Check: WN10-00-000030
Microsoft Windows 10 STIG:
WN10-00-000030
(in versions v2 r8 through v2 r4)
Title
Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest. (Cat II impact)
Discussion
If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running.
Check Content
Verify all Windows 10 information systems (including SIPRNet) employ BitLocker for full disk encryption. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. If full disk encryption using BitLocker is not implemented, this is a finding. Verify BitLocker is turned on for the operating system drive and any fixed data drives. Open "BitLocker Drive Encryption" from the Control Panel. If the operating system drive or any fixed data drives have "Turn on BitLocker", this is a finding. NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).
Fix Text
Enable full disk encryption on all information systems (including SIPRNet) using BitLocker. BitLocker, included in Windows, can be enabled in the Control Panel under "BitLocker Drive Encryption" as well as other management tools. NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).
Additional Identifiers
Rule ID: SV-220702r859296_rule
Vulnerability ID: V-220702
Group Title: SRG-OS-000185-GPOS-00079
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001199 |
The information system protects the confidentiality and/or integrity of organization-defined information at rest. |
CCI-002445 |
The organization distributes symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes. |
CCI-002446 |
The organization produces asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user^s private key. |
CCI-002475 |
The information system implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. |
CCI-002476 |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components. |