SV-92863r2_rule
V-78157
SRG-OS-000480-GPOS-00227
WPAW-00-001050
CAT II
10
Implement a whitelist of authorized PAW applications using Device Guard. See the Device Guard Deployment Guide (https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide) for deployment information and hardware requirements and the IAD Device Guard document "Implementing a Secure Administrative Workstation using Device Guard" at https://github.com/iadgov/Secure-Host-Baseline/tree/master/Device%20Guard.
Note: This requirement is Not Applicable (NA) if the HBSS ePO managed system is used on the PAW and application whitelisting is enforced.
Verify Device Guard is enforcing a code integrity policy to restrict authorized applications.
Run "PowerShell" with elevated privileges (run as administrator).
Enter the following:
"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | FL *codeintegrity*"
If "CodeIntegrityPolicyEnforcementStatus" does not have a value of "2" indicating "Enforced", this is a finding.
(For reference: 0 - Not Configured; 1 - Audit; 2 - Enforced)
Alternately:
- Run "System Information".
- Under "System Summary", verify the following:
If "Device Guard Code Integrity Policy" does not display "Enforced", this is a finding.
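The PowerShell check above can be scripted so the result is recorded the same way on every PAW. The following is an added example, not part of the STIG text; the function name Test-PawCodeIntegrity and the Result labels are assumptions of this example, and it must be run from an elevated session.

```powershell
# Added example: evaluates the WPAW-00-001050 check on the local machine.
# Test-PawCodeIntegrity and the Result labels are hypothetical names chosen here.
function Test-PawCodeIntegrity {
    [CmdletBinding()]
    param()

    # Status values as listed in the check text.
    $statusNames = @{ 0 = 'Not Configured'; 1 = 'Audit'; 2 = 'Enforced' }

    try {
        $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                  -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction Stop
    }
    catch {
        # The class could not be queried, so enforcement is unverified.
        # Assumption of this example: report it for manual review rather than pass it.
        return [pscustomobject]@{
            RuleId  = 'WPAW-00-001050'
            Status  = $null
            Meaning = "Query failed: $($_.Exception.Message)"
            Result  = 'NotReviewed'
        }
    }

    $status = $dg.CodeIntegrityPolicyEnforcementStatus

    # Guard against a missing property: casting $null to [int] would yield 0.
    if ($null -ne $status -and $statusNames.ContainsKey([int]$status)) {
        $meaning = $statusNames[[int]$status]
    }
    else {
        $meaning = 'Unknown'
    }

    # Only a value of 2 (Enforced) satisfies the check; Audit (1) is still a finding.
    $result = if ($null -ne $status -and [int]$status -eq 2) { 'NotAFinding' } else { 'Open' }

    [pscustomobject]@{
        RuleId  = 'WPAW-00-001050'
        Status  = $status
        Meaning = $meaning
        Result  = $result
    }
}

Test-PawCodeIntegrity | Format-List
```

The script cannot tell whether the NA condition in the note applies (HBSS ePO managed system with application whitelisting enforced); the reviewer still decides that.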
M
3283