
Amazon WorkSpaces STIG-compliant Windows image guidelines

This document provides prescriptive guidance for configuring Amazon WorkSpaces using the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG).

Robert Fountain
Amazon Employee
Published Aug 8, 2024
Last Modified Aug 26, 2024
DISA STIGs are the configuration standards submitted by operating system or software vendors to the Defense Information Systems Agency (DISA) for approval. Once approved, the configuration standards are used to configure security hardened information systems and software. STIGs contain technical guidance to help secure information systems or software that might otherwise be vulnerable to a malicious attack.

STIG Category Levels

DISA develops and maintains STIGs and defines the vulnerability Severity Category Codes (CAT) which are referred to as CAT I, II, and III.
Severity category code | DISA category code guidelines
CAT I   | Any vulnerability, the exploitation of which will directly and immediately result in loss of confidentiality, availability, or integrity.
CAT II  | Any vulnerability, the exploitation of which has a potential to result in loss of confidentiality, availability, or integrity.
CAT III | Any vulnerability, the existence of which degrades measures to protect against loss of confidentiality, availability, or integrity.

Document Structure

Amazon WorkSpaces supports a variety of bundles, each made up of a particular operating system version and set of software applications. We will break down the bundles into sections with the following structure:
I. Applicable STIGs
II. Implementation Guide
III. Exceptions & False Positives

Deployment Guides

The DoD Cyber Exchange contains the documentation and tools for applying DISA STIGs to your Amazon WorkSpaces images. All STIGs referenced in this document can be found on the DoD Cyber Exchange website.

Group Policy Objects

DISA provides a set of Group Policy Objects (GPOs) that can be applied to your Active Directory environment, providing centralized configuration management of the Windows operating system. The recommended approach for applying DISA STIGs is through Group Policy. Alternatively, you may use the local policy editor to apply the STIG to a single operating system. For more information on importing group policy objects, review How to Import a GPO from a file.

Testing

This guide provides prescriptive guidance on applying STIGs to your Amazon WorkSpaces environment. It is recommended to thoroughly test all STIG policies and GPOs in a non-production environment before applying the settings to your production environment.

Compliance Verification

The Security Content Automation Protocol (SCAP) tooling scans your images for compliance. The SCAP Tools section contains the relevant executables that can be downloaded and run against your images to verify compliance. Scans can be run locally on the intended target or remotely through the Remote Registry service.

Amazon WorkSpaces Implementation

The following sections describe the process for applying STIG requirements to Amazon WorkSpaces images.
Note on applicable STIGs
The applicable STIGs outlined in the following sections cover the base operating system as well as software titles that are included in the image as provided by AWS. Additional application packages installed per your organizational needs may have additional STIGs that are not referenced in this document.
For BYOL sections, the applicable STIGs reference the base operating system and embedded components. Additional application packages installed per your organizational needs may have additional STIGs that are not referenced in this document.

Windows Server 2022 (AWS Provided)

The following section outlines the implementation of DISA STIGs to the Amazon provided Windows Server 2022 image.

I. Applicable STIGs

  • MS_Windows_Server_2022_STIG
  • IE_11_STIG
  • MS_EDGE_STIG
  • MOZ_Firefox_Windows
  • MS_Dot_Net_Framework

II. Implementation Guide

  1. Create Group Policy objects for the applicable STIGs listed in the previous section. It is recommended to create separate policies for each applicable STIG as each STIG may be deployed independently.
  2. Import the associated STIG policy into the GPO created in Step 1.
  3. Apply the GPO to the associated Organizational Unit (OU) for deployment.

III. Exceptions & False Positives

There are no exceptions or false positives for this section.

Windows Server 2019 (AWS Provided)

The following section outlines the implementation of DISA STIGs to the Amazon provided Windows Server 2019 image.

I. Applicable STIGs

  • Windows_Server_2019_STIG
  • IE_11_STIG
  • MOZ_Firefox_Windows
  • MS_Defender_Antivirus
  • MS_Dot_Net_Framework
  • Windows_Firewall_with_Advanced_Security

II. Implementation Guide

  1. Create Group Policy objects for the applicable STIGs listed in the previous section. It is recommended to create separate policies for each applicable STIG as each STIG may be deployed independently.
  2. Import the associated STIG policy into the GPO created in Step 1.
  3. Apply the GPO to the associated Organizational Unit (OU) for deployment.

III. Exceptions & False Positives

The following STIG findings will need exceptions as they cannot be applied.
Severity | Description | Notes
CAT II  | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | TPM modules are not supported on AWS provided Windows Server 2019 bundles.
CAT III | Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. | UEFI firmware is not supported on AWS provided Windows Server 2019 bundles.
CAT III | Windows Server 2019 must have Secure Boot enabled. | Secure Boot is not supported on AWS provided Windows Server 2019 bundles.

Windows Server 2016 (AWS Provided)

The following section outlines the implementation of DISA STIGs to the Amazon provided Windows Server 2016 image.

I. Applicable STIGs

  • Windows_Server_2016_STIG
  • IE_11_STIG
  • MOZ_Firefox_Windows
  • MS_Defender_Antivirus
  • MS_Dot_Net_Framework
  • Windows_Firewall_with_Advanced_Security

II. Implementation Guide

  1. Create Group Policy objects for the applicable STIGs listed in the previous section. It is recommended to create separate policies for each applicable STIG as each STIG may be deployed independently.
  2. Import the associated STIG Group Policy into the GPO created in Step 1.
  3. Apply the GPO to the associated Organizational Unit (OU) for deployment.

III. Exceptions & False Positives

There are no exceptions or false positives for this section.

Windows 11 (BYOL)

The following section outlines the implementation of DISA STIGs for a customer provided Windows 11 BYOL image.

I. Applicable STIGs

  • Microsoft_Windows_11_STIG
  • MS_Edge_STIG

II. Implementation Guide

  1. Create Group Policy objects for the applicable STIGs listed in the previous section. It is recommended to create separate policies for each applicable STIG as each STIG may be deployed independently.
  2. Import the associated STIG Group Policy into the GPO created in Step 1.
  3. Apply the GPO to the associated Organizational Unit (OU) for deployment.

III. Exceptions & False Positives

The following STIG findings will either need exceptions as they cannot be applied or are to be noted as Not a Finding.
Category | Description | Notes
CAT II | Windows 11 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest. | NOT A FINDING: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN11-00-000031 and WN11-00-000032). See https://docs.aws.amazon.com/workspaces/latest/adminguide/encrypt-workspaces.html
CAT II | Windows 11 must use multi-factor authentication for local and network access to privileged and non-privileged accounts. | NOT A FINDING: If the system is a member of a domain this is Not Applicable.

Windows 10 (BYOL)

The following section outlines the implementation of DISA STIGs to the customer provided Windows 10 BYOL image.

I. Applicable STIGs

  • MS_Windows_10_STIG
  • MS_Defender_Antivirus
  • MS_Dot_Net_Framework
  • Windows_Firewall_with_Advanced_Security
  • MS_Edge_STIG

II. Implementation Guide

  1. Create Group Policy objects for the applicable STIGs listed in the previous section. It is recommended to create separate policies for each applicable STIG as each STIG may be deployed independently.
  2. Import the associated STIG Group Policy into the GPO created in Step 1.
  3. Apply the GPO to the associated Organizational Unit (OU) for deployment.
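The three Implementation Guide steps above are the same for every bundle in this document (Windows Server 2022, 2019, 2016 and the Windows 11 and Windows 10 BYOL images). The following PowerShell is an added example, not code from the article or from DISA, that performs them for one bundle: one GPO per STIG, imported from the DISA GPO package and linked to the WorkSpaces OU. It assumes the package has been extracted under `$PackageRoot` with one sub-folder per STIG (folder names are assumed), each holding the `manifest.xml` and `{BackupId}` folders that `Backup-GPO` writes, and that `$TargetOU` is the OU containing the WorkSpaces computer objects.

```powershell
# Added example (not part of the AWS article): one GPO per STIG, imported and linked.
# Run from an elevated session on a machine with the GroupPolicy RSAT module.
Import-Module GroupPolicy

$PackageRoot = 'C:\STIG\DISA_GPO_Package'          # assumption: extracted DISA GPO package
$TargetOU    = 'OU=WorkSpaces,DC=example,DC=com'   # assumption: OU holding the WorkSpaces

# One policy per applicable STIG (Windows Server 2019 bundle from the article).
# Sub-folder names are assumed; adjust them to the package version you downloaded.
$StigFolders = @(
    'Windows_Server_2019',
    'IE_11',
    'MOZ_Firefox_Windows',
    'MS_Defender_Antivirus',
    'MS_Dot_Net_Framework',
    'Windows_Firewall_with_Advanced_Security'
)

function Get-NodeText($node) {
    # Backup manifests wrap values in CDATA; normalise to a plain trimmed string.
    if ($node -is [System.Xml.XmlNode]) { return $node.InnerText.Trim() }
    return ([string]$node).Trim()
}

foreach ($folder in $StigFolders) {
    $backupPath = Join-Path $PackageRoot $folder
    $manifest   = [xml](Get-Content -Path (Join-Path $backupPath 'manifest.xml') -Raw)

    # A STIG folder may hold several backups (e.g. Computer and User policies);
    # each BackupInst entry records the backup ID and the original display name.
    foreach ($inst in $manifest.Backups.BackupInst) {
        $backupId = Get-NodeText $inst.ID
        $gpoName  = Get-NodeText $inst.GPODisplayName

        # Steps 1 and 2: create the GPO if missing and import the STIG settings into it.
        Import-GPO -BackupId $backupId -Path $backupPath -TargetName $gpoName -CreateIfNeeded | Out-Null

        # Step 3: link it to the OU unless a link already exists; it applies at the next refresh.
        $linked = (Get-GPInheritance -Target $TargetOU).GpoLinks.DisplayName
        if (-not ($linked -contains $gpoName)) {
            New-GPLink -Name $gpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
        }
        Write-Host "Imported and linked '$gpoName' from $folder"
    }
}
```

Test the resulting policies in a non-production OU first, as the Testing section recommends, and use the same loop with a different folder list for the other bundles.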

III. Exceptions & False Positives

The following STIG findings will need exceptions as they cannot be applied.
Category | Description | Notes
CAT II | Windows 11 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest. | NOT A FINDING: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN11-00-000031 and WN11-00-000032).
CAT II | Windows 11 must use multifactor authentication for local and network access to privileged and non-privileged accounts. | NOT A FINDING: If the system is a member of a domain this is Not Applicable.
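Each exception or Not a Finding in the tables above (the TPM, UEFI and Secure Boot entries for Windows Server 2019, and the BitLocker entry for the BYOL images) should be backed by evidence from the image itself. The following PowerShell is an added example, not from the article, that records that state on a WorkSpace so it can be attached to the exception request; it assumes an elevated session and uses only built-in cmdlets (`Get-Tpm`, `Confirm-SecureBootUEFI`, `Get-BitLockerVolume`), and the output file name is a constructed placeholder.

```powershell
# Added example (not part of the AWS article): collect evidence for the STIG exceptions.
$results = [System.Collections.Generic.List[object]]::new()

function Add-Check([string]$Area, [string]$Finding, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Area = $Area; Finding = $Finding; Compliant = $Ok; Detail = $Detail })
}

# TPM enabled and ready (exception on AWS provided Windows Server 2019 bundles).
try {
    $tpm = Get-Tpm
    Add-Check 'TPM' 'TPM enabled and ready' ($tpm.TpmPresent -and $tpm.TpmReady) "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
} catch {
    Add-Check 'TPM' 'TPM enabled and ready' $false "Get-Tpm failed: $($_.Exception.Message)"
}

# Firmware mode: Windows exposes it as an environment variable ('UEFI' or 'Legacy').
$fw = $env:firmware_type
Add-Check 'Firmware' 'Running in UEFI mode' ($fw -eq 'UEFI') "firmware_type=$fw"

# Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems, which is itself the evidence.
try {
    $sb = Confirm-SecureBootUEFI
    Add-Check 'Firmware' 'Secure Boot enabled' $sb "SecureBoot=$sb"
} catch {
    Add-Check 'Firmware' 'Secure Boot enabled' $false 'Not supported on this platform (legacy BIOS)'
}

# BitLocker on the OS volume (BYOL rule; Not a Finding when an alternate full disk
# encryption product with pre-boot authentication is used, per the table above).
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Add-Check 'Encryption' 'OS volume encrypted with BitLocker' ($bl.ProtectionStatus -eq 'On') "ProtectionStatus=$($bl.ProtectionStatus) Method=$($bl.EncryptionMethod)"
} catch {
    Add-Check 'Encryption' 'OS volume encrypted with BitLocker' $false 'BitLocker cmdlets unavailable; document the alternate encryption product instead'
}

$results | Format-Table -AutoSize
# Constructed output name; keep the CSV with the exception request for the image.
$results | Export-Csv -Path "$env:COMPUTERNAME-stig-exception-evidence.csv" -NoTypeInformation
```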

STIG Updates

DISA regularly releases updates to the STIGs referenced in this document as well as the automation tools. It is recommended that you bookmark the applicable STIG repository and periodically check for updates to the STIG to ensure you are compliant.

Contributors

Robert Fountain
David Ryder
Don Scott
Michael Lamanna
Michael Mattes
Nicholas Czabaranek
Puria Djafari
Roger LaMarca
Roy Tokeshi

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
