UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Windows PAW must be configured to enforce two-factor authentication and use Active Directory for authentication management.


Overview

Finding ID Version Rule ID IA Controls Severity
V-243457 WPAW-00-001600 SV-243457r722942_rule Medium
Description
Due to the highly privileged functions of a PAW, a high level of trust must be implemented for access to the PAW, including non-repudiation of the user session. One-factor authentication, including username and password and shared administrator accounts, does not provide adequate assurance.
STIG Date
Windows PAW Security Technical Implementation Guide 2021-10-06

Details

Check Text ( C-46732r722940_chk )
Review the configuration on the PAW.

Verify group policy is configured to enable either smart card or another DoD-approved two-factor authentication method for site PAWs.

- In Active Directory, go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
- Verify "Interactive logon: Require smart card" is set to "Enabled".

If group policy is not configured to enable either smart card or another DoD-approved two-factor authentication method, this is a finding.
Fix Text (F-46689r722941_fix)
In Active Directory, configure group policy to enable either smart card or another DoD-approved two-factor authentication method for all PAWs.

- Go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
- Set "Interactive logon: Require smart card" to "Enabled".