STIGQter: STIG Summary: Windows PAW Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 15 May 2020

Administrative accounts of all high-value IT resources must be assigned to a specific administrative tier in Active Directory to separate highly privileged administrative accounts from less privileged administrative accounts.

DISA Rule

SV-92851r1_rule

Vulnerability Number

V-78145

Group Title

PAW-00-000400

Rule Version

WPAW-00-000400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Set up an administrative tier model for the domain (for example, the Microsoft recommended Tier 0-2 AD administrative tier model).

Note: Details of the Tier model are found at https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM.

Set up an Admin Organizational Unit (OU) Framework to host site PAWs. (Recommend the Microsoft PAW scripts be used to set up the PAW OU and group framework. They can be downloaded at http://aka.ms/PAWmedia.)

For example:

- Admin\Tier 0\Accounts
- Admin\Tier 1\Accounts
- Admin\Tier 2\Accounts
- Admin\Tier 0\Groups
- Admin\Tier 1\Groups
- Admin\Tier 2\Groups
- Admin\Tier 0\Devices
- Admin\Tier 1\Devices
- Admin\Tier 2\Devices

Note: If using the Microsoft scripts, after running the scripts, PAW Users Tier 0, PAW Users Tier 1, and PAW Users Tier 2 groups may need to be created under Admin\Tier 0\Groups, Admin\Tier 1\Groups, and Admin\Tier 2\Groups, respectively.

Set up administrative accounts for each assigned administrator for high-value IT resources.

Based on the list of high-value IT resources with assigned administrative tier level, move Tier 0-2 administrative accounts to the appropriate Organizational Units and add the appropriate members to the relevant groups. Make sure each account and group has been assigned to one and only one tier.

(Reference-defined groups in the Active Directory Domain STIG)

Check Contents

In Active Directory, verify an Organizational Unit (OU) and Group hierarchy have been set up to segregate administrative accounts used to manage both high-value IT resources and PAWs into assigned tiers.

Verify each administrative account and each PAW has been assigned to one and only one tier.

If the site has not set up a tier structure on Active Directory for administrative accounts used to manage either high-value IT resources or PAWs, this is a finding.

If any administrative account used to manage either high-value IT resources or PAWs is assigned to more than one tier, this is a finding.

If each administrative account and each PAW has not been assigned to one and only one tier, this is a finding.
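The following audit script is an added example, not part of the STIG or of the Microsoft PAW scripts. It evaluates the finding conditions above against the Admin\Tier N\Accounts OU layout and the PAW Users Tier N groups named in the fix text, and additionally flags members of the built-in Domain Admins group that sit in no tier at all; it assumes the RSAT ActiveDirectory module and discovers the domain DN at run time.

```powershell
# Audit for WPAW-00-000400: every administrative account in exactly one tier.
# Assumptions: OU layout Admin\Tier N\Accounts and groups "PAW Users Tier N"
# (both from the fix text); RSAT ActiveDirectory module present.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$tiers    = 0, 1, 2
# account SamAccountName -> list of tiers in which the account was observed
$assignments = @{}

foreach ($t in $tiers) {
    $ouDN    = "OU=Accounts,OU=Tier $t,OU=Admin,$domainDN"
    $groups  = @("PAW Users Tier $t")   # add further tier-specific admin groups here
    $members = New-Object System.Collections.Generic.HashSet[string]

    # Accounts placed in the tier's Accounts OU (including sub-OUs)
    Get-ADUser -SearchBase $ouDN -SearchScope Subtree -Filter * -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$members.Add($_.SamAccountName) }

    # Accounts that are direct or nested members of the tier's groups
    foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { [void]$members.Add($_.SamAccountName) }
    }

    foreach ($m in $members) {
        if (-not $assignments.ContainsKey($m)) { $assignments[$m] = @() }
        $assignments[$m] += $t
    }
}

# Finding: an account assigned to more than one tier
$multiTier = $assignments.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($multiTier) {
    Write-Output "FINDING: accounts assigned to more than one tier:"
    $multiTier | ForEach-Object { "  {0}: tiers {1}" -f $_.Key, ($_.Value -join ',') }
}

# Finding: a highly privileged account (here: Domain Admins member) in no tier
$untiered = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and -not $assignments.ContainsKey($_.SamAccountName) }
if ($untiered) {
    Write-Output "FINDING: Domain Admins members not assigned to any tier:"
    $untiered | ForEach-Object { "  $($_.SamAccountName)" }
}

if (-not $multiTier -and -not $untiered) { Write-Output "No tier-assignment findings." }
```

Extend the `$groups` list with every tier-specific administrative group the site defines, since the check applies to all administrative accounts for high-value IT resources and PAWs, not only the PAW Users groups.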

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3283

Comments