Check: WN11-00-000080
Microsoft Windows 11 STIG:
WN11-00-000080
(present in STIG versions v1 r1 through v2 r2)
Title
Only authorized user accounts must be allowed to create or run virtual machines on Windows 11 systems. (Cat II impact)
Discussion
Allowing other operating systems to run on a secure system may allow users to circumvent security. For Hyper-V, preventing unauthorized users from being assigned to the Hyper-V Administrators group will prevent them from accessing or creating virtual machines on the system. The Hyper-V hypervisor is used by Virtualization-Based Security (VBS) features such as Credential Guard on Windows 11; however, that hypervisor alone is not the full Hyper-V installation.
Check Content
If a hosted hypervisor (Hyper-V, VMware Workstation, etc.) is installed on the system, verify only authorized user accounts are allowed to run virtual machines.

For Hyper-V, run "Computer Management". Navigate to System Tools >> Local Users and Groups >> Groups. Double click on "Hyper-V Administrators". If any unauthorized groups or user accounts are listed in "Members:", this is a finding.

For hosted hypervisors other than Hyper-V, verify only authorized user accounts have access to run the virtual machines. Restrictions may be enforced by access to the physical system, software restriction policies, or access restrictions built into the application. If any unauthorized groups or user accounts have access to create or run virtual machines, this is a finding.

All users authorized to create or run virtual machines must be documented with the ISSM/ISSO. Accounts nested within group accounts must be documented as individual accounts and not the group accounts.
Fix Text
For Hyper-V, remove any unauthorized groups or user accounts from the "Hyper-V Administrators" group. For hosted hypervisors other than Hyper-V, restrict access to create or run virtual machines to authorized user accounts only.
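The Hyper-V portion of the check and fix above can be scripted. The following PowerShell is an added example, not part of the STIG text or any DISA tooling. It assumes a Windows 11 host with the built-in Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalGroupMember, Remove-LocalGroupMember), an elevated session, and, optionally, the RSAT ActiveDirectory module for expanding nested domain groups. The $Authorized list is a constructed placeholder standing in for the accounts documented with the ISSM/ISSO; nested group members are reported individually, as the check requires, and remediation runs with -WhatIf so nothing is removed until the authorized list has been confirmed.

```powershell
# Added example for WN11-00-000080 (not from the STIG): audit "Hyper-V Administrators"
# against a documented list of authorized accounts and optionally remediate.
$GroupName = 'Hyper-V Administrators'

# Constructed placeholder: replace with the accounts documented with the ISSM/ISSO,
# written exactly as Get-LocalGroupMember reports them (COMPUTER\user or DOMAIN\user).
$Authorized = @(
    "$env:COMPUTERNAME\vmadmin"   # placeholder account, not a real requirement
)

function Get-EffectiveMembers {
    # Returns one row per effective member. Direct members are flagged Direct=$true;
    # members pulled out of a nested domain group are flagged Direct=$false so the
    # caller knows removal must target the nested group, not the individual account.
    param([string]$Group = $GroupName)

    foreach ($m in Get-LocalGroupMember -Group $Group -ErrorAction Stop) {
        if ($m.ObjectClass -ne 'Group') {
            [pscustomobject]@{
                Name       = $m.Name
                Class      = $m.ObjectClass
                Source     = $m.PrincipalSource
                Direct     = $true
                Authorized = ($Authorized -contains $m.Name)
                Note       = ''
            }
            continue
        }

        # A nested group: the STIG wants its members documented as individual accounts.
        # Expand it recursively when it is an AD group and the AD module is available.
        $canExpand = ($m.PrincipalSource -eq 'ActiveDirectory') -and
                     (Get-Module -ListAvailable -Name ActiveDirectory)
        if ($canExpand) {
            Import-Module ActiveDirectory -ErrorAction Stop
            $domainPrefix = $m.Name.Split('\')[0]
            foreach ($n in Get-ADGroupMember -Identity $m.SID.Value -Recursive) {
                $fullName = "$domainPrefix\$($n.SamAccountName)"
                [pscustomobject]@{
                    Name       = $fullName
                    Class      = $n.objectClass
                    Source     = 'ActiveDirectory'
                    Direct     = $false
                    Authorized = ($Authorized -contains $fullName)
                    Note       = "nested via $($m.Name)"
                }
            }
        } else {
            # Cannot expand here (local/AzureAD group, or no AD module): report the group
            # itself as a finding that needs manual expansion and documentation.
            [pscustomobject]@{
                Name       = $m.Name
                Class      = 'Group'
                Source     = $m.PrincipalSource
                Direct     = $true
                Authorized = $false
                Note       = 'nested group: expand and document members individually'
            }
        }
    }
}

# --- Check ---
$members  = @(Get-EffectiveMembers)
$findings = @($members | Where-Object { -not $_.Authorized })

$members | Format-Table Name, Class, Source, Direct, Authorized, Note -AutoSize
if ($findings.Count -eq 0) {
    Write-Output "WN11-00-000080: no finding ($($members.Count) member(s), all authorized)."
} else {
    Write-Warning "WN11-00-000080: FINDING - $($findings.Count) unauthorized member(s) in '$GroupName'."
}

# --- Fix (Fix Text: remove unauthorized groups/accounts from the group) ---
# Only direct members can be removed from the local group; an unauthorized account that
# arrived through a nested group is fixed by removing (or documenting) that nested group.
# -WhatIf previews the change; drop it only after the authorized list is confirmed.
foreach ($f in $findings | Where-Object { $_.Direct }) {
    Remove-LocalGroupMember -Group $GroupName -Member $f.Name -WhatIf
}
```

Run the script from an elevated PowerShell prompt after filling in $Authorized. The first table is the evidence for the check; the warning line is the finding decision; the -WhatIf output shows exactly which direct members the fix would remove. Accounts reached through a nested group appear with Direct=$false and cannot be removed individually, which mirrors the STIG's requirement that nested members be documented as individual accounts rather than hidden behind the group.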
Additional Identifiers
Rule ID: SV-253271r958702_rule
Vulnerability ID: V-253271
Group Title: SRG-OS-000312-GPOS-00124
CCIs
Number | Definition
---|---
CCI-002135 | Implement the organization-defined list of dynamic privilege management capabilities.
CCI-002165 | Enforce organization-defined discretionary access control policies over defined subjects and objects.