Detections
Analytics
WPAW-00-001700 - The Windows PAW must use a trusted channel for all connections between a PAW and IT resources managed from the PAW.
Information
Note: The Common Criteria Security Functional Requirement (SFR) FTP_ITC.1.1(1) defines 'trusted channel' as 'a channel that uses IPsec, SSH, TLS, or TLS/HTTPS to provide a trusted communications channel between itself and authorized IT entity that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure.' The trusted channel uses IPsec, TLS, DTLS, or HTTPS as the protocol that preserves the confidentiality and integrity of PAW communications.The confidentiality and integrity of the communications between the PAW and high-value IT resources being managed from the PAW must be protected due to the highly sensitive nature of the administrative functions being performed. A trusted channel provides the requisite assured identification of its end points and protection of the channel data from modification or disclosure.
Solution
Configure the PAWs to use IPsec, SSH, TLS, or TLS/HTTPS for all connections between the PAW and managed IT resources on the intranet.Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' to 'Enabled'.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_PAW_V3R2_STIG.zip
Item Details
Audit Name: DISA Microsoft Windows PAW STIG v3r2
Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|CM-6b., 800-53|SC-11, 800-53|SC-11(1), CAT|I, CCI|CCI-000366, CCI|CCI-001135, CCI|CCI-002426, Rule-ID|SV-243458r991589_rule, STIG-ID|WPAW-00-001700, STIG-Legacy|SV-92883, STIG-Legacy|V-78177, Vuln-ID|V-243458
Plugin: Windows
Control ID: 9a4dd5038ec2444660ac87e3e3408963f855bd59c90a1a33880e7c6048c40797