Skip to content

III - Administrative Public

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • Administrators of high-value IT resources must complete required training.

    &lt;VulnDiscussion&gt;Required training helps to mitigate the risk of administrators not following required procedures. High-value IT resources are...
    Rule Low Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • Site IT resources designated as high value by the Authorizing Official (AO) must be remotely managed only via a Windows privileged access workstation (PAW).

    &lt;VulnDiscussion&gt;The AO must designate which IT resources are high value. The list must include the following IT resources: - Directory servi...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • Administrative accounts of all high-value IT resources must be assigned to a specific administrative tier in Active Directory to separate highly privileged administrative accounts from less privileged administrative accounts.

    &lt;VulnDiscussion&gt;Note: The Microsoft Tier 0-2 AD administrative tier model (https://docs.microsoft.com/en-us/windows-server/identity/securing-...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • A Windows PAW must only be used to manage high-value IT resources assigned to the same tier.

    &lt;VulnDiscussion&gt;Note: Allowed exception - For sites that are constrained in the number of available workstations, an acceptable approach is t...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • All high-value IT resources must be assigned to a specific administrative tier to separate highly sensitive resources from less sensitive resources.

    &lt;VulnDiscussion&gt;Note: The Microsoft Tier 0-2 AD administrative tier model (https://docs.microsoft.com/en-us/windows-server/identity/securing-...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Windows PAW must be configured with a vendor-supported version of Windows 11 and applicable security patches that are DOD approved.

    &lt;VulnDiscussion&gt;Older versions of operating systems usually contain vulnerabilities that have been fixed in later released versions. In addit...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • A Windows update service must be available to provide software updates for the PAW platform.

    &lt;VulnDiscussion&gt;Older versions of operating systems usually contain vulnerabilities that have been fixed in later versions. In addition, most...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Windows PAW must be configured so that all non-administrative-related applications and functions are blocked or removed from the PAW platform, including but not limited to email, Internet browsing, and line-of-business applications.

    &lt;VulnDiscussion&gt;Note: The intent of this requirement is that a PAW must not be used for any function not related to the management of high-va...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard Code Integrity Policy).

    &lt;VulnDiscussion&gt;A main security architectural construct of a PAW is to restrict non-administrative applications and functions from the PAW wo...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard User Mode Code Integrity).

    &lt;VulnDiscussion&gt;A main security architectural construct of a PAW is to restrict non-administrative applications and functions from the PAW wo...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules