accepted
Microsoft Windows PAW Security Technical Implementation Guide
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
DISA
STIG.DOD.MIL
Release: 2 Benchmark Date: 31 May 2022
3.3.0.273751.10.02
I - Mission Critical Classified<ProfileDescription></ProfileDescription>
I - Mission Critical Public<ProfileDescription></ProfileDescription>
I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>
II - Mission Support Classified<ProfileDescription></ProfileDescription>
II - Mission Support Public<ProfileDescription></ProfileDescription>
II - Mission Support Sensitive<ProfileDescription></ProfileDescription>
III - Administrative Classified<ProfileDescription></ProfileDescription>
III - Administrative Public<ProfileDescription></ProfileDescription>
III - Administrative Sensitive<ProfileDescription></ProfileDescription>
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
WPAW-00-000100
Administrators of high-value IT resources must complete required training.
<VulnDiscussion>Required training helps to mitigate the risk of administrators not following required procedures. High-value IT resources are the most important and critical IT resources within an organization. They contain the most sensitive data in an organization, perform the most critical tasks of an organization, or have access to and can control all or nearly all IT resources within an organization.
Requiring a PAW used exclusively for remote administrative management of designated high-value IT resources, including servers, workstations, directory services, applications, databases, and network components, will provide a separate "channel" for the performance of administrative tasks on high-value IT resources and isolate these functions from the majority of threats and attack vectors found on higher-risk standard client systems. A main security architectural construct of a PAW is to remove non-administrative applications and functions from the PAW. Technical controls for securing high-value IT resources will be ineffective if administrators are not aware of key security requirements.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Microsoft Windows PAW
DISA
DPMS Target
Microsoft Windows PAW
5405
V-78141
SV-92847
CCI-000101
CCI-000366
Add the following topics to initial and annual update training modules for system administrators of high-value IT resources:
- Remotely manage high-value IT resources only via a PAW.
- Administrative accounts will not be used for non-administrative functions (for example, read email, browse Internet).
Review site training records and verify the organization's system administrators of high-value IT resources have received the following initial and annual training:
- Remotely manage high-value IT resources only via a PAW.
- Administrative accounts will not be used for non-administrative functions (for example, read email, browse Internet).
If required training has not been completed by the organization's system administrators of high-value IT resources, this is a finding.
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
WPAW-00-000200
Site IT resources designated as high value by the Authorizing Official (AO) must be remotely managed only via a Windows privileged access workstation (PAW).
<VulnDiscussion>The AO must designate which IT resources are high value. The list must include the following IT resources:
- Directory service (including Active Directory)
- Cloud service
- Identity management service
- Privileged access management service
- Credential management service
- Security management service (anti-virus, network monitoring/scanning, IDS/IPS, etc.)
- Any sensitive business/mission service
- Any other IT resource designated as high value by the AO
Note: A high-value IT resource is defined as any IT resource whose purpose is considered critical to the organization or whose loss or compromise would cause a significant impact on the organization.
Note: Sensitive business/mission service is any business or mission service that needs additional protection from higher-risk IT services based on the nature of the function it provides; sensitivity of the data it consumes, processes, or stores; or criticality to the operation of the organization.
High-value IT resources are the most important and critical IT resources within an organization. They contain the most sensitive data in an organization, perform the most critical tasks of an organization, or have access to and can control all or nearly all IT resources within an organization. Administrator accounts for high-value IT resources must be protected against various threats and attacks because threats to sensitive privileged accounts are high and risk of compromise is increasing. Requiring a PAW used exclusively for remote administrative management of designated high-value IT resources, including servers, workstations, directory services, applications, databases, and network components, will provide a separate "channel" for the performance of administrative tasks on high-value IT resources and isolate these functions from the majority of threats and attack vectors found on higher-risk standard client systems.
Some IT resources, by the nature of the function they perform, should always be considered high value and should be remotely administered only via a PAW. The IT resources listed above are in this category.
Note: The term "manage" in the Requirement statement includes any remote connection to a high-value IT resource (for example, to view resource status and current configuration or to make changes to any resource configuration).</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Microsoft Windows PAW
DISA
DPMS Target
Microsoft Windows PAW
5405
V-78143
SV-92849
CCI-000366
The Information System Security Manager (ISSM) or other site personnel will assist the Authorizing Official (AO) in designating and documenting which IT resources in the organization are high value. The organization's list of high-value IT resources will include the following:
- Active Directory
- Cloud service
- Identity management service
- Privileged access management service
- Credential management service
- Security management service (anti-virus, network monitoring/scanning, IDS/IPS, etc.)
- Any sensitive business service
- Any other IT resource designated as high value by the AO
Set up procedures to ensure a Windows PAW is used to remotely manage each of these types of IT resources.
Review site documentation to confirm required high-value IT resources are remotely managed only via a PAW.
Verify the site maintains a list of designated high-value IT resources and the list contains the following IT resources (if deployed at the site):
- Active Directory
- Cloud service
- Identity management service
- Privileged access management service
- Credential management service
- Security management service (anti-virus, network monitoring/scanning, IDS/IPS, etc.)
- Any sensitive business/mission service
- Any other IT resource designated as high value by the Authorizing Official (AO)
Identify the PAWs set up to manage these high-value IT resources.
If the organization does not maintain a list of designated high-value IT resources or has not set up PAWs to remotely manage its high-value IT resources, this is a finding.
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
WPAW-00-000400
Administrative accounts of all high-value IT resources must be assigned to a specific administrative tier in Active Directory to separate highly privileged administrative accounts from less privileged administrative accounts.
<VulnDiscussion>Note: The Microsoft Tier 0-2 AD administrative tier model (https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM) is an example.
A key security construct of a PAW is to separate administrative accounts into specific trust levels so that an administrator account used to manage an IT resource at one trust level cannot be used to manage IT resources at another trust level. This architecture protects IT resources in a tier from threats from higher-risk tiers. Isolating administrative accounts by forcing them to operate only within their assigned trust zone implements the concept of containment of security risks and adversaries within a specific zone. The Tier model prevents escalation of privilege by restricting what administrators can control and where they can log on.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Microsoft Windows PAW
DISA
DPMS Target
Microsoft Windows PAW
5405
V-78145
SV-92851
CCI-000366
CCI-002227
Set up an administrative tier model for the domain (for example, the Microsoft recommended Tier 0-2 AD administrative tier model).
Note: Details of the Tier model are found at https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM.
Set up an Admin Organizational Unit (OU) Framework to host site PAWs. (Recommend the Microsoft PAW scripts be used to set up the PAW OU and group framework. They can be downloaded at http://aka.ms/PAWmedia.)
For example:
- Admin\Tier 0\Accounts
- Admin\Tier 1\Accounts
- Admin\Tier 2\Accounts
- Admin\Tier 0\Groups
- Admin\Tier 1\Groups
- Admin\Tier 2\Groups
- Admin\Tier 0\Devices
- Admin\Tier 1\Devices
- Admin\Tier 2\Devices
Note: If using the Microsoft scripts, after running the scripts, PAW Users Tier 0, PAW Users Tier 1, and PAW Users Tier 2 groups may need to be created under Admin/Tier 0/Groups, Admin/Tier 1/Groups, and Admin/Tier 2/Groups, respectively.
Set up administrative accounts for each assigned administrator for high-value IT resources.
Based on the list of high-value IT resources with assigned administrative tier level, move Tier 0-2 administrative accounts to the appropriate Organizational Units and add the appropriate members to the relevant groups. Make sure each account and group has been assigned to one and only one tier.
(Reference-defined groups in the Active Directory Domain STIG)
In Active Directory, verify an Organizational Unit (OU) and Group hierarchy have been set up to segregate administrative accounts used to manage both high-value IT resources and PAWs into assigned tiers.
Verify each administrative account and each PAW has been assigned to one and only one tier.
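One way to automate the "one and only one tier" verification above, as an added example that is not part of the STIG or of the Microsoft PAW scripts: derive each account's tier from its position under the Admin\Tier N\Accounts OUs and confirm that every group it belongs to lives under the same tier's Groups OU. The domain (DC=contoso,DC=mil), the account names and the group names are constructed for the sample.

```powershell
# Added example (not STIG text): cross-check account tier (from OU) against group tier (from group DN).
# Assumption: the site used the STIG's OU layout, so a DN contains "OU=Accounts,OU=Tier N,OU=Admin,".

function Get-TierFromDN {
    param([string]$DistinguishedName)
    # Admin\Tier 0\Accounts in the STIG's OU list appears in a DN as OU=Accounts,OU=Tier 0,OU=Admin,...
    if ($DistinguishedName -match 'OU=Tier (\d),OU=Admin,') { return [int]$Matches[1] }
    return $null   # object is outside the Admin OU framework, so it has no tier
}

function Test-TierAssignment {
    param([psobject[]]$Accounts)   # objects with SamAccountName, DistinguishedName and MemberOf (group DNs)
    foreach ($acct in $Accounts) {
        $accountTier = Get-TierFromDN $acct.DistinguishedName
        $problems = @()
        if ($null -eq $accountTier) { $problems += 'account is not in an Admin\Tier N\Accounts OU' }
        foreach ($groupDN in $acct.MemberOf) {
            $groupTier = Get-TierFromDN $groupDN
            $groupName = ($groupDN -split ',')[0] -replace '^CN=', ''
            if ($null -eq $groupTier) { $problems += "member of untiered group '$groupName'" }
            elseif ($groupTier -ne $accountTier) { $problems += "member of Tier $groupTier group '$groupName'" }
        }
        [pscustomobject]@{
            Account  = $acct.SamAccountName
            Tier     = $accountTier
            Finding  = ($problems.Count -gt 0)   # any cross-tier or untiered membership is a finding
            Problems = ($problems -join '; ')
        }
    }
}

# Constructed sample directory objects (hypothetical domain and names, not real data).
$domain = 'DC=contoso,DC=mil'
$sample = @(
    [pscustomobject]@{ SamAccountName = 't0-alice'; DistinguishedName = "CN=t0-alice,OU=Accounts,OU=Tier 0,OU=Admin,$domain"
                       MemberOf = @("CN=PAW Users Tier 0,OU=Groups,OU=Tier 0,OU=Admin,$domain") },
    [pscustomobject]@{ SamAccountName = 't1-bob'; DistinguishedName = "CN=t1-bob,OU=Accounts,OU=Tier 1,OU=Admin,$domain"
                       MemberOf = @("CN=PAW Users Tier 1,OU=Groups,OU=Tier 1,OU=Admin,$domain",
                                    "CN=Tier 0 Server Admins,OU=Groups,OU=Tier 0,OU=Admin,$domain") },   # crosses tiers
    [pscustomobject]@{ SamAccountName = 'svc-legacy'; DistinguishedName = "CN=svc-legacy,CN=Users,$domain"
                       MemberOf = @("CN=Domain Admins,CN=Users,$domain") }   # never moved into the framework
)
Test-TierAssignment -Accounts $sample | Format-Table -AutoSize

# Live data with the ActiveDirectory module (run from a PAW with RSAT):
# Test-TierAssignment -Accounts (Get-ADUser -SearchBase "OU=Admin,$domain" -Filter * -Properties MemberOf)
```

The sample reports t1-bob (member of a Tier 0 group) and svc-legacy (outside the Admin OUs, in an untiered group) as findings and t0-alice as compliant.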
If the site has not set up a tier structure on Active Directory for administrative accounts used to manage either high-value IT resources or PAWs, this is a finding.
If any administrative account used to manage either high-value IT resources or PAWs is assigned to more than one tier, this is a finding.
If each administrative account and each PAW has not been assigned to one and only one tier, this is a finding.
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
WPAW-00-000500
A Windows PAW must only be used to manage high-value IT resources assigned to the same tier.
<VulnDiscussion>Note: Allowed exception - For sites that are constrained in the number of available workstations, an acceptable approach is to install lower-tier administrative accounts on a separate virtual machine (VM) on the PAW workstation where higher-tier administrative accounts are installed on the host OS and lower-tier administrative accounts are installed in a VM. The VM will provide acceptable isolation between administrative accounts of different tiers.
Note: Relationship between the exception in WPAW-00-000500 and WPAW-00-001000 and requirement WPAW-00-001800: WPAW-00-000500 and WPAW-00-001000 allow an exception to the requirement for sites constrained in the number of available workstations. Lower-tier, high-value admin accounts can operate in a VM if the higher-tier, high-value admin accounts operate in the VM host-OS, but WPAW-00-001800 is more appropriate for a multiple PAW VM environment.
If administrative accounts assigned to different tiers were installed on the same PAW, it would be impossible to isolate administrative accounts to specific trust zones and protect IT resources from one trust zone (tier) from threats from high-risk trust zones.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Microsoft Windows PAW
DISA
DPMS Target
Microsoft Windows PAW
5405
V-78147
SV-92853
CCI-000366
Set aside one or more PAWs for remote management of high-value IT resources assigned to a specific tier. For example, using the Microsoft Tier 0-2 model, each PAW would be assigned to manage either Tier 0, Tier 1, or Tier 2 high-value IT resources.
Verify that a site has set aside one or more PAWs for remote management of high-value IT resources assigned to a specific tier.
Review any available site documentation.
Verify that any PAW used to manage high-value IT resources of a specific tier is used exclusively for managing high-value IT resources assigned to one and only one tier.
If the site has not set aside one or more PAWs for remote management of high-value IT resources assigned to a specific tier, this is a finding.
If PAWs used for managing high-value IT resources are used for additional functions, this is a finding.
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
WPAW-00-000600
All high-value IT resources must be assigned to a specific administrative tier to separate highly sensitive resources from less sensitive resources.
<VulnDiscussion>Note: The Microsoft Tier 0-2 AD administrative tier model (https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM) is an example.
A key security construct of a PAW is to separate high-value IT resources into specific trust levels so that if a device at one trust level is compromised the risk of compromise of more critical IT resources at a different tier is reduced. This architecture protects IT resources in a tier from threats from higher-risk tiers. Isolating administrative accounts by forcing them to operate only within their assigned trust zone implements the concept of containment of security risks and adversaries within a specific zone.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Microsoft Windows PAW
DISA
DPMS Target
Microsoft Windows PAW
5405
V-78149
SV-92855
CCI-000366
Set up an administrative tier model for the domain (for example, the Microsoft-recommended Tier 0-2 AD administrative tier model). (Details of the Tier model are found at https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM.)
Using the list of site designated high-value IT resources (see check WPAW-00-000200), indicate on the list the administrative Tier level the resource is assigned to. (Note: The updated list will be used in check WPAW-00-000400.)
In Active Directory, assign all high-value IT resources to the appropriate Organizational Units (for example):
- Admin\Tier 0\Devices
- Admin\Tier 1\Devices
- Admin\Tier 2\Devices
Verify the site has assigned each high-value IT resource to an administrative tier level by reviewing the site's list of high-value IT resources.
In Active Directory verify each high-value IT resource has been assigned to the Organizational Unit (OU) corresponding to the administrative tier the resource is assigned to.
If the site has not assigned an administrative tier level to each high-value IT resource or any high-value IT resource is not assigned to the appropriate OU in Active Directory, this is a finding.
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
WPAW-00-000700
The Windows PAW must be configured with a vendor-supported version of Windows 10 and applicable security patches that are DoD approved.
<VulnDiscussion>Older versions of operating systems usually contain vulnerabilities that have been fixed in later released versions. In addition, most operating system patches contain fixes for recently discovered security vulnerabilities. Due to the highly privileged activities of a PAW, it must be maintained at the highest security posture possible and therefore must have one of the current vendor-supported operating system versions installed.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Microsoft Windows PAW
DISA
DPMS Target
Microsoft Windows PAW
5405
V-78151
SV-92857
CCI-000366
Install one of the current vendor-supported versions of Windows 10 on site PAWs, including the most recently released patches.
Note: There is no central list in the DoD of "approved" operating system versions. The Microsoft website will list supported versions of Windows 10 and patches. If a STIG is available for one or more of the vendor-supported versions of Windows 10, the version can be considered to be DoD approved. Local AOs usually have implemented a procedure for testing Windows updates before they are deployed. Check with the local AO's staff to determine the latest approved version of Windows 10.
Determine the current approved versions of Windows 10.
Talk to the Authorizing Official (AO) staff, Information System Security Manager (ISSM), or PAW system administrator to determine the approved versions of Windows 10.
Review the configuration of the PAW and determine which version of Windows is installed on the PAW.
Verify the installed Windows 10 version is an approved version.
If the installed Windows 10 version on the PAW is not the same as an approved version, this is a finding.
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
WPAW-00-000800
A Windows update service must be available to provide software updates for the PAW platform.
<VulnDiscussion>Older versions of operating systems usually contain vulnerabilities that have been fixed in later versions. In addition, most operating system patches contain fixes for recently discovered security vulnerabilities. Due to the highly privileged activities of a PAW, it must be maintained at the highest security posture possible and therefore must have the latest operating system updates installed.
Because a PAW is isolated from online operating system update services, a software update service must be available on the intranet to manage operating system and other software updates for site PAWs. A separate software update service is not required at each tier.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Microsoft Windows PAW
DISA
DPMS Target
Microsoft Windows PAW
5405
V-78153
SV-92859
CCI-000366
Install a Windows update service (for example, Microsoft WSUS or System Center Configuration Manager [SCCM]) to provide software updates to all Windows-based PAWs in the organization.
Configure the Windows update service to download available operating system updates and install them when approved.
Based on site policy, configure the Windows update service to either automatically approve new updates for installation or to not install updates until installation is initiated by an authorized PAW maintenance administrator.
If WSUS is being used, configure Windows Update for WSUS on each PAW (use appropriate configuration procedures if an alternate Windows update service is used).
Go to Computer Configuration\Administrative Templates\Windows Components\Windows Updates and follow the steps below:
1. Enable the Configure Automatic Updates policy.
2. Select option 4 - Auto download and schedule the install.
3. Change the option "Scheduled install day" to "0 - Every Day" and the option "Scheduled install time" to your organizational preference.
4. Enable option "Specify intranet Microsoft update service location" policy, and specify in both options the URL of the WSUS server.
Verify an automated software update service is being used at the site to update the operating system of site PAWs.
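The four Group Policy steps above are written to the client's WindowsUpdate policy keys, so their effect on a PAW can be read back without opening the editor. The following is an added example, not STIG text; the WSUS URL http://wsus.example.mil:8530 is a placeholder for the site's own server.

```powershell
# Added example (not from the STIG): read the registry values behind the WSUS fix steps and compare them.
# Registry paths are the standard Windows Update policy keys; the server URL is a placeholder.

function Get-WsusClientPolicy {
    param([string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate')
    # "Configure Automatic Updates" and the schedule live under ...\WindowsUpdate\AU;
    # "Specify intranet Microsoft update service location" writes WUServer/WUStatusServer one level up.
    $wu = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$PolicyRoot\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoAutoUpdate         = $au.NoAutoUpdate          # 0 = Configure Automatic Updates enabled (step 1)
        AUOptions            = $au.AUOptions             # 4 = Auto download and schedule the install (step 2)
        ScheduledInstallDay  = $au.ScheduledInstallDay   # 0 = Every day (step 3)
        ScheduledInstallTime = $au.ScheduledInstallTime  # hour 0-23, organizational preference (step 3)
        UseWUServer          = $au.UseWUServer           # 1 = intranet update service location in effect (step 4)
        WUServer             = $wu.WUServer              # both URLs from step 4
        WUStatusServer       = $wu.WUStatusServer
    }
}

function Test-WsusClientPolicy {
    param([psobject]$Policy, [string]$ExpectedWsusUrl)
    $findings = @()
    if ($Policy.NoAutoUpdate -ne 0) { $findings += 'Configure Automatic Updates is not enabled (NoAutoUpdate is not 0)' }
    if ($Policy.AUOptions -ne 4) { $findings += "AUOptions is '$($Policy.AUOptions)', expected 4 (auto download and schedule)" }
    if ($Policy.ScheduledInstallDay -ne 0) { $findings += "ScheduledInstallDay is '$($Policy.ScheduledInstallDay)', expected 0 (every day)" }
    if ($Policy.UseWUServer -ne 1) { $findings += 'UseWUServer is not 1: intranet update service location not enforced' }
    foreach ($p in 'WUServer', 'WUStatusServer') {
        # An empty or mismatched URL means the PAW is not pointed at the site's update service
        if ($Policy.$p -ne $ExpectedWsusUrl) { $findings += "$p is '$($Policy.$p)', expected '$ExpectedWsusUrl'" }
    }
    return $findings
}

# Constructed sample: a PAW where step 3 and the status-server half of step 4 were missed.
$sample = [pscustomobject]@{
    NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallDay = 1; ScheduledInstallTime = 3
    UseWUServer = 1; WUServer = 'http://wsus.example.mil:8530'; WUStatusServer = $null
}
$findings = Test-WsusClientPolicy -Policy $sample -ExpectedWsusUrl 'http://wsus.example.mil:8530'
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'WSUS client policy matches the fix steps' }

# On the PAW itself (elevated), evaluate the live policy instead of the sample:
# Test-WsusClientPolicy -Policy (Get-WsusClientPolicy) -ExpectedWsusUrl 'http://wsus.example.mil:8530'
```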
If an automated software update service is not set up and configured to provide updates to site PAWs, this is a finding.
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
WPAW-00-001000
The Windows PAW must be configured so that all non-administrative-related applications and functions are blocked or removed from the PAW platform, including but not limited to email, Internet browsing, and line-of-business applications.
<VulnDiscussion>Note: The intent of this requirement is that a PAW must not be used for any function not related to the management of high-value IT resources.
Note: Authorized exception - It is noted that administrators will need access to non-administrative functions, such as email and the Internet, but a PAW must not be used for these activities. For sites that are constrained in the number of available workstations, an acceptable approach is to install the non-administrative services on a separate virtual machine (VM) on the workstation where the PAW service is installed. The VM will provide acceptable isolation between high-value administrative management accounts and non-administrative services.
Note: Relationship between the exception in WPAW-00-000500 and WPAW-00-001000 and requirement WPAW-00-001800: WPAW-00-000500 and WPAW-00-001000 allow an exception to the requirement for sites constrained in the number of available workstations. Lower-tier, high-value admin accounts can operate in a VM if the higher-tier, high-value admin accounts operate in the VM host-OS, but WPAW-00-001800 is more appropriate for a multiple PAW VM environment.
A main security architectural construct of a PAW is to remove non-administrative applications and functions from the PAW workstation. Many standard user applications and functions, including email processing, Internet browsing, and using business applications, can increase the security risk to the workstation. These apps and functions are susceptible to many security vulnerabilities, including phishing attacks and embedded malware. This increased risk is not acceptable for the highly privileged activities of a PAW.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Microsoft Windows PAW
DISA
DPMS Target
Microsoft Windows PAW
5405
V-78155
SV-92861
CCI-000366
Remove email applications and all line-of-business applications from the PAW.
Note: Internet browsing is blocked using the PAW host-based firewall or by configuring a proxy address with a loopback address on the PAW. (See STIG check WPAW-00-002200.)
Note: Internet browsing is blocked using the PAW host-based firewall or by configuring a proxy address with a loopback address on the PAW. (See STIG check WPAW-00-002200.) Blocking Internet browsing does not need to be verified in this procedure.
Review the services and applications installed on the PAW.
Verify there are no email applications/clients and line-of-business applications installed on the PAW.
If email applications/clients or line-of-business applications are installed on the PAW, this is a finding.
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
WPAW-00-001050
Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard Code Integrity Policy).
<VulnDiscussion>A main security architectural construct of a PAW is to restrict non-administrative applications and functions from the PAW workstation. Many standard user applications and functions, including email processing, Internet browsing, and using business applications, can increase the security risk to the workstation. These apps and functions are susceptible to many security vulnerabilities, including phishing attacks and embedded malware. This increased risk is not acceptable for the highly privileged activities of a PAW.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Microsoft Windows PAW
DISA
DPMS Target
Microsoft Windows PAW
5405
V-78157
SV-92863
CCI-000366
Implement a whitelist of authorized PAW applications using Device Guard. See the Device Guard Deployment Guide (https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide) for deployment information and hardware requirements and the IAD Device Guard document "Implementing a Secure Administrative Workstation using Device Guard" at https://github.com/iadgov/Secure-Host-Baseline/tree/master/Device%20Guard.
Note: This requirement is Not Applicable (NA) if the Endpoint Security Solution (ESS) managed system is used on the PAW and application whitelisting is enforced.
Verify Device Guard is enforcing a code integrity policy to restrict authorized applications.
Run "PowerShell" with elevated privileges (run as administrator).
Enter the following:
"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | FL *codeintegrity*"
If "CodeIntegrityPolicyEnforcementStatus" does not have a value of "2" indicating "Enforced", this is a finding.
(For reference: 0 - Not Configured; 1 - Audit; 2 - Enforced)
Alternately:
- Run "System Information".
- Under "System Summary", verify the following:
If "Device Guard Code Integrity Policy" does not display "Enforced", this is a finding.
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
WPAW-00-001060
Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard User Mode Code Integrity).
<VulnDiscussion>A main security architectural construct of a PAW is to restrict non-administrative applications and functions from the PAW workstation. Many standard user applications and functions, including email processing, Internet browsing, and using business applications, can increase the security risk to the workstation. These apps and functions are susceptible to many security vulnerabilities, including phishing attacks and embedded malware. This increased risk is not acceptable for the highly privileged activities of a PAW.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Microsoft Windows PAW
DISA
DPMS Target
Microsoft Windows PAW
5405
V-78163
SV-92869
CCI-000366
Implement a whitelist of authorized PAW applications using Device Guard. See the Device Guard Deployment Guide (https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide) for deployment information and hardware requirements and the IAD Device Guard document "Implementing a Secure Administrative Workstation using Device Guard" at https://github.com/iadgov/Secure-Host-Baseline/tree/master/Device%20Guard.
Note: This requirement is Not Applicable (NA) if the Endpoint Security Solution (ESS) managed system is used on the PAW and application whitelisting is enforced.
Verify Device Guard is enforcing a code integrity policy to restrict authorized applications.
Run "PowerShell" with elevated privileges (run as administrator).
Enter the following:
"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | FL *codeintegrity*"
If "UserModeCodeIntegrityPolicyEnforcementStatus" does not have a value of "2" indicating "Enforced", this is a finding.
(For reference: 0 - Not Configured; 1 - Audit; 2 - Enforced)
Alternately:
- Run "System Information".
- Under "System Summary", verify the following:
If "Device Guard user mode Code Integrity" does not display "Enforced", this is a finding.
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
WPAW-00-001100
Windows PAWs must be restricted to only allow groups used to manage high-value IT resources and members of the local Administrators group to log on locally.
<VulnDiscussion>A main security architectural construct of a PAW is to limit users of the PAW to only administrators of high-value IT resources. This will mitigate some of the risk of attack on administrators of high-value IT resources.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Microsoft Windows PAW
DISA
DPMS Target
Microsoft Windows PAW
5405
V-78165
SV-92871
CCI-000366
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on locally" to only include the following groups or accounts:
- Administrators
- Groups specifically designated to manage high-value IT resources
Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.
If any groups or accounts other than the following are granted the "Allow log on locally" user right, this is a finding:
- Administrators
- Groups specifically designated to manage high-value IT resourcesSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WPAW-00-001200The domain must be configured to restrict privileged administrator accounts from logging on to lower-tier hosts.<VulnDiscussion>If the domain is not configured to restrict privileged administrator accounts from logging on to lower-tier hosts, it would be impossible to isolate administrative accounts to specific trust zones and protect IT resources from threats from high-risk trust zones. Blocking logon to lower-tier assets helps protect IT resources in a tier from being attacked from a lower tier.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows PAWDISADPMS TargetMicrosoft Windows PAW5405V-78167SV-92873CCI-000366Configure domain systems to prevent higher-tier administrative accounts from logging on to lower-tier hosts.
Assign higher-tier administrative groups to the Deny log on user rights of lower-tier hosts. This includes the following user rights:
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Domain and Enterprise Admins are currently required to be included in the appropriate deny user rights in the Windows STIGs for member servers and workstations.Verify domain systems are configured to prevent higher-tier administrative accounts from logging on to lower-tier hosts.
This can be accomplished by adding the higher-tier administrative groups to the Deny log on user rights of the lower-tier system. These include the following user rights:
Deny log on as a batch job
Deny log on as a service
Deny log on locally
If domain systems are not configured to prevent higher-tier administrative accounts from logging on to lower-tier hosts, this is a finding.
Domain and Enterprise Admins are currently required to be included in the appropriate deny user rights in the Windows STIGs for member servers and workstations.
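The following PowerShell is an added example and is not part of this STIG or of Microsoft's PAW guidance. It audits the user rights behind WPAW-00-001100 (run on the PAW: who holds "Allow log on locally") and WPAW-00-001200 (run on a lower-tier host: whether every higher-tier group is in all three Deny log on rights) from the effective local security policy exported by secedit, which reflects domain GPO as well as local settings. The group names CONTOSO\Tier1-Admins and CONTOSO\Tier0-Admins are assumptions for illustration; substitute the site's designated groups.

```powershell
# Added example (not the STIG's own text). Group names below are assumptions for illustration.
$AllowedInteractive = @('BUILTIN\Administrators', 'CONTOSO\Tier1-Admins')                              # WPAW-00-001100 allow-list (assumed)
$HigherTierGroups   = @('CONTOSO\Domain Admins', 'CONTOSO\Enterprise Admins', 'CONTOSO\Tier0-Admins')  # must be denied on lower tiers (assumed)

function Get-UserRightsAssignment {
    # Export the effective local security policy (domain GPO included) and parse [Privilege Rights].
    $tmp = Join-Path $env:TEMP 'ura-export.inf'
    secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $tmp) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        # Entries are comma-separated SIDs prefixed with '*'; resolve each to DOMAIN\Name.
        # Unresolvable entries are kept verbatim so a stale or foreign SID still shows up in the report.
        $rights[$name] = foreach ($s in ($Matches[2] -split ',')) {
            $s = $s.Trim().TrimStart('*')
            if (-not $s) { continue }
            try   { (New-Object Security.Principal.SecurityIdentifier $s).Translate([Security.Principal.NTAccount]).Value }
            catch { $s }
        }
    }
    Remove-Item $tmp -Force
    return $rights
}

$ura = Get-UserRightsAssignment

# WPAW-00-001100 (on the PAW): any holder of SeInteractiveLogonRight outside the allow-list is a finding.
$extra = @($ura['SeInteractiveLogonRight']) | Where-Object { $_ -and $_ -notin $AllowedInteractive }
if ($extra) { Write-Warning "Finding (WPAW-00-001100): unexpected 'Allow log on locally' holders: $($extra -join ', ')" }
else        { Write-Output 'Allow log on locally: compliant' }

# WPAW-00-001200 (on a lower-tier host): every higher-tier group must hold all three Deny rights.
foreach ($right in 'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight', 'SeDenyInteractiveLogonRight') {
    $missing = $HigherTierGroups | Where-Object { $_ -notin @($ura[$right]) }
    if ($missing) { Write-Warning "Finding (WPAW-00-001200): $right does not deny $($missing -join ', ')" }
    else          { Write-Output "${right}: compliant" }
}
```

The Deny check belongs on the lower-tier host, not on the PAW, because it is the lower-tier host's policy that keeps a Tier 0 credential from ever being exposed there. Domain Admins and Enterprise Admins are in the list because the Windows member server and workstation STIGs already require them in those deny rights; the site's own tier groups are the part this check adds.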
Note: Severity category exception - Upgrade to a CAT I finding if any Tier 0 administrative account used to manage high-value IT resources is able to log on to a lower-tier host.SRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>WPAW-00-001300A Windows PAW used to manage domain controllers and directory services must not be used to manage any other type of high-value IT resource.<VulnDiscussion>Domain controllers (DC) are usually the most sensitive, high-value IT resources in a domain. Dedicating a PAW to be used solely for managing domain controllers will aid in protecting privileged domain accounts from being compromised.
For Windows, this includes the management of Active Directory itself and the DCs that run Active Directory, including such activities as domain-level user and computer management, administering trusts, replication, schema changes, site topology, domain-wide group policy, the addition of new DCs, DC software installation, and DC backup and restore operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows PAWDISADPMS TargetMicrosoft Windows PAW5405V-78169SV-92875CCI-001082Set aside one or more PAWs for remote management of Active Directory.
Ensure they are used only for the purpose of managing directory services. Otherwise, use the local domain controller console to manage Active Directory.
If domain controllers and directory services are only managed with local logons to domain controllers, not remotely, this requirement is not applicable.
Discuss with the Information System Security Manager (ISSM) or PAW system administrators and review any available site documentation.
Verify that a site has designated specific PAWs for the sole purpose of remote management of domain controllers and directory service servers.
Review any available site documentation.
Verify that any PAW used to manage domain controllers and directory services remotely is used exclusively for managing domain controllers and directory services.
If the site has not designated specific PAWs for the sole purpose of remote management of domain controllers and directory service servers, this is a finding.
If PAWs used for managing domain controllers and directory services are used for additional functions, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WPAW-00-001400PAWs used to manage Active Directory must only allow groups specifically designated to manage Active Directory, such as Enterprise and Domain Admins and members of the local Administrators group, to log on locally.<VulnDiscussion>PAW platforms are used for highly privileged activities. The accounts that have administrative privileges on domain-level PAW platforms must not be used on or used to manage any non-domain-level PAW platforms. Otherwise, there would be a clear path for privilege escalation to Enterprise Admin (EA)/Domain Admin (DA) privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows PAWDISADPMS TargetMicrosoft Windows PAW5405V-78171SV-92877CCI-000366Configure the group policy that applies to the PAW.
Add only the administrative accounts designated to manage domain controllers and Active Directory remotely to the PAW Users group on PAWs designated for the management of domain controllers and Active Directory.
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on locally" to only include the following groups or accounts:
- Administrators
- Groups specifically designated to manage domain controllers and Active Directory
Verify on the PAW the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.
If any groups or accounts other than the following are granted the "Allow log on locally" user right, this is a finding:
- Administrators
- Groups specifically designated to manage domain controllers and Active DirectorySRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>WPAW-00-001500In a Windows PAW, administrator accounts used for maintaining the PAW must be separate from administrative accounts used to manage high-value IT resources.<VulnDiscussion>Note: PAW accounts used to manage high-value IT resources have privileged rights on managed systems but no administrative or maintenance rights on the PAW. They only have user rights on the PAW. PAW administrative/maintenance accounts only have administrative rights on a PAW and are used only to perform administrative functions on the PAW. PAW administrative/maintenance accounts are the only admin accounts that have admin rights on a PAW. It is not required that PAW administrative/maintenance accounts be organized by tier.
The PAW platform should be protected from high-value IT resource administrators accidentally or deliberately modifying the security settings of the PAW. Therefore, high-value IT resource administrators must not have the ability to perform maintenance functions on the PAW platform. Separate PAW admin accounts must be set up that only have rights to manage PAW platforms.
PAW administrators have the capability to compromise Domain Admin accounts; therefore, personnel assigned as PAW administrators must be the most trusted and experienced administrators within an organization, at least equal to personnel assigned as domain administrators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows PAWDISADPMS TargetMicrosoft Windows PAW5405V-78173SV-92879CCI-001082Set up separate domain administrative accounts to manage PAWs from domain administrative accounts used to manage high-value IT resources. Each of these accounts is not to be used for any other purpose.
Note: Personnel assigned as PAW administrators should be the most trusted and experienced administrators within an organization.
Verify at least one group has been set up in Active Directory (usually Tier 0) for administrators responsible for maintaining PAW workstations (for example, PAW Maintenance group).
Verify no administrator account or administrator account group has been assigned to both the group of PAW workstation administrators and any group for administrators of high-value IT resources.
If separate PAW administrator groups and administrators of high-value IT resources have not been set up, this is a finding.
If a member of any group of PAW maintenance administrators is also a member of any group of administrators of high-value IT resources, this is a finding.SRG-OS-000107-GPOS-00054<GroupDescription></GroupDescription>WPAW-00-001600The Windows PAW must be configured to enforce two-factor authentication and use Active Directory for authentication management.<VulnDiscussion>Due to the highly privileged functions of a PAW, a high level of trust must be implemented for access to the PAW, including non-repudiation of the user session. One-factor authentication, including username and password and shared administrator accounts, does not provide adequate assurance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows PAWDISADPMS TargetMicrosoft Windows PAW5405V-78175SV-92881CCI-000767In Active Directory, configure group policy to enable either smart card or another DoD-approved two-factor authentication method for all PAWs.
- Go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
- Set "Interactive logon: Require Windows Hello for Business or smart card" to "Enabled".
Review the configuration on the PAW.
Verify group policy is configured to enable either smart card or another DoD-approved two-factor authentication method for site PAWs.
- In Active Directory, go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
- Verify "Interactive logon: Require Windows Hello for Business or smart card" is set to "Enabled".
If group policy is not configured to enable either smart card or another DoD-approved two-factor authentication method, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WPAW-00-001700The Windows PAW must use a trusted channel for all connections between a PAW and IT resources managed from the PAW.<VulnDiscussion>Note: The Common Criteria Security Functional Requirement (SFR) FTP_ITC.1.1(1) defines "trusted channel" as "a channel that uses IPsec, SSH, TLS, or TLS/HTTPS to provide a trusted communications channel between itself and authorized IT entity that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure." The trusted channel uses IPsec, TLS, DTLS, or HTTPS as the protocol that preserves the confidentiality and integrity of PAW communications.
The confidentiality and integrity of the communications between the PAW and high-value IT resources being managed from the PAW must be protected due to the highly sensitive nature of the administrative functions being performed. A trusted channel provides the requisite assured identification of its end points and protection of the channel data from modification or disclosure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows PAWDISADPMS TargetMicrosoft Windows PAW5405SV-92883V-78177CCI-000366CCI-001135CCI-002426Configure the PAWs to use IPsec, SSH, TLS, or TLS/HTTPS for all connections between the PAW and managed IT resources on the intranet.
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled".
On the PAW workstation, verify IPsec, SSH, TLS, or TLS/HTTPS is configured for all connections between the PAW and managed IT resources on the intranet.
Verify the following registry setting:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\
Value Name: Enabled
Value Type: REG_DWORD
Value: 1
Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS; otherwise, the browser will not be able to connect to a secure site.
If the registry value above does not exist on the PAW workstation or is not configured as specified, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WPAW-00-001800If several Windows PAWs are set up in virtual machines (VMs) on a host server, the host server must only contain PAW VMs.<VulnDiscussion>A main security architectural construct of a PAW is to remove non-administrative functions from the PAW. Many standard user functions, including email processing, Internet browsing, and using business applications, can increase the security risk of the workstation. These apps and functions are susceptible to many security vulnerabilities, including phishing attacks and embedded malware. This increased risk is not acceptable for the highly privileged activities of a PAW. This requirement enforces this security concept in an environment where multiple PAW VMs are installed on a host server.
Note: Relationship between the exception in WPAW-00-000500 and WPAW-00-001000 and requirement WPAW-00-001800: WPAW-00-000500 and WPAW-00-001000 allow an exception to the requirement for sites constrained in the number of available workstations. Lower-tier, high-value admin accounts can operate in a VM if the higher-tier, high-value admin accounts operate in the VM host-OS, but WPAW-00-001800 is more appropriate for a multiple PAW VM environment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows PAWDISADPMS TargetMicrosoft Windows PAW5405V-78179SV-92885CCI-000366Install only PAW VMs on a host server designated for PAWs.Review the configuration of all host servers where PAW VMs are installed.
Verify the only VMs installed on the host server are PAW VMs.
If a host server where PAW VMs are installed contains non-PAW VMs, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WPAW-00-002100The Windows PAW must be configured so that all inbound ports and services to a PAW are blocked except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request.<VulnDiscussion>A main security architectural construct of a PAW is that the workstation is isolated from most Internet threats, including phishing, impersonation, and credential theft attacks. This isolation is partially implemented by blocking unsolicited inbound traffic to the PAW.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows PAWDISADPMS TargetMicrosoft Windows PAW5405V-78181SV-92887CCI-000366CCI-002403Determine which inbound ports, services, addresses, or subnets are needed on the PAW for the organization's monitoring, scanning, and management tools.
Configure the host-based firewall on the PAW to block all inbound connection requests except for organizational monitoring, scanning, and management tools or for inbound connections that are responses to outbound connection requests.
Configure the host-based firewall on the PAW to block users with local administrative access from creating or modifying local firewall rules.
Note: The exact configuration procedure will depend on which host-based firewall (for example, ESS) is used on the PAW. DoD sites should refer to DoD policies and firewall STIGs to determine acceptable firewall products.
Obtain a list of all ports and services required for site monitoring, scanning, and management tools.
Review the configuration setting of the PAW host-based firewall.
Verify the firewall is configured to block all inbound ports and services to the PAW except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request.
Note: The exact procedure for verifying the configuration will depend on which host-based firewall (for example, Endpoint Security Solution [ESS]) is used on the PAW. DoD sites should refer to DoD policies and firewall STIGs to determine acceptable firewall products.
If the PAW host-based firewall is not configured to block all inbound ports and services to the PAW except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WPAW-00-002200The Windows PAW must be configured so that all outbound connections to the Internet from a PAW are blocked.<VulnDiscussion>Note: Internal domain connections from a PAW to communicate with IT resources being managed via the PAW, with domain controllers, or with a digital credential verification service (for example, Online Certificate Status Protocol [OCSP]) are allowed.
A main security architectural construct of a PAW is that the workstation is isolated from most internet threats, including phishing, impersonation, and credential theft attacks. This isolation is partially implemented by blocking all outbound connections to the internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows PAWDISADPMS TargetMicrosoft Windows PAW5405V-78183SV-92889CCI-000366CCI-002399Configure the PAW host-based firewall to block outbound connection requests to the internet gateway or configure the PAW with an internet proxy address with a loopback address. Allowed exceptions include connections to communicate with IT resources being managed via the PAW, including the management console of authorized public cloud services, with domain controllers, or with a digital credential verification service (for example, OCSP).
If the PAW host-based firewall method is used, configure the firewall to block outbound connection requests to the internet gateway. The exact configuration procedure will depend on which host-based firewall (for example, Endpoint Security Solution [ESS]) is used on the PAW. DoD sites should refer to DoD policies and firewall STIGs to determine acceptable firewall products.
If the internet proxy address with a loopback address method is used, consider using the configuration instructions listed in the Microsoft Privileged Access Workstation paper.
In addition, disable the capability of the administrator to manually override the proxy settings on each PAW.
Review the PAW configuration to verify all outbound connections to the internet from the PAW are blocked except to communicate with IT resources being managed via the PAW, including the management console of authorized public cloud services, with domain controllers, or with a digital credential verification service (for example, OCSP).
Ask site personnel how outbound connections from the PAW to the internet have been blocked. Two common methods are to either configure the host-based firewall to block all outbound connection requests to the internet gateway or to configure the PAW with an internet proxy address with a loopback address. Based on the method used at the site, review either the configuration of the host-based firewall or the PAW configuration and verify the configuration blocks all outbound internet connections except to communicate with IT resources being managed via the PAW, with domain controllers, or with a digital credential verification service (for example, OCSP).
If the site has configured the PAW with a loopback address, verify a proxy server group policy has been set up with a loopback address (127.0.0.1) and assigned to the PAW Users group.
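The following PowerShell is an added example and is not part of this STIG. It shows the inbound check for WPAW-00-002100 and both outbound methods for WPAW-00-002200 on the assumption that Windows Defender Firewall is the host-based firewall (sites using ESS or another product must use that product's own procedure). The intranet subnets, the monitoring subnet 10.10.5.0/24, the GPO name, and the registry value used for the proxy-override lock are assumptions for illustration.

```powershell
# Added example (not the STIG's own text). Assumes Windows Defender Firewall is the host-based
# firewall; subnets, GPO name, and proxy lock value below are illustrative assumptions.
$IntranetSubnets = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')   # assumed site address space (managed hosts, DCs, OCSP)
$MgmtToolSource  = '10.10.5.0/24'                                       # assumed monitoring/scanning subnet

function Get-PawInboundFindings {
    # WPAW-00-002100: each profile must be on and must default to Block for unsolicited inbound traffic.
    $bad = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }
    foreach ($p in $bad) { Write-Warning "Finding (WPAW-00-002100): profile $($p.Name) is off or does not default to Block" }
    # List every enabled inbound allow rule so it can be matched against the site's tool list;
    # a rule whose remote address is Any, or not the tool subnet, needs justification.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($addr -join ',')
            LocalPort     = ($port -join ',')
            Suspect       = ($addr -contains 'Any') -or ($addr -notcontains $MgmtToolSource)
        }
    }
}

function Set-PawOutboundInternetBlock {
    # WPAW-00-002200, firewall method: permit outbound only to the intranet, then default outbound to Block.
    # Replies to those allowed connections are handled statefully and need no inbound rule.
    New-NetFirewallRule -DisplayName 'PAW-Allow-Outbound-Intranet' -Direction Outbound -Action Allow `
        -RemoteAddress $IntranetSubnets -Profile Domain, Private, Public -ErrorAction Stop | Out-Null
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
    # To keep local administrators from adding or changing rules, set AllowLocalFirewallRules to False in the
    # PAW GPO; the setting is honoured only when delivered through Group Policy, e.g. (GPO name assumed):
    #   Set-NetFirewallProfile -All -AllowLocalFirewallRules False -PolicyStore 'contoso.mil\PAW-Firewall'
}

function Test-PawProxyLoopback {
    # WPAW-00-002200, proxy method: user-scope proxy pinned to 127.0.0.1 and locked against override.
    # The lock value is the "Prevent changing proxy settings" policy as the author understands it (assumption).
    $p    = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    $lock = (Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' -ErrorAction SilentlyContinue).Proxy
    [pscustomobject]@{
        ProxyEnabled  = ($p.ProxyEnable -eq 1)
        ProxyServer   = $p.ProxyServer
        LoopbackProxy = ($p.ProxyServer -like '127.0.0.1*')
        UserLocked    = ($lock -eq 1)
    }
}

Get-PawInboundFindings | Format-Table -AutoSize
Test-PawProxyLoopback
```

Run Test-PawProxyLoopback in the context of a PAW User account, since the proxy policy is user-scoped and the STIG ties it to the PAW Users group. The proxy method only constrains applications that honour the system proxy; the firewall default-Block is what stops everything else.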
If the PAW system has not been configured to block all outbound connections to the internet from a PAW except to communicate with IT resources being managed via the PAW, with domain controllers, or with a digital credential verification service, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WPAW-00-002300The local Administrators group on the Windows PAW must only include groups with accounts specifically designated to administer the PAW.<VulnDiscussion>A main security architectural construct of a PAW is to restrict access to the PAW from only specific privileged accounts designated for managing the high-value IT resources the PAW has been designated to manage. If unauthorized standard user accounts or unauthorized high-value administrative accounts are able to access a specific PAW, high-value IT resources and critical DoD information could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows PAWDISADPMS TargetMicrosoft Windows PAW5405V-78185SV-92891CCI-000366Restrict membership of the local Administrators group to only include members of the group specifically designated to manage the PAW and local administrator(s).
See the Microsoft PAW paper (https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information (go to PAW Installation instructions).Verify the PAW is configured to restrict access to privileged accounts specifically designated to administer the PAW:
- On the Windows PAW, verify the membership of the local Administrators group.
- Verify the only members in the local Administrators group are the group specifically designated for managing the PAW and local administrator(s).
If the local Administrators group includes any members other than the specifically designated group for managing the PAW and local administrator(s), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WPAW-00-002400Local privileged groups (excluding Administrators) on the Windows PAW must be restricted to include no members.<VulnDiscussion>A main security architectural construct of a PAW is to restrict access to the PAW from only specific privileged accounts designated for managing the high-value IT resources the PAW has been designated to manage. If unauthorized standard user accounts or unauthorized high-value administrative accounts are able to access a specific PAW, high-value IT resources and critical DoD information could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows PAWDISADPMS TargetMicrosoft Windows PAW5405V-78159SV-92865CCI-000366Complete the following configuration procedures to restrict access to privileged accounts on the PAW (see the instructions for use of group policy to define membership, PAW Installation instructions in the Microsoft PAW paper).
Configure membership of all local privileged groups (except for the "Administrators (built-in)" group) so it is empty*. This procedure applies to the following local privileged groups:
- Backup Operators (built-in)
- Cryptographic Operators
- Hyper-V Administrators
- Network Configuration Operators
- Power Users
- Remote Desktop Users
- Replicator
Link the PAW group policy object (GPO) to the appropriate Tier devices Organizational Unit (OU).
*Allowed exception: If a Hyper-V environment is used, the Hyper-V Administrators group may include members.
Verify membership of the local privileged groups on the PAW (excluding Administrators) is empty:
On the Windows PAW, verify there are no members in the following local privileged groups (excluding Administrators)*:
- Backup Operators (built-in)
- Cryptographic Operators
- Hyper-V Administrators
- Network Configuration Operators
- Power Users
- Remote Desktop Users
- Replicator
If the membership of the following admin groups is not empty, this is a finding: Backup Operators (built-in), Cryptographic Operators, Hyper-V Administrators, Network Configuration Operators, Power Users, Remote Desktop Users, and Replicator.
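The following PowerShell is an added example and is not part of this STIG. It performs the membership checks for WPAW-00-002300 (local Administrators may contain only the built-in local administrator and the designated PAW management group) and WPAW-00-002400 (the other privileged groups must be empty, with the Hyper-V exception). The group name CONTOSO\PAW-Maintenance is an assumption; the built-in administrator is identified by its RID 500 SID so that renaming the account does not defeat the check.

```powershell
# Added example (not the STIG's own text). The PAW admin group name is an assumption for illustration.
$PawAdminGroup = 'CONTOSO\PAW-Maintenance'   # assumed name of the group designated to manage the PAW
$IsHyperVHost  = $false                      # set $true to apply the STIG's Hyper-V Administrators exception

# WPAW-00-002400 groups (the check list in the STIG); any of these may be absent on a given SKU.
$MustBeEmpty = 'Backup Operators', 'Cryptographic Operators', 'Hyper-V Administrators',
               'Network Configuration Operators', 'Power Users', 'Remote Desktop Users', 'Replicator'

function Get-PawLocalGroupFindings {
    $findings = @()

    # WPAW-00-002300: Administrators may contain only the built-in local admin (RID 500) and the PAW admin group.
    $builtinAdminSid = (Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-500' }).SID.Value
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $allowed = ($m.SID.Value -eq $builtinAdminSid) -or ($m.Name -eq $PawAdminGroup)
        if (-not $allowed) { $findings += "WPAW-00-002300: unexpected Administrators member $($m.Name) ($($m.ObjectClass))" }
    }

    # WPAW-00-002400: every other privileged group must have no members at all.
    foreach ($g in $MustBeEmpty) {
        if ($g -eq 'Hyper-V Administrators' -and $IsHyperVHost) { continue }   # documented exception
        $members = @(Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue)
        if ($members.Count -gt 0) { $findings += "WPAW-00-002400: $g has members: $($members.Name -join ', ')" }
    }
    return $findings
}

$findings = Get-PawLocalGroupFindings
if ($findings) { $findings | ForEach-Object { Write-Warning "Finding $_" } }
else           { Write-Output 'Local group membership: compliant' }
```

Membership is compared by SID for the built-in administrator and by DOMAIN\Name for the designated group; a nested domain group inside Administrators shows up as a single member with ObjectClass "Group", which is why the STIG allows a group rather than individual accounts there.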
*Allowed exception: If a Hyper-V environment is used, the Hyper-V Administrators group may include members.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WPAW-00-002500Restricted remote administration must be enabled for high-value systems.<VulnDiscussion>Restricted remote administration features, RestrictedAdmin mode, and Remote Credential Guard for Remote Desktop Protocol (RDP), are an additional safeguard against "pass the hash" attacks, where hackers attempt to gain higher administrative privileges from a single compromised machine. Restricted remote administration protects administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. When restricted remote administration is implemented, the local RDP service tries to log on to the remote device using a network logon, so the user's credentials are not sent across the network. Therefore, if the high-value IT resource is compromised, the credentials of the administrator connecting to the IT resource from the PAW are not compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows PAWDISADPMS TargetMicrosoft Windows PAW5405V-78161SV-92867CCI-000366Enable RestrictedAdmin mode or Remote Credential Guard on high-value systems.
On target systems (high-value assets), configure the following registry value:
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- Name: DisableRestrictedAdmin
- Type: REG_DWORD
- Value: 0
On PAW systems:
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Credentials Delegation >> "Restrict delegation of credentials to remote servers" to "Enabled".
Starting with v1607 of Windows 10, this setting also requires selection of an option for "Use the following restricted mode:" which includes the following:
Prefer Remote Credential Guard (v1703 - Restrict Credential Delegation)
Require Remote Credential Guard
Require Restricted Admin
In the Registry Editor of the remote target system (high-value assets), verify the following registry key has a value of "0":
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- Name: DisableRestrictedAdmin
- Type: REG_DWORD
- Value: 0
If restricted remote administration has not been enabled on the target system, this is a finding.
In the Registry Editor of the PAW system, verify the following registry key has a value of "1":
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation
Name: RestrictedRemoteAdministration
Type: REG_DWORD
Value: 1
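The following PowerShell is an added example and is not part of this STIG. It reads the registry values behind WPAW-00-001600 (smart card or Windows Hello for Business required at interactive logon), WPAW-00-001700 (FIPS algorithm policy) and WPAW-00-002500 (credential delegation restricted on the PAW, Restricted Admin enabled on the target), treating a missing value as a finding rather than a pass. The scforceoption value is the registry setting behind "Interactive logon: Require Windows Hello for Business or smart card". The decoding of RestrictedRemoteAdministrationType (1 Restricted Admin, 2 Remote Credential Guard, 3 Restrict Credential Delegation) follows the CredSsp ADMX as the author understands it and should be confirmed against the site's own ADMX.

```powershell
# Added example (not the STIG's own text). Run on the PAW; run the target-side check on each managed system.
# The RestrictedRemoteAdministrationType decoding is an assumption drawn from the CredSsp ADMX; confirm locally.
$PawExpected = @(
    @{ Id = 'WPAW-00-001600'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'scforceoption'; Value = 1 }
    @{ Id = 'WPAW-00-001700'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy';   Name = 'Enabled';       Value = 1 }
    @{ Id = 'WPAW-00-002500'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation';   Name = 'RestrictedRemoteAdministration'; Value = 1 }
)
# On the managed high-value system (target side of WPAW-00-002500): 0 enables Restricted Admin mode.
$TargetExpected = @{ Id = 'WPAW-00-002500'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'DisableRestrictedAdmin'; Value = 0 }

function Test-RegistryValue {
    param([hashtable]$Spec)
    $actual = (Get-ItemProperty -Path $Spec.Path -Name $Spec.Name -ErrorAction SilentlyContinue).($Spec.Name)
    [pscustomobject]@{
        Rule      = $Spec.Id
        Setting   = "$($Spec.Path)\$($Spec.Name)"
        Expected  = $Spec.Value
        Actual    = $actual
        # A missing value is a finding: Restricted Admin is off until DisableRestrictedAdmin is set to 0,
        # and an absent policy value means the GPO never reached the PAW.
        Compliant = ($null -ne $actual -and $actual -eq $Spec.Value)
    }
}

function Get-RestrictedModeName {
    # Which option is selected under "Use the following restricted mode:" (PAW side).
    $t = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' `
            -Name 'RestrictedRemoteAdministrationType' -ErrorAction SilentlyContinue).RestrictedRemoteAdministrationType
    if ($null -eq $t) { return 'not set (policy Enabled but no mode selected, or policy absent)' }
    switch ($t) {
        1 { 'Require Restricted Admin' }
        2 { 'Require Remote Credential Guard' }
        3 { 'Restrict Credential Delegation (prefer Remote Credential Guard)' }
        default { "unknown value $t" }
    }
}

$results = $PawExpected | ForEach-Object { Test-RegistryValue $_ }
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Compliant } | ForEach-Object { Write-Warning "Finding ($($_.Rule)): $($_.Setting) is '$($_.Actual)', expected $($_.Expected)" }
"Restricted mode on this PAW: $(Get-RestrictedModeName)"
# On a managed target the same helper verifies the server side:
#   Test-RegistryValue $TargetExpected
```

Both halves of WPAW-00-002500 matter: the PAW-side policy makes mstsc use a network logon, but the target only honours a Restricted Admin connection when DisableRestrictedAdmin is 0, so a compliant PAW against a non-compliant target still fails to connect or, worse, falls back to a full logon that leaves reusable credentials on the target.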
If restricted remote administration has not been enabled on the PAW and is not enforced by policy, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WPAW-00-002600If several PAWs are set up in virtual machines (VMs) on a host server, domain administrative accounts used to manage high-value IT resources must not have access to the VM host operating system (OS) (only domain administrative accounts designated to manage PAWs should be able to access the VM host OS).<VulnDiscussion>The VM host OS should be protected from high-value IT resource administrators accidentally or deliberately modifying the security settings of the host OS. Therefore, high-value IT resource administrators must not have the ability to perform maintenance functions on the VM host OS platform.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows PAWDISADPMS TargetMicrosoft Windows PAW5405V-78187SV-92893CCI-000366Configure the VM host OS so only domain administrative accounts designated to manage PAWs have administrative rights on the VM host OS.Verify at least one group has been set up in Active Directory (usually Tier 0) for administrators responsible for maintaining VM host OSs (usually the same as the PAW workstation administrator's group).
Verify no administrator account or administrator account group has been assigned to both the group of VM host OS administrators and any group for administrators of high-value IT resources.
If separate VM host OS administrator groups and administrators of high-value IT resources have not been set up, this is a finding.
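The following PowerShell is an added example and is not part of this STIG. It implements the separation check shared by WPAW-00-001500 and WPAW-00-002600: after expanding nested membership recursively, no account may appear both in a PAW maintenance or VM host administrator group and in any group that administers high-value IT resources. It requires the ActiveDirectory module from RSAT; the group names PAW-Maintenance, PAW-VMHost-Admins and Tier1-ServerAdmins are assumptions for illustration.

```powershell
# Added example (not the STIG's own text). Requires the ActiveDirectory module; group names are assumptions.
Import-Module ActiveDirectory
$PawMaintGroups     = @('PAW-Maintenance', 'PAW-VMHost-Admins')                     # WPAW-00-001500 / -002600 admin groups (assumed)
$HighValueAdmGroups = @('Domain Admins', 'Enterprise Admins', 'Tier1-ServerAdmins') # high-value IT resource admin groups (assumed)

function Get-EffectiveUsers {
    param([string[]]$Groups)
    # Recursive expansion so a nested group cannot hide an overlap; keyed by SID rather than name.
    $users = @{}
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $users[$_.SID.Value] = [pscustomobject]@{ Sam = $_.SamAccountName; Via = $g } }
    }
    return $users
}

function Get-PawAdminOverlap {
    $paw = Get-EffectiveUsers $PawMaintGroups
    $hv  = Get-EffectiveUsers $HighValueAdmGroups
    foreach ($sid in $paw.Keys) {
        if ($hv.ContainsKey($sid)) {
            [pscustomobject]@{ Account = $paw[$sid].Sam; PawGroup = $paw[$sid].Via; HighValueGroup = $hv[$sid].Via }
        }
    }
}

$overlap = @(Get-PawAdminOverlap)
if ($overlap.Count -gt 0) {
    $overlap | Format-Table -AutoSize
    Write-Warning "Finding (WPAW-00-001500/-002600): $($overlap.Count) account(s) hold both PAW maintenance and high-value admin roles"
} else {
    Write-Output 'PAW maintenance and high-value administrator roles are disjoint'
}
```

Expanding to users covers the STIG's group-level wording as well: if a high-value admin group were nested inside a PAW maintenance group, every one of its members would surface in the overlap. The check does not confirm that the PAW maintenance group itself is empty of other privileges on the PAW; that is what the local Administrators check covers.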