WPAW-00-001600 - The Windows PAW must be configured to enforce two-factor authentication and use Active Directory for authentication management.

Information

Due to the highly privileged functions of a PAW, a high level of trust must be implemented for access to the PAW, including non-repudiation of the user session. Single-factor authentication, such as a username and password, and shared administrator accounts do not provide adequate assurance.

Solution

In Active Directory, configure group policy to enable either smart card or another DoD-approved two-factor authentication method for all PAWs.

- Go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
- Set 'Interactive logon: Require Windows Hello for Business or smart card' to 'Enabled'.
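An added compliance check for this item (not part of the STIG or the Tenable audit): it reads the registry value that backs the policy setting above and confirms the PAW is domain-joined, so authentication is managed by Active Directory. The registry path and value name (ScForceOption) are not named on the page and are assumed from how the policy is stored.

```powershell
# Added example: local compliance check for WPAW-00-001600.
# Assumption: 'Interactive logon: Require Windows Hello for Business or smart card'
# is stored as ScForceOption (REG_DWORD, 1 = Enabled) under the Policies\System key.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'ScForceOption'

function Test-PawTwoFactorLogon {
    [CmdletBinding()]
    param()

    # Requirement 1: two-factor (smart card / Windows Hello for Business) logon enforced.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent means the policy is "Not Defined": password-only logon is still allowed.
        $scValue   = $null
        $scEnabled = $false
    } else {
        $scValue   = [int]$item.$ValueName
        $scEnabled = ($scValue -eq 1)
    }

    # Requirement 2: authentication is managed by Active Directory (machine is domain-joined).
    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem
    $inDomain = [bool]$cs.PartOfDomain

    $findings = @()
    if (-not $scEnabled) { $findings += 'Two-factor logon not enforced (ScForceOption != 1)' }
    if (-not $inDomain)  { $findings += 'Computer is not joined to an Active Directory domain' }

    [pscustomobject]@{
        StigId         = 'WPAW-00-001600'
        ScForceOption  = $scValue
        DomainJoined   = $inDomain
        Domain         = $cs.Domain
        Compliant      = ($scEnabled -and $inDomain)
        Findings       = if ($findings.Count -eq 0) { 'None' } else { $findings -join '; ' }
    }
}

Test-PawTwoFactorLogon | Format-List
```

Run it in an elevated PowerShell session on the PAW after the group policy has been applied; a Compliant value of False with the listed finding identifies which of the two requirements is still open.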

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_PAW_V2R2_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(3), CAT|II, CCI|CCI-000767, Rule-ID|SV-243457r819679_rule, STIG-ID|WPAW-00-001600, STIG-Legacy|SV-92881, STIG-Legacy|V-78175, Vuln-ID|V-243457

Plugin: Windows

Control ID: f3f374fd6a0f9be6fa40d02e5141bc5daa7317d9686c7c8b86128419e9604321