STIGQter: STIG Summary: Windows PAW Security Technical Implementation Guide, Version: 1, Release: 3, Benchmark Date: 15 May 2020

All high-value IT resources must be assigned to a specific administrative tier to separate highly sensitive resources from less sensitive resources.

DISA Rule

SV-92855r1_rule

Vulnerability Number

V-78149

Group Title

PAW-00-000600

Rule Version

WPAW-00-000600

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Set up an administrative tier model for the domain (for example, the Microsoft-recommended Tier 0-2 AD administrative tier model). (Details of the Tier model are found at https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM.)

Using the list of site-designated high-value IT resources (see check WPAW-00-000200), indicate on the list the administrative Tier level each resource is assigned to. (Note: The updated list will be used in check WPAW-00-000400.)

In Active Directory, assign all high-value IT resources to the appropriate Organizational Units (for example):

- Admin\Tier 0\Devices
- Admin\Tier 1\Devices
- Admin\Tier 2\Devices

Check Contents

Verify the site has assigned each high-value IT resource to an administrative tier level by reviewing the site's list of high-value IT resources.

In Active Directory verify each high-value IT resource has been assigned to the Organizational Unit (OU) corresponding to the administrative tier the resource is assigned to.

If the site has not assigned an administrative tier level to each high-value IT resource or any high-value IT resource is not assigned to the appropriate OU in Active Directory, this is a finding.
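The check above can be scripted by comparing the site's list against each computer object's parent OU. The following is an added example, not part of the STIG or any DISA tooling; the CSV columns (`Name`, `Tier`), the `DC=example,DC=test` domain, the host names and the `Test-TierPlacement` function are constructed for illustration, and the OU layout follows the example in the Fix Recommendation with tiers 0 to 2.

```powershell
# Added example: flags high-value resources with no tier or in the wrong OU.
# All data below is constructed. In a live domain the name-to-DN map would be
# built from Get-ADComputer output (Name, DistinguishedName).
function Test-TierPlacement {
    param(
        [Parameter(Mandatory)][object[]]$Inventory,  # rows with Name, Tier
        [Parameter(Mandatory)][hashtable]$DnByName,  # computer name -> DN
        [Parameter(Mandatory)][string]$DomainDn
    )
    foreach ($item in $Inventory) {
        $finding = $null
        $tier = 0
        if ([string]::IsNullOrWhiteSpace($item.Tier)) {
            $finding = 'No tier assigned in site list'
        } elseif ((-not [int]::TryParse($item.Tier, [ref]$tier)) -or ($tier -lt 0) -or ($tier -gt 2)) {
            $finding = "Tier value '$($item.Tier)' is not 0, 1 or 2"
        } elseif (-not $DnByName.ContainsKey($item.Name)) {
            $finding = 'No computer object found in directory data'
        } else {
            $dn = $DnByName[$item.Name]
            # Parent container = DN without its leading "CN=<name>," component
            $parent = $dn.Substring($dn.IndexOf(',') + 1)
            # Assumed layout from the Fix text: Admin\Tier N\Devices
            $expected = "OU=Devices,OU=Tier $tier,OU=Admin,$DomainDn"
            if ($parent -ne $expected) {   # -ne is case-insensitive, as DNs are
                $finding = "Found in '$parent', expected '$expected'"
            }
        }
        [pscustomobject]@{ Name = $item.Name; Tier = $item.Tier; Finding = $finding }
    }
}

# Constructed site list of high-value IT resources (FILE02 has no tier yet)
$inventory = @'
Name,Tier
CA01,0
SQL01,1
HR-WS07,2
FILE02,
'@ | ConvertFrom-Csv

# Constructed directory data (SQL01 sits in the Tier 2 OU by mistake)
$dnByName = @{
    'CA01'    = 'CN=CA01,OU=Devices,OU=Tier 0,OU=Admin,DC=example,DC=test'
    'SQL01'   = 'CN=SQL01,OU=Devices,OU=Tier 2,OU=Admin,DC=example,DC=test'
    'HR-WS07' = 'CN=HR-WS07,OU=Devices,OU=Tier 2,OU=Admin,DC=example,DC=test'
}

# Rows with a non-empty Finding correspond to "this is a finding" in the check
Test-TierPlacement -Inventory $inventory -DnByName $dnByName -DomainDn 'DC=example,DC=test' |
    Where-Object Finding | Format-List
```

With the constructed data, SQL01 (wrong OU) and FILE02 (no tier) are reported; CA01 and HR-WS07 pass.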

Documentable

False

Severity Override Guidance

Verify the site has assigned each high-value IT resource to an administrative tier level by reviewing the site's list of high-value IT resources.

In Active Directory verify each high-value IT resource has been assigned to the Organizational Unit (OU) corresponding to the administrative tier the resource is assigned to.

If the site has not assigned an administrative tier level to each high-value IT resource or any high-value IT resource is not assigned to the appropriate OU in Active Directory, this is a finding.

Check Content Reference

M

Target Key

3283
