Detections
Analytics
WPAW-00-002400 - Local privileged groups (excluding Administrators) on the Windows PAW must be restricted to include no members - excluding Administrators on the Windows PAW must be restricted to include no members
Information
A main security architectural construct of a PAW is to restrict access to the PAW from only specific privileged accounts designated for managing the high-value IT resources the PAW has been designated to manage. If unauthorized standard user accounts or unauthorized high-value administrative accounts are able to access a specific PAW, high-value IT resources and critical DoD information could be compromised.Solution
Complete the following configuration procedures to restrict access to privileged accounts on the PAW (see the instructions for use of group policy to define membership, PAW Installation instructions in the Microsoft PAW paper).Configure membership of all local privileged groups (except for 'Administrators (built-in)' group) so it is empty*. This procedure applies to the following local privileged groups:
- Backup Operators (built-in)
- Hyper-V Administrators
- Network Configuration Operators
- Power Users
- Remote Desktop Users
- Replicator
Link the PAW group policy object (GPO) to the appropriate Tier devices Organizational Unit (OU).
*Allowed exception: If a Hyper-V environment is used, the Hyper-V Administrators group may include members.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_PAW_V3R2_STIG.zip
Item Details
Audit Name: DISA Microsoft Windows PAW STIG v3r2
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-243463r991589_rule, STIG-ID|WPAW-00-002400, STIG-Legacy|SV-92865, STIG-Legacy|V-78159, Vuln-ID|V-243463
Plugin: Windows
Control ID: fd703259c2f90657d5aed9cd7c9e3503ecae858b68e6c365c5cf9e7d178b6ccc