STIGQter: STIG Summary: Windows PAW Security Technical Implementation Guide, Version: 1, Release: 3, Benchmark Date: 15 May 2020

Local privileged groups (excluding Administrators) on the Windows PAW must be restricted to include no members.

DISA Rule

SV-92865r1_rule

Vulnerability Number

V-78159

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

WPAW-00-002400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Complete the following configuration procedures to restrict access to privileged accounts on the PAW (see the instructions for use of group policy to define membership, PAW Installation instructions in the Microsoft PAW paper).

Configure membership of all local privileged groups (except for "Administrators (built-in)" group) so it is empty*. This procedure applies to the following local privileged groups:

- Backup Operators (built-in)
- Hyper-V Administrators
- Network Configuration Operators
- Power Users
- Remote Desktop Users
- Replicator

Link the PAW group policy object (GPO) to the appropriate Tier devices Organizational Unit (OU).

*Allowed exception: If a Hyper-V environment is used, the Hyper-V Administrators group may include members.

Check Contents

Verify that the membership of the local admin groups on the PAW is empty:

On the Windows PAW, verify there are no members in the following local privileged groups (excluding Administrators)*:

- Backup Operators (built-in)
- Cryptographic Operators
- Hyper-V Administrators
- Network Configuration Operators
- Power Users
- Remote Desktop Users
- Replicator

If the membership of the following admin groups is not empty, this is a finding: Backup Operators (built-in), Cryptographic Operators, Hyper-V Administrators, Network Configuration Operators, Power Users, Remote Desktop Users, and Replicator.

*Allowed exception: If a Hyper-V environment is used, the Hyper-V Administrators group may include members.
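
The check above can be scripted. The following PowerShell is an added example, not part of the STIG or the Microsoft PAW paper. It assumes the built-in `Microsoft.PowerShell.LocalAccounts` cmdlets (Windows PowerShell 5.1 or later) and introduces a hypothetical `-HyperVInUse` switch to represent the allowed exception.

```powershell
# Added example: audit WPAW-00-002400 (V-78159) on the local machine.
param(
    # Assumption: set this switch when the PAW hosts a Hyper-V environment,
    # which is the allowed exception for the Hyper-V Administrators group.
    [switch]$HyperVInUse
)

# Groups from the Check Contents list, keyed by well-known SID so the audit
# also works where the built-in group names are localized.
$groups = [ordered]@{
    'S-1-5-32-551' = 'Backup Operators'
    'S-1-5-32-569' = 'Cryptographic Operators'
    'S-1-5-32-578' = 'Hyper-V Administrators'
    'S-1-5-32-556' = 'Network Configuration Operators'
    'S-1-5-32-547' = 'Power Users'
    'S-1-5-32-555' = 'Remote Desktop Users'
    'S-1-5-32-552' = 'Replicator'
}

$results = foreach ($sid in $groups.Keys) {
    $row = [ordered]@{ Group = $groups[$sid]; Status = ''; Members = '' }

    if (-not (Get-LocalGroup -SID $sid -ErrorAction SilentlyContinue)) {
        $row.Status = 'NotPresent'   # group does not exist on this system
    }
    else {
        try {
            $members = @(Get-LocalGroupMember -SID $sid -ErrorAction Stop)
            $row.Members = $members.Name -join '; '
            if ($members.Count -eq 0) { $row.Status = 'Compliant' }
            elseif ($sid -eq 'S-1-5-32-578' -and $HyperVInUse) { $row.Status = 'AllowedException' }
            else { $row.Status = 'Finding' }
        }
        catch {
            # Enumeration can fail (for example on members that no longer
            # resolve); report as unverified rather than as empty.
            $row.Status  = 'ManualReview'
            $row.Members = $_.Exception.Message
        }
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled compliance job flag the host.
if ($results.Status -contains 'Finding' -or $results.Status -contains 'ManualReview') { exit 1 }
```

A `ManualReview` row means the group could not be enumerated and should be inspected by hand before the rule is marked as not a finding.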

Documentable

False

Severity Override Guidance

Verify that the membership of the local admin groups on the PAW is empty:

On the Windows PAW, verify there are no members in the following local privileged groups (excluding Administrators)*:

- Backup Operators (built-in)
- Cryptographic Operators
- Hyper-V Administrators
- Network Configuration Operators
- Power Users
- Remote Desktop Users
- Replicator

If the membership of the following admin groups is not empty, this is a finding: Backup Operators (built-in), Cryptographic Operators, Hyper-V Administrators, Network Configuration Operators, Power Users, Remote Desktop Users, and Replicator.

*Allowed exception: If a Hyper-V environment is used, the Hyper-V Administrators group may include members.

Check Content Reference

M

Target Key

3283

Comments