An error occurred:

Check: WPAW-00-001050

Microsoft Windows PAW STIG: WPAW-00-001050 (in versions v2 r3 through v2 r1)

Title

Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard Code Integrity Policy). (Cat II impact)

Discussion

A main security architectural construct of a PAW is to restrict non-administrative applications and functions from the PAW workstation. Many standard user applications and functions, including email processing, Internet browsing, and using business applications, can increase the security risk to the workstation. These apps and functions are susceptible to many security vulnerabilities, including phishing attacks and embedded malware. This increased risk is not acceptable for the highly privileged activities of a PAW.

Check Content

Note: This requirement is Not Applicable (NA) if the Endpoint Security Solution (ESS) managed system is used on the PAW and application white listing is enforced. Verify Device Guard is enforcing a code integrity policy to restrict authorized applications. Run "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | FL *codeintegrity*" If "CodeIntegrityPolicyEnforcementStatus" does not have a value of "2" indicating "Enforced", this is a finding. (For reference: 0 - Not Configured; 1 - Audit; 2 - Enforced) Alternately: - Run "System Information". - Under "System Summary", verify the following: If "Device Guard Code Integrity Policy" does not display "Enforced", this is finding.

Fix Text

Implement a whitelist of authorized PAW applications using Device Guard. See the Device Guard Deployment Guide (https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide) for deployment information and hardware requirements and the IAD Device Guard document "Implementing a Secure Administrative Workstation using Device Guard" at https://github.com/iadgov/Secure-Host-Baseline/tree/master/Device%20Guard.

Additional Identifiers

Rule ID: SV-243450r804960_rule

Vulnerability ID: V-243450

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings