WPAW-00-001600 - The Windows PAW must be configured to enforce two-factor authentication and use Active Directory for authentication management.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Due to the highly privileged functions of a PAW, a high level of trust must be implemented for access to the PAW, including non-repudiation of the user session. One-factor authentication, including username and password and shared administrator accounts, does not provide adequate assurance.

Solution

In Active Directory, configure group policy to enable either smart card or another DoD-approved two-factor authentication method for all PAWs.

- Go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
- Set 'Interactive logon: Require Windows Hello for Business or smart card' to 'Enabled'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_PAW_V2R3_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000767, Rule-ID|SV-243457r819679_rule, STIG-ID|WPAW-00-001600, STIG-Legacy|SV-92881, STIG-Legacy|V-78175, Vuln-ID|V-243457

Plugin: Windows

Control ID: 06bd765eaaa1231b1d7cc14bd040e92857c6bdb0091b1c23fa80f241bab09696