STIGQter: STIG Summary: Windows PAW Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 15 May 2020:

Restricted remote administration must be enabled for high-value systems.

DISA Rule

SV-92867r1_rule

Vulnerability Number

V-78161

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

WPAW-00-002500

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Enable RestrictedAdmin mode or Remote Credential Guard on high-value systems.

On target systems (high-value assets), configure the following registry value:

- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- Name: DisableRestrictedAdmin
- Type: REG_DWORD
- Value: 0

On PAW systems:

Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Credentials Delegation "Restrict delegation of credentials to remote servers" to "Enabled".

Starting with v1607 of Windows 10, this setting also requires selecting an option for "Use the following restricted mode:", which offers the following choices:

- Prefer Remote Credential Guard (v1703 - Restrict Credential Delegation)
- Require Remote Credential Guard
- Require Restricted Admin

Check Contents

In the Registry Editor of the remote target system (high-value assets), verify the following registry key has a value of "0":

- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- Name: DisableRestrictedAdmin
- Type: REG_DWORD
- Value: 0

If restricted remote administration has not been enabled on the target system, this is a finding.

In the Registry Editor of the PAW system, verify the following registry key has a value of "1":

- HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation
- Name: RestrictedRemoteAdministration
- Type: REG_DWORD
- Value: 1

If restricted remote administration has not been enabled on the PAW and is not enforced by policy, this is a finding.
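The two registry checks above, as an added PowerShell example that is not part of the STIG text or of STIGQter: run it with -Role Target on a high-value system and -Role PAW on the PAW. The function name and the output fields are my own; the paths, value names, types and expected values are those listed in the Check Contents.

```powershell
# Added example: evaluate WPAW-00-002500 on the local host for one of the two roles.
function Test-WPAW002500 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Target', 'PAW')]
        [string]$Role
    )

    # Expected settings per role, taken from the Check Contents of this rule.
    $checks = @{
        Target = @{ Path = 'HKLM:\System\CurrentControlSet\Control\Lsa'
                    Name = 'DisableRestrictedAdmin'; Expected = 0 }
        PAW    = @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation'
                    Name = 'RestrictedRemoteAdministration'; Expected = 1 }
    }
    $c = $checks[$Role]

    # A missing key or value means the setting is not enabled, which is a finding,
    # so the absence is handled explicitly instead of raising an error.
    $key  = Get-Item -Path $c.Path -ErrorAction SilentlyContinue
    $kind = $null
    $actual = $null
    if ($key -and ($key.GetValueNames() -contains $c.Name)) {
        $kind   = $key.GetValueKind($c.Name)   # must be DWord (REG_DWORD)
        $actual = $key.GetValue($c.Name)
    }

    # Both the type and the value must match; a REG_SZ "0" or "1" is not compliant.
    $compliant = ($kind -eq 'DWord') -and ($actual -eq $c.Expected)

    [pscustomobject]@{
        Rule     = 'WPAW-00-002500'
        Role     = $Role
        Path     = $c.Path
        Name     = $c.Name
        Type     = $kind
        Expected = $c.Expected
        Actual   = $actual
        Status   = if ($compliant) { 'NotAFinding' } else { 'Open' }
    }
}

# Example invocation on a high-value target; use -Role PAW on the PAW itself.
Test-WPAW002500 -Role Target
```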

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3283

Comments