DISA STIG Requires Privilege Access Workstations (PAW) for Cloud Tenant Administration

DISA recently published a Security Technical Implementation Guide (STIG), updated in February, mandating that DoD use Privileged Access Workstations (PAWs) for remote administration of all cloud services (e.g. Azure, O365, AWS, etc.). See: DISA STIG - Microsoft PAW

This STIG is designed to protect cloud tenant credentials from credential theft, a technique used in almost all advanced or complex cyber-attacks. Microsoft's latest Threat Intelligence Report shows that:

As an increasing number of sites are breached and passwords phished, attackers attempt to reuse the stolen credentials on multiple services.

So as customers move to the cloud, so do the attackers, but they still attack through phishing and malicious Web sites to compromise credentials entered on weakly protected PCs and devices that surf the Internet and check e-mail. The credentials at stake now include those of Office 365, Azure and other cloud tenant administrators.

It has been well known for years that replaying stolen session cookies, obtained through man-in-the-middle attacks such as session hijacking, can bypass multi-factor authentication requirements. These attacks often manifest locally on a workstation or device, via malicious e-mail exploits that leverage ARP spoofing against the client machine used to read e-mail. Therefore, isolating and protecting the endpoint from which a privileged user logs on to the cloud as an admin from the broader Internet is of the utmost importance.

Accordingly, the DISA STIG distribution memorandum for the Microsoft PAW states that:

Department of Defense (DoD) Instruction 8500.01 directs that the Defense Information Systems Agency (DISA) “develops and maintains control correlation identifiers (CCIs), security requirements guides (SRGs), security technical implementation guides (STIGs), and mobile code risk categories and usage guides that implement and are consistent with DoD cybersecurity policies, standards, architectures, security controls, and validation procedures, with the support of the NSA/CSS, using input from stakeholders” and DoD Component heads “ensure that all DoD IT under their purview complies with applicable STIGs, security configuration guides, and SRGs.”

In accordance with DoD Instruction 8500.01, the Microsoft Windows Privileged Access Workstation (PAW) STIG Version 1 is released for immediate use.

Specifically, this new PAW STIG mandates that all DoD IT under its purview should:

Remotely manage high-value IT resources only via a PAW.

  • Administrative accounts will not be used for non-administrative functions (for example, read email, browse Internet)

High-value IT resources are the most important and critical IT resources within an organization.

Administrator accounts for high-value IT resources must be protected against various threats and attacks because threats to sensitive privileged accounts are high and risk of compromise is increasing.

Requiring a PAW used exclusively for remote administrative management of designated high-value IT resources, including servers, workstations, directory services, applications, databases, and network components, will provide a separate "channel" for the performance of administrative tasks on high-value IT resources and isolate these functions from the majority of threats and attack vectors found on higher-risk standard client systems.

Note: The term "manage" in the Requirement statement includes any remote connection to a high-value IT resource (for example, to view resource status and current configuration or to make changes to any resource configuration).

The Information System Security Manager (ISSM) or other site personnel will assist the Authorizing Official (AO) in designating and documenting which IT resources in the organization are high value. The organization's list of high-value IT resources will include the following:

  • Active Directory
  • Cloud service
  • Identity management service
  • Privileged access management service
  • Credential management service
  • Security management service (anti-virus, network monitoring/scanning, IDS/IPS, etc.)
  • Any sensitive business service
  • Any other IT resource designated as high value by the AO

The way you isolate and protect Domain and Enterprise Admins in on-premises environments is replicated in the cloud to protect cloud tenant credentials. Hardened well beyond a typical workstation in an "assumed compromised" network, the PAW requires application whitelisting using Windows 10 Device Guard according to the STIG. The STIG states DoD should:

Implement a whitelist of authorized PAW applications using Device Guard. See the Device Guard Deployment Guide (/en-us/windows/device-security/device-guard/device-guard-deployment-guide) for deployment information and hardware requirements and the IAD Device Guard document "Implementing a Secure Administrative Workstation using Device Guard" at https://github.com/iadgov/Secure-Host-Baseline/tree/master/Device%20Guard.
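One way to carry out that directive, written here as an added example rather than the STIG's or Microsoft's own script: build the Device Guard code integrity policy from a clean reference PAW image in audit mode, review what audit mode would have blocked, then switch to enforcement. The paths under C:\PAW, the function names, and the legacy single-policy deployment location are assumptions for this illustration.

```powershell
# Added example, not from the STIG or Microsoft's Device Guard deployment guide.
# Builds a Device Guard (WDAC) code integrity policy for a PAW in three stages
# that run at different times. Paths under C:\PAW are assumptions; run elevated.
$PolicyXml = 'C:\PAW\CIPolicy\PAW-Policy.xml'
$PolicyBin = 'C:\PAW\CIPolicy\SIPolicy.p7b'
$DeployTo  = "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"   # legacy single-policy path

function Publish-PawPolicy {
    # Compile the XML to the binary the Code Integrity driver loads at boot; reboot after.
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin | Out-Null
    Copy-Item -Path $PolicyBin -Destination $DeployTo -Force
}

function New-PawAuditPolicy {
    # Stage 1 (on the clean reference PAW image): scan and whitelist what is installed.
    # -Level Publisher trusts binaries by signing publisher, -Fallback Hash pins
    # unsigned files by hash, -UserPEs includes the user-mode admin tools.
    New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null
    New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\' -FilePath $PolicyXml
    # Rule options: 0 = Enabled:UMCI (user-mode code integrity), 3 = Enabled:Audit Mode,
    # 6 = Enabled:Unsigned System Integrity Policy, 10 = Enabled:Boot Audit on Failure.
    foreach ($opt in 0, 3, 6, 10) { Set-RuleOption -FilePath $PolicyXml -Option $opt }
    Publish-PawPolicy
}

function Get-PawAuditHits {
    # Stage 2 (after exercising every authorized admin tool on the PAW): event 3076 is
    # "would have been blocked" in audit mode. Each hit is either an authorized tool
    # missing from the whitelist or unauthorized code that has no business on a PAW.
    Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 3076 } |
        Select-Object TimeCreated, Message
}

function Enable-PawEnforcement {
    # Stage 3 (audit log clean): drop audit mode so the policy blocks instead of logging.
    Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
    Publish-PawPolicy
}
```

Run New-PawAuditPolicy on the reference image, work through the admin tooling, check Get-PawAuditHits, and only then run Enable-PawEnforcement. Any legitimate tool the scan missed can be added by merging a supplementary policy into the XML with Merge-CIPolicy before re-publishing.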

These isolation and other requirements are based on Microsoft's PAW documentation at https://aka.ms/cyberpaw. The STIG also supports Microsoft's best-practice recommendations for Azure, especially when synchronizing DCs, as documented here: /en-us/azure/active-directory/admin-roles-best-practices and in Azure's IaaS best-practices guidance published here: https://docs.microsoft.com/en-us/azure/security/azure-security-iaas.