5.12 Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Manages Internet SCSI (iSCSI) sessions from this computer to remote target devices.

The recommended state for this setting is: Disabled.

Rationale:

This service is critically necessary in order to directly attach to an iSCSI device. However, iSCSI itself uses a very weak authentication protocol (CHAP), which means that the passwords for iSCSI communication are easily exposed, unless all of the traffic is isolated and/or encrypted using another technology like IPsec. This service is generally more appropriate for servers in a controlled environment then on workstations requiring high security.

Impact:

The computer will not be able to directly login to or access iSCSI targets.

Solution

To establish the recommended configuration via GP, set the following UI path to: Disabled.

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Microsoft iSCSI Initiator Service

Default Value:

Manual

See Also

https://workbench.cisecurity.org/benchmarks/12434