STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to STIGs

Microsoft Windows PAW Security Technical Implementation Guide

Version

V3R3

Benchmark ID

Windows_PAW_STIG

Total Checks

24

Tags

windows
CAT I: 2CAT II: 21CAT III: 1

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKLExport CSVExport JSON

Checks (24)

V-243442LOWAdministrators of high-value IT resources must complete required training.V-243443MEDIUMSite IT resources designated as high value by the Authorizing Official (AO) must be remotely managed only via a Windows privileged access workstation (PAW).V-243444MEDIUMAdministrative accounts of all high-value IT resources must be assigned to a specific administrative tier in Active Directory to separate highly privileged administrative accounts from less privileged administrative accounts.V-243445MEDIUMA Windows PAW must only be used to manage high-value IT resources assigned to the same tier.V-243446MEDIUMAll high-value IT resources must be assigned to a specific administrative tier to separate highly sensitive resources from less sensitive resources.V-243447MEDIUMThe Windows PAW must be configured with a vendor-supported version of Windows 11 and applicable security patches that are DOD approved.V-243448MEDIUMA Windows update service must be available to provide software updates for the PAW platform.V-243449MEDIUMThe Windows PAW must be configured so that all non-administrative-related applications and functions are blocked or removed from the PAW platform, including but not limited to email, Internet browsing, and line-of-business applications.V-243450MEDIUMDevice Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard Code Integrity Policy).V-243451MEDIUMDevice Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard User Mode Code Integrity).V-243452MEDIUMWindows PAWs must be restricted to only allow groups used to manage high-value IT resources and members of the local Administrators group to log on locally.V-243453MEDIUMThe domain must be configured to restrict privileged administrator accounts from logging on to lower-tier hosts.V-243454HIGHA Windows PAW used to manage domain controllers and directory services must not be used to manage any other type of high-value IT resource.V-243455MEDIUMPAWs used to manage Active Directory must only allow groups specifically designated to manage Active Directory, such as Enterprise and Domain Admins and members of the local Administrators group, to log on locally.V-243456MEDIUMIn a Windows PAW, administrator accounts used for maintaining the PAW must be separate from administrative accounts used to manage high-value IT resources.V-243457MEDIUMThe Windows PAW must be configured to enforce two-factor authentication and use Active Directory for authentication management.V-243458HIGHThe Windows PAW must use a trusted channel for all connections between a PAW and IT resources managed from the PAW.V-243459MEDIUMIf several Windows PAWs are set up in virtual machines (VMs) on a host server, the host server must only contain PAW VMs. If the PAW is hosted, the hosting system must be separated either physically or logically from other servers. The server is restricted to only PAW hosting functions.V-243460MEDIUMThe Windows PAW must be configured so that all inbound ports and services to a PAW are blocked except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request.V-243461MEDIUMThe Windows PAW must be configured so that all outbound connections to the Internet from a PAW are blocked.V-243462MEDIUMThe local Administrators group on the Windows PAW must only include groups with accounts specifically designated to administer the PAW.V-243463MEDIUMLocal privileged groups (excluding Administrators) on the Windows PAW must be restricted to include no members.V-243464MEDIUMRestricted remote administration must be enabled for high-value systems.V-243465MEDIUMIf several PAWs are set up in virtual machines (VMs) on a host server, domain administrative accounts used to manage high-value IT resources must not have access to the VM host operating system (OS) (only domain administrative accounts designated to manage PAWs should be able to access the VM host OS).