Detections
Analytics
WPAW-00-000200 - Site IT resources designated as high value by the Authorizing Official (AO) must be remotely managed only via a Windows privileged access workstation (PAW) - AO must be remotely managed only via PAW
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
The AO must designate which IT resources are high value. The list must include the following IT resources:- Directory service (including Active Directory)
- Cloud service
- Identity management service
- Privileged access management service
- Credential management service
- Security management service (anti-virus, network monitoring/scanning, IDS/IPS, etc.)
- Any sensitive business/mission service
- Any other IT resource designated as high value by the AO
Note: A high-value IT resource is defined as any IT resource whose purpose is considered critical to the organization or whose loss or compromise would cause a significant impact on the organization.
Note: Sensitive business/mission service is any business or mission service that needs additional protection from higher-risk IT services based on the nature of the function it provides; sensitivity of the data it consumes, processes, or stores; or criticality to the operation of the organization.
High-value IT resources are the most important and critical IT resources within an organization. They contain the most sensitive data in an organization, perform the most critical tasks of an organization, or have access to and can control all or nearly all IT resources within an organization. Administrator accounts for high-value IT resources must be protected against various threats and attacks because threats to sensitive privileged accounts are high and risk of compromise is increasing. Requiring a PAW used exclusively for remote administrative management of designated high-value IT resources, including servers, workstations, directory services, applications, databases, and network components, will provide a separate 'channel' for the performance of administrative tasks on high-value IT resources and isolate these functions from the majority of threats and attack vectors found on higher-risk standard client systems.
Some IT resources, by the nature of the function they perform, should always be considered high value and should be remotely administered only via a PAW. The IT resources listed above are in this category.
Note: The term 'manage' in the Requirement statement includes any remote connection to a high-value IT resource (for example, to view resource status and current configuration or to make changes to any resource configuration).
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
The Information System Security Manager (ISSM) or other site personnel will assist the Authorizing Official (AO) in designating and documenting which IT resources in the organization are high value. The organization's list of high-value IT resources will include the following:- Active Directory
- Cloud service
- Identity management service
- Privileged access management service
- Credential management service
- Security management service (anti-virus, network monitoring/scanning, IDS/IPS, etc.)
- Any sensitive business service
- Any other IT resource designated as high value by the AO
Set up procedures to ensure a Windows PAW is used to remotely manage each of these types of IT resources.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_PAW_V2R3_STIG.zip
Item Details
References: CAT|II, CCI|CCI-000366, Rule-ID|SV-243443r722900_rule, STIG-ID|WPAW-00-000200, STIG-Legacy|SV-92849, STIG-Legacy|V-78143, Vuln-ID|V-243443
Plugin: Windows
Control ID: c494d0442f261bd31d10d5df50b5b4a2b8c9182dfb90465c6a89894a2cd71731