Windows PAW Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R2

Published: 2019-05-03

Updated At: 2019-08-08 19:57:27

Compare/View Releases

Select any two versions of this STIG to compare the individual requirements

Select any old version/release of this STIG to view the previous requirements

Actions

Download

Filter


Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-92847r1_rule WPAW-00-000100 CCI-000101 LOW Administrators of high-value IT resources must complete required training. Required training helps to mitigate the risk of administrators not following required procedures. High-value IT resources are the most important and critical IT resources within an organization. They contain the most sensitive data in an organization, per
    SV-92849r1_rule WPAW-00-000200 CCI-000366 MEDIUM Site IT resources designated as high value by the Authorizing Official (AO) must be remotely managed only via a Windows privileged access workstation (PAW). The AO must designate which IT resources are high value. The list must include the following IT resources: - Directory service (including Active Directory) - Cloud service - Identity management service - Privileged access management service - Credential
    SV-92851r1_rule WPAW-00-000400 CCI-000366 MEDIUM Administrative accounts of all high-value IT resources must be assigned to a specific administrative tier in Active Directory to separate highly privileged administrative accounts from less privileged administrative accounts. Note: The Microsoft Tier 0-2 AD administrative tier model (https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM) is an example. A key security construct of a PAW is to
    SV-92853r1_rule WPAW-00-000500 CCI-000366 MEDIUM A Windows PAW must only be used to manage high-value IT resources assigned to the same tier. Note: Allowed exception - For sites that are constrained in the number of available workstations, an acceptable approach is to install lower-tier administrative accounts on a separate virtual machine (VM) on the PAW workstation where higher-tier administr
    SV-92855r1_rule WPAW-00-000600 CCI-000366 MEDIUM All high-value IT resources must be assigned to a specific administrative tier to separate highly sensitive resources from less sensitive resources. Note: The Microsoft Tier 0-2 AD administrative tier model (https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM) is an example. A key security construct of a PAW is to
    SV-92857r1_rule WPAW-00-000700 CCI-000366 MEDIUM The Windows PAW must be configured with a vendor-supported version of Windows 10 and applicable security patches that are DoD approved. Older versions of operating systems usually contain vulnerabilities that have been fixed in later released versions. In addition, most operating system patches contain fixes for recently discovered security vulnerabilities. Due to the highly privileged ac
    SV-92859r1_rule WPAW-00-000800 CCI-000366 MEDIUM A Windows update service must be available to provide software updates for the PAW platform. Older versions of operating systems usually contain vulnerabilities that have been fixed in later versions. In addition, most operating system patches contain fixes for recently discovered security vulnerabilities. Due to the highly privileged activities
    SV-92861r1_rule WPAW-00-001000 CCI-000366 MEDIUM The Windows PAW must be configured so that all non-administrative-related applications and functions are blocked or removed from the PAW platform, including but not limited to email, Internet browsing, and line-of-business applications. Note: The intent of this requirement is that a PAW must not be used for any function not related to the management of high-value IT resources. Note: Authorized exception - It is noted that administrators will need access to non-administrative functions,
    SV-92863r2_rule WPAW-00-001050 CCI-000366 MEDIUM Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard Code Integrity Policy). A main security architectural construct of a PAW is to restrict non-administrative applications and functions from the PAW workstation. Many standard user applications and functions, including email processing, Internet browsing, and using business applic
    SV-92865r1_rule WPAW-00-002400 CCI-000366 MEDIUM Local privileged groups (excluding Administrators) on the Windows PAW must be restricted to include no members. A main security architectural construct of a PAW is to restrict access to the PAW from only specific privileged accounts designated for managing the high-value IT resources the PAW has been designated to manage. If unauthorized standard user accounts or u
    SV-92867r1_rule WPAW-00-002500 CCI-000366 MEDIUM Restricted remote administration must be enabled for high-value systems. Restricted remote administration features, RestrictedAdmin mode, and Remote Credential Guard for Remote Desktop Protocol (RDP), are an additional safeguard against "pass the hash" attacks, where hackers attempt to gain higher administrative privileges fro
    SV-92869r2_rule WPAW-00-001060 CCI-000366 MEDIUM Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard User Mode Code Integrity). A main security architectural construct of a PAW is to restrict non-administrative applications and functions from the PAW workstation. Many standard user applications and functions, including email processing, Internet browsing, and using business applic
    SV-92871r1_rule WPAW-00-001100 CCI-000366 MEDIUM Windows PAWs must be restricted to only allow groups used to manage high-value IT resources and members of the local Administrators group to log on locally. A main security architectural construct of a PAW is to limit users of the PAW to only administrators of high-value IT resources. This will mitigate some of the risk of attack on administrators of high-value IT resources.
    SV-92873r1_rule WPAW-00-001200 CCI-000366 MEDIUM The domain must be configured to restrict privileged administrator accounts from logging on to lower-tier hosts. If the domain is not configured to restrict privileged administrator accounts from logging on to lower-tier hosts, it would be impossible to isolate administrative accounts to specific trust zones and protect IT resources from threats from high-risk trust
    SV-92875r1_rule WPAW-00-001300 CCI-000366 HIGH A Windows PAW used to manage domain controllers and directory services must not be used to manage any other type of high-value IT resource. Domain controllers (DC) are usually the most sensitive, high-value IT resources in a domain. Dedicating a PAW to be used solely for managing domain controllers will aid in protecting privileged domain accounts from being compromised. For Windows, this in
    SV-92877r1_rule WPAW-00-001400 CCI-000366 MEDIUM PAWs used to manage Active Directory must only allow groups specifically designated to manage Active Directory, such as Enterprise and Domain Admins and members of the local Administrators group, to log on locally. PAW platforms are used for highly privileged activities. The accounts that have administrative privileges on domain-level PAW platforms must not be used on or used to manage any non-domain-level PAW platforms. Otherwise, there would be a clear path for pr
    SV-92879r1_rule WPAW-00-001500 CCI-000366 MEDIUM In a Windows PAW, administrator accounts used for maintaining the PAW must be separate from administrative accounts used to manage high-value IT resources. Note: PAW accounts used to manage high-value IT resources have privileged rights on managed systems but no administrative or maintenance rights on the PAW. They only have user rights on the PAW. PAW administrative/maintenance accounts only have administra
    SV-92881r1_rule WPAW-00-001600 CCI-000366 MEDIUM The Windows PAW must be configured to enforce two-factor authentication and use Active Directory for authentication management. Due to the highly privileged functions of a PAW, a high level of trust must be implemented for access to the PAW, including non-repudiation of the user session. One-factor authentication, including username and password and shared administrator accounts,
    SV-92883r1_rule WPAW-00-001700 CCI-001135 HIGH The Windows PAW must use a trusted channel for all connections between a PAW and IT resources managed from the PAW. Note: The Common Criteria Security Functional Requirement (SFR) FTP_ITC.1.1(1) defines "trusted channel" as "a channel that uses IPsec, SSH, TLS, or TLS/HTTPS to provide a trusted communications channel between itself and authorized IT entity that is logi
    SV-92885r1_rule WPAW-00-001800 CCI-000366 MEDIUM If several Windows PAWs are set up in virtual machines (VMs) on a host server, the host server must only contain PAW VMs. A main security architectural construct of a PAW is to remove non-administrative functions from the PAW. Many standard user functions, including email processing, Internet browsing, and using business applications, can increase the security risk of the wo
    SV-92887r1_rule WPAW-00-002100 CCI-000366 MEDIUM The Windows PAW must be configured so that all inbound ports and services to a PAW are blocked except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request. A main security architectural construct of a PAW is that the workstation is isolated from most Internet threats, including phishing, impersonation, and credential theft attacks. This isolation is partially implemented by blocking unsolicited inbound traff
    SV-92889r1_rule WPAW-00-002200 CCI-000366 MEDIUM The Windows PAW must be configured so that all outbound connections to the Internet from a PAW are blocked. Note: Internal domain connections from a PAW to communicate with IT resources being managed via the PAW with domain controllers or with a digital credential verification service (for example, Online Certificate Status Protocol [OCSP]) are allowed. A main
    SV-92891r1_rule WPAW-00-002300 CCI-000366 MEDIUM The local Administrators group on the Windows PAW must only include groups with accounts specifically designated to administer the PAW. A main security architectural construct of a PAW is to restrict access to the PAW from only specific privileged accounts designated for managing the high-value IT resources the PAW has been designated to manage. If unauthorized standard user accounts or u
    SV-92893r1_rule WPAW-00-002600 CCI-000366 MEDIUM If several PAWs are set up in virtual machines (VMs) on a host server, domain administrative accounts used to manage high-value IT resources must not have access to the VM host operating system (OS) (only domain administrative accounts designated to manage PAWs should be able to access the VM host OS). The VM host OS should be protected from high-value IT resource administrators accidently or deliberately modifying the security settings of the host OS. Therefore, high-value IT resource administrators must not have the ability to perform maintenance func