Microsoft Windows PAW STIG Version Comparison

There are 1 differences between versions v2 r3 (Nov. 9, 2023) (the "left" version) and v3 r2 (July 2, 2025) (the "right" version).

Check WPAW-00-001600 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Title

The Windows PAW must be configured to enforce two-factor authentication and use Active Directory for authentication management.

Check Content

Review the configuration on the PAW. Verify group policy is configured to enable either smart card or another DoD-approved DOD-approved two-factor authentication method for site PAWs. - In Active Directory, go to Computer Configuration\Windows Configuration Settings\Security Settings\Local Policies\Security >> Windows Settings >> Security Settings >> Local Policies >> Security Options. - Verify "Interactive logon: Require Windows Hello for Business or smart card" is set to "Enabled". If group policy is not configured to enable either smart card or another DoD-approved DOD-approved two-factor authentication method, this is a finding.

Discussion

Due to the highly privileged functions of a PAW, a high level of trust must be implemented for access to the PAW, including non-repudiation nonrepudiation of the user session. One-factor authentication, including username and password and shared administrator accounts, does not provide adequate assurance.

Fix

In Active Directory, configure group policy to enable either smart card or another DoD-approved DOD-approved two-factor authentication method for all PAWs. - Go to Computer Configuration\Windows Configuration Settings\Security Settings\Local Policies\Security >> Windows Settings >> Security Settings >> Local Policies >> Security Options. - Set "Interactive logon: Require Windows Hello for Business or smart card" to "Enabled".