Editor of the PAW system, verify the following registry key has a value of "1": HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation Name: RestrictedRemoteAdministration Type: REG_DWORD Value: 1 If restricted remote administration has not been enabled on the PAW and is not enforced by policy, this is a finding.

Fix: F-46696r921974_fix

Enable RestrictedAdmin mode or Remote Credential Guard on high-value systems. On target systems (high-value assets), configure the following registry value: - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa - Name: DisableRestrictedAdmin - Type: REG_DWORD - Value: 0 On PAW systems: Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Credentials Delegation "Restrict delegation of credentials to remote servers" to "Enabled". Require Remote Credential Guard Require Restricted Admin Restrict Credential Delegation

b

If several PAWs are set up in virtual machines (VMs) on a host server, domain administrative accounts used to manage high-value IT resources must not have access to the VM host operating system (OS) (only domain administrative accounts designated to manage PAWs should be able to access the VM host OS).

CM-6 - Medium - CCI-000366 - V-243465 - SV-243465r991589_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

WPAW-00-002600

Vuln IDs

V-243465
V-78187

Rule IDs

SV-243465r991589_rule
SV-92893

The VM host OS should be protected from high-value IT resource administrators accidently or deliberately modifying the security settings of the host OS. Therefore, high-value IT resource administrators must not have the ability to perform maintenance functions on the VM host OS platform.

Checks: C-46740r722964_chk

Verify at least one group has been set up in Active Directory (usually Tier 0) for administrators responsible for maintaining VM host OSs (usually the same as the PAW workstation administrator's group). Verify no administrator account or administrator account group has been assigned to both the group of VM host OS administrators and any group for administrators of high-value IT resources. If separate VM host OS administrator groups and administrators of high-value IT resources have not been set up, this is a finding.

Fix: F-46697r722965_fix

Configure the VM host OS so only domain administrative accounts designated to manage PAWs have administrative rights on the VM host OS.

Content changes 1

Checks: C-46717r722895_chk

Fix: F-46674r722896_fix

Generate Mitigation Statement:

Checks: C-46718r722898_chk

Fix: F-46675r722899_fix

Generate Mitigation Statement:

Checks: C-46719r722901_chk

Fix: F-46676r722902_fix

Generate Mitigation Statement:

Checks: C-46720r722904_chk

Fix: F-46677r722905_fix

Generate Mitigation Statement:

Checks: C-46721r722907_chk

Fix: F-46678r722908_fix

Generate Mitigation Statement:

Checks: C-46722r921971_chk

Fix: F-46679r921972_fix

Generate Mitigation Statement:

Checks: C-46723r722913_chk

Fix: F-46680r722914_fix

Generate Mitigation Statement:

Checks: C-46724r722916_chk

Fix: F-46681r722917_fix

Generate Mitigation Statement:

Checks: C-46725r804959_chk

Fix: F-46682r722920_fix

Generate Mitigation Statement:

Checks: C-46726r804961_chk

Fix: F-46683r722923_fix

Generate Mitigation Statement:

Checks: C-46727r722925_chk

Fix: F-46684r722926_fix

Generate Mitigation Statement:

Checks: C-46728r722928_chk

Fix: F-46685r722929_fix

Generate Mitigation Statement:

Checks: C-46729r722931_chk

Fix: F-46686r722932_fix

Generate Mitigation Statement:

Checks: C-46730r722934_chk

Fix: F-46687r722935_fix

Generate Mitigation Statement:

Checks: C-46731r722937_chk

Fix: F-46688r722938_fix

Generate Mitigation Statement:

Checks: C-46732r997925_chk

Fix: F-46689r997926_fix

Generate Mitigation Statement:

Checks: C-46733r722943_chk

Fix: F-46690r852042_fix

Generate Mitigation Statement:

Checks: C-46734r722946_chk

Fix: F-46691r722947_fix

Generate Mitigation Statement:

Checks: C-46735r852044_chk

Fix: F-46692r852045_fix

Generate Mitigation Statement:

Checks: C-46736r852047_chk

Fix: F-46693r852048_fix

Generate Mitigation Statement:

Checks: C-46737r722955_chk

Fix: F-46694r722956_fix

Generate Mitigation Statement:

Checks: C-46738r722958_chk

Fix: F-46695r722959_fix

Generate Mitigation Statement:

Checks: C-46739r722961_chk

Fix: F-46696r921974_fix

Generate Mitigation Statement:

Checks: C-46740r722964_chk

Fix: F-46697r722965_fix

Generate Mitigation Statement: