STIGQter: STIG Summary: Windows PAW Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 15 May 2020:

The Windows PAW must be configured so that all inbound ports and services to a PAW are blocked except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request.

DISA Rule

SV-92887r1_rule

Vulnerability Number

V-78181

Group Title

PAW-00-002100

Rule Version

WPAW-00-002100

Severity

CAT II

CCI(s)

• CCI-002403 - The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Weight

10

Fix Recommendation

Determine which inbound ports, services, addresses, or subnets are needed on the PAW for the organization's monitoring, scanning, and management tools.

Configure the host-based firewall on the PAW to block all inbound connection requests except for organizational monitoring, scanning, and management tools or for inbound connections that are responses to outbound connection requests.

Configure the host-based firewall on the PAW to block users with local administrative access from creating or modifying local firewall rules.

Note: The exact configuration procedure will depend on which host-based firewall (for example, Host-Based Security System [HBSS]) is used on the PAW. DoD sites should refer to DoD policies and firewall STIGs to determine acceptable firewalls products.

Check Contents

Obtain a list of all ports and services required for site monitoring, scanning, and management tools.

Review the configuration setting of the PAW host-based firewall.

Verify the firewall is configured to block all inbound ports and services from a PAW except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request.

Note: The exact procedure for verifying the configuration will depend on which host-based firewall (for example, Host-Based Security System, or HBSS) is used on the PAW. DoD sites should refer to DoD policies and firewall STIGs to determine acceptable firewalls products.

If the PAW host-based firewall is not configured to block all inbound ports and services from a PAW except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request, this is a finding.

Vulnerability Number

V-78181

Documentable

False

Rule Version

WPAW-00-002100

Severity Override Guidance

Obtain a list of all ports and services required for site monitoring, scanning, and management tools.

Review the configuration setting of the PAW host-based firewall.

Verify the firewall is configured to block all inbound ports and services from a PAW except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request.

Note: The exact procedure for verifying the configuration will depend on which host-based firewall (for example, Host-Based Security System, or HBSS) is used on the PAW. DoD sites should refer to DoD policies and firewall STIGs to determine acceptable firewalls products.

If the PAW host-based firewall is not configured to block all inbound ports and services from a PAW except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request, this is a finding.

Check Content Reference

M

Target Key

3283

Comments