2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled

Information

If User-ID is configured, use the Include/Exclude Networks section to limit the User-ID scope to operate only on trusted networks. There is rarely a legitimate need to allow WMI probing or other User identification on an untrusted network.

Rationale:

The Include/Exclude Networks feature allows administrators to configure boundaries for the User-ID service. By using the feature to limit User-ID probing to trusted internal networks only, the risk of privileged information disclosure through sent probes is reduced. Note that as soon as any entry appears in the Include/Exclude Networks section, an implicit exclude-all-networks policy takes effect for every network not listed.

Impact:

Not restricting the networks subject to User Identification means that the administrative credentials (user ID and password hash) used for probing will transit untrusted networks or be sent to untrusted hosts. Anyone who captures these credentials can subject them to offline cracking attacks.

Solution

Navigate to Device > User Identification > User Mapping > Include/Exclude Networks.
Set all trusted internal networks to have a Discovery value of Include.
Set all untrusted external networks to have a Discovery value of Exclude. Note that adding any entry to this list causes every network not listed as Include to be treated as untrusted (the implicit exclude-all policy).
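The following Python check, added here and not part of this benchmark item or the Tenable plugin, reads the Include/Exclude Networks entries from an exported PAN-OS XML configuration and applies the scoping rule described above (no entries = every network probed; any entries = only Include networks, minus Exclude entries). The element names in the sample XML (user-id-collector, include-exclude-network, discovery, network) and the sample networks are assumptions constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed PAN-OS XML fragment for Device > User Identification > User Mapping >
# Include/Exclude Networks (element names are an assumption, not taken from the page).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><user-id-collector><include-exclude-network>
  <entry name="corp-lan"><discovery>include</discovery><network>10.0.0.0/8</network></entry>
  <entry name="guest-wifi"><discovery>exclude</discovery><network>10.200.0.0/16</network></entry>
</include-exclude-network></user-id-collector></entry></vsys></entry></devices></config>"""


def load_rules(xml_text):
    """Return (name, discovery, network) tuples for each Include/Exclude entry."""
    rules = []
    for e in ET.fromstring(xml_text).findall(".//include-exclude-network/entry"):
        net = ipaddress.ip_network(e.findtext("network"), strict=False)
        rules.append((e.get("name"), e.findtext("discovery"), net))
    return rules


def probes_allowed(rules, host):
    """Would User-ID send probes to this host under the configured rules?
    No rules: every network is in scope (the insecure default).
    Any rules: only Included networks, minus Exclude entries, are probed;
    everything not listed falls under the implicit exclude-all."""
    ip = ipaddress.ip_address(host)
    if not rules:
        return True
    if any(d == "exclude" and ip in net for _, d, net in rules):
        return False
    return any(d == "include" and ip in net for _, d, net in rules)


def audit(rules, trusted, untrusted):
    """Return findings for the control; an empty list means it passes.
    Each network is checked via its first usable address."""
    findings = []
    if not rules:
        findings.append("no Include/Exclude entries: User-ID probes every network")
    for cidr in trusted:
        if not probes_allowed(rules, ipaddress.ip_network(cidr)[1]):
            findings.append(f"trusted network {cidr} is not Included")
    for cidr in untrusted:
        if probes_allowed(rules, ipaddress.ip_network(cidr)[1]):
            findings.append(f"untrusted network {cidr} is in User-ID scope")
    return findings
```

Run audit(load_rules(xml), trusted_cidrs, untrusted_cidrs) against a configuration export; an empty result means the Include/Exclude scope matches the intended trust boundary.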

Default Value:

Not configured

See Also

https://workbench.cisecurity.org/benchmarks/13792

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|9.2

Plugin: Palo_Alto

Control ID: 99d91c50612dcc4333b040ae8383d7eb52459297907274c3505ca6507e18aea2