WPAW-00-001600 - The Windows PAW must be configured to enforce two-factor authentication and use Active Directory for authentication management.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Due to the highly privileged functions of a PAW, a high level of trust must be implemented for access to the PAW, including nonrepudiation of the user session. One-factor authentication, including username and password and shared administrator accounts, does not provide adequate assurance.

Solution

In Active Directory, configure group policy to enable either smart card or another DOD-approved two-factor authentication method for all PAWs.

- Go to Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.
- Set 'Interactive logon: Require Windows Hello for Business or smart card' to 'Enabled'.
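The following PowerShell is an added example (not part of the STIG text) that checks the effective state of this rule on a PAW: whether the host is domain-joined and whether the 'Interactive logon: Require Windows Hello for Business or smart card' policy is enforced. It assumes the documented registry mapping for that setting (value ScForceOption = 1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System); the rule ID and the setting names come from this page.

```powershell
# Added audit helper for WPAW-00-001600. Assumed registry mapping for the
# 'Interactive logon: Require Windows Hello for Business or smart card' policy:
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption = 1
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'ScForceOption'

function Test-PawSmartCardRequired {
    # True only when the effective policy value is present and set to 1.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }          # value absent: policy not configured
    return ([int]$item.$ValueName -eq 1)
}

function Test-PawDomainJoined {
    # The rule also requires Active Directory to manage authentication,
    # so a workgroup PAW is a finding regardless of the logon policy.
    return [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
}

function Get-PawTwoFactorFinding {
    # Build a STIG-style finding object suitable for reporting or CSV export.
    $scRequired = Test-PawSmartCardRequired
    $domain     = Test-PawDomainJoined
    [pscustomobject]@{
        RuleId            = 'WPAW-00-001600'
        Computer          = $env:COMPUTERNAME
        DomainJoined      = $domain
        SmartCardRequired = $scRequired
        Status            = if ($scRequired -and $domain) { 'NotAFinding' } else { 'Open' }
    }
}

function Set-PawSmartCardRequired {
    # Local remediation for a lab/test host only. On domain PAWs apply the
    # setting through the GPO path in the Solution section so it is enforced
    # centrally and cannot be reverted by a local administrator.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

Get-PawTwoFactorFinding | Format-List
```

Run it in an elevated session on the PAW after a `gpupdate /force` so the check reflects the GPO-delivered value rather than a stale local one.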

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_PAW_V3R1_STIG.zip