Skip to content

Microsoft Windows PAW Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • Windows PAWs must be restricted to only allow groups used to manage high-value IT resources and members of the local Administrators group to log on locally.

    &lt;VulnDiscussion&gt;A main security architectural construct of a PAW is to limit users of the PAW to only administrators of high-value IT resourc...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The domain must be configured to restrict privileged administrator accounts from logging on to lower-tier hosts.

    &lt;VulnDiscussion&gt;If the domain is not configured to restrict privileged administrator accounts from logging on to lower-tier hosts, it would b...
    Rule Medium Severity
  • SRG-OS-000132-GPOS-00067

    <GroupDescription></GroupDescription>
    Group
  • A Windows PAW used to manage domain controllers and directory services must not be used to manage any other type of high-value IT resource.

    &lt;VulnDiscussion&gt;Domain controllers (DC) are usually the most sensitive, high-value IT resources in a domain. Dedicating a PAW to be used sole...
    Rule High Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • PAWs used to manage Active Directory must only allow groups specifically designated to manage Active Directory, such as Enterprise and Domain Admins and members of the local Administrators group, to log on locally.

    &lt;VulnDiscussion&gt;PAW platforms are used for highly privileged activities. The accounts that have administrative privileges on domain-level PAW...
    Rule Medium Severity
  • SRG-OS-000132-GPOS-00067

    <GroupDescription></GroupDescription>
    Group
  • In a Windows PAW, administrator accounts used for maintaining the PAW must be separate from administrative accounts used to manage high-value IT resources.

    &lt;VulnDiscussion&gt;Note: PAW accounts used to manage high-value IT resources have privileged rights on managed systems but no administrative or ...
    Rule Medium Severity
  • SRG-OS-000107-GPOS-00054

    <GroupDescription></GroupDescription>
    Group
  • The Windows PAW must be configured to enforce two-factor authentication and use Active Directory for authentication management.

    &lt;VulnDiscussion&gt;Due to the highly privileged functions of a PAW, a high level of trust must be implemented for access to the PAW, including n...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Windows PAW must use a trusted channel for all connections between a PAW and IT resources managed from the PAW.

    &lt;VulnDiscussion&gt;Note: The Common Criteria Security Functional Requirement (SFR) FTP_ITC.1.1(1) defines "trusted channel" as "a channel that u...
    Rule High Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • If several Windows PAWs are set up in virtual machines (VMs) on a host server, the host server must only contain PAW VMs.

    &lt;VulnDiscussion&gt;A main security architectural construct of a PAW is to remove non-administrative functions from the PAW. Many standard user f...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Windows PAW must be configured so that all inbound ports and services to a PAW are blocked except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request.

    &lt;VulnDiscussion&gt;A main security architectural construct of a PAW is that the workstation is isolated from most Internet threats, including ph...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Windows PAW must be configured so that all outbound connections to the Internet from a PAW are blocked.

    &lt;VulnDiscussion&gt;Note: Internal domain connections from a PAW to communicate with IT resources being managed via the PAW with domain controlle...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules