5.10 Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled''

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Manages Internet SCSI (iSCSI) sessions from this computer to remote target devices.

The recommended state for this setting is: 'Disabled'.

Rationale:
This service is critically necessary in order to directly attach to an iSCSI device. However, iSCSI itself uses a very weak authentication protocol (CHAP), which means that the passwords for iSCSI communication are easily exposed, unless all of the traffic is isolated and/or encrypted using another technology like IPsec. This service is generally more appropriate for servers in a controlled environment then on workstations requiring high security.

Solution

To establish the recommended configuration via GP, set the following UI path to: 'Disabled'.


Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Microsoft iSCSI Initiator Service


Impact:
The computer will not be able to directly login to or access iSCSI targets.

See Also

https://workbench.cisecurity.org/files/1929

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7

Plugin: Windows

Control ID: 110324dc01480c00e3b1bc30feb64ed3cb7709e12c46444fa6446825d7625aed