From Windows PAW Security Technical Implementation Guide
Part of SRG-OS-000480-GPOS-00227
Associated with: CCI-000366
A main security architectural construct of a PAW is to restrict access to the PAW from only specific privileged accounts designated for managing the high-value IT resources the PAW has been designated to manage. If unauthorized standard user accounts or unauthorized high-value administrative accounts are able to access a specific PAW, high-value IT resources and critical DoD information could be compromised.
Verify membership of local admin groups on the PAW are empty: On the Windows PAW, verify there are no members in the following local privileged groups (excluding Administrators)*: - Backup Operators (built-in) - Cryptographic Operators - Hyper-V Administrators - Network Configuration Operators - Power Users - Remote Desktop Users - Replicator If the membership of the following admin groups is not empty, this is a finding: Backup Operators (built-in), Cryptographic Operators, Hyper-V Administrators, Network Configuration Operators, Power Users, Remote Desktop Users, and Replicator. *Allowed exception: If a Hyper-V environment is used, the Hyper-V Administrators group may include members.
Complete the following configuration procedures to restrict access to privileged accounts on the PAW (see the instructions for use of group policy to define membership, PAW Installation instructions in the Microsoft PAW paper). Configure membership of all local privileged groups (except for "Administrators (built-in)" group) so it is empty*. This procedure applies to the following local privileged groups: - Backup Operators (built-in) - Hyper-V Administrators - Network Configuration Operators - Power Users - Remote Desktop Users - Replicator Link the PAW group policy object (GPO) to the appropriate Tier devices Organizational Unit (OU). *Allowed exception: If a Hyper-V environment is used, the Hyper-V Administrators group may include members.
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer