An error occurred:

Check: WPAW-00-000600

Microsoft Windows PAW STIG: WPAW-00-000600 (in versions v2 r3 through v1 r1)

Title

All high-value IT resources must be assigned to a specific administrative tier to separate highly sensitive resources from less sensitive resources. (Cat II impact)

Discussion

Note: The Microsoft Tier 0-2 AD administrative tier model (https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM) is an example. A key security construct of a PAW is to separate high-value IT resources into specific trust levels so that if a device at one trust level is compromised the risk of compromise of more critical IT resources at a different tier is reduced. This architecture protects IT resources in a tier from threats from higher-risk tiers. Isolating administrative accounts by forcing them to operate only within their assigned trust zone implements the concept of containment of security risks and adversaries within a specific zone.

Check Content

Verify the site has assigned each high-value IT resource to an administrative tier level by reviewing the site's list of high-value IT resources. In Active Directory verify each high-value IT resource has been assigned to the Organizational Unit (OU) corresponding to the administrative tier the resource is assigned to. If the site has not assigned an administrative tier level to each high-value IT resource or any high-value IT resource is not assigned to the appropriate OU in Active Directory, this is a finding.

Fix Text

Set up an administrative tier model for the domain (for example, the Microsoft-recommended Tier 0-2 AD administrative tier model). (Details of the Tier model are found at https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM.) Using the list of site designated high-value IT resources (see check WPAW-00-000200), indicate on the list the administrative Tier level the resource is assigned to. (Note: The updated list will be used in check WPAW-00-000400.) In Active Directory, assign all high-value IT resources to the appropriate Organizational Units (for example): - Admin\Tier 0\Devices - Admin\Tier 1\Devices - Admin\Tier 2\Devices

Additional Identifiers

Rule ID: SV-243446r722909_rule

Vulnerability ID: V-243446

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings