800-53|AC-17

Title

REMOTE ACCESS

Description

The organization:

Supplemental

Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AC-18,AC-19,AC-2,AC-20,AC-3,CA-3,CA-7,CM-8,IA-2,IA-3,IA-8,MA-4,PE-17,PL-4,SC-10,SI-4

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.2 Install and configure HP-UX Secure Shell 'PermitRootLogin=no'	Unix	CIS HP-UX 11i v1.5
1.1.2 Install and configure HP-UX Secure Shell 'X11Forwarding=yes'	Unix	CIS HP-UX 11i v1.5
1.2 Enable SSH (PermitRootLogin)	Unix	CIS FreeBSD v1.0.5
1.2.1 Restrict Access to VTY Sessions	Cisco	CIS Cisco NX-OS L1 v1.1.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.2.2.1.1 Configure 'Offer Remote Assistance'	Windows	CIS Windows 2003 MS v3.1.0
1.2.2.1.1 Configure 'Offer Remote Assistance'	Windows	CIS Windows 2003 DC v3.1.0
1.2.2.1.2 Configure 'Solicited Remote Assistance'	Windows	CIS Windows 2003 MS v3.1.0
1.2.2.1.2 Configure 'Solicited Remote Assistance'	Windows	CIS Windows 2003 DC v3.1.0
1.2.16 Ensure that the --secure-port argument is not set to 0	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.16 Ensure that the --secure-port argument is not set to 0	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.18 Ensure that the --secure-port argument is not set to 0 - KubeApiServers	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.18 Ensure that the --secure-port argument is not set to 0 - Pods	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.19 Ensure that the --secure-port argument is not set to 0	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.24 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate	Unix	CIS Kubernetes Benchmark v1.9.0 L1 Master
1.2.25 Ensure that the --client-ca-file argument is set as appropriate	Unix	CIS Kubernetes Benchmark v1.9.0 L1 Master
1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - key	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - key	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.27 Ensure that the --client-ca-file argument is set as appropriate	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.27 Ensure that the --client-ca-file argument is set as appropriate	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.29 Ensure that the --client-ca-file argument is set as appropriate	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.10 Ensure system-wide crypto policy is not legacy	Unix	CIS CentOS Linux 8 Server L1 v2.0.0
1.10 Ensure system-wide crypto policy is not legacy	Unix	CIS Oracle Linux 9 Workstation L1 v1.0.0
1.10 Ensure system-wide crypto policy is not legacy	Unix	CIS Fedora 28 Family Linux Server L1 v2.0.0
1.10 Ensure system-wide crypto policy is not legacy	Unix	CIS Red Hat EL9 Server L1 v1.0.0
1.10 Ensure system-wide crypto policy is not legacy	Unix	CIS Red Hat EL9 Workstation L1 v1.0.0
1.10 Ensure system-wide crypto policy is not legacy	Unix	CIS Rocky Linux 9 Server L1 v1.0.0
1.10 Ensure system-wide crypto policy is not legacy	Unix	CIS CentOS Linux 8 Workstation L1 v2.0.0
1.10 Ensure system-wide crypto policy is not legacy	Unix	CIS Fedora 28 Family Linux Workstation L1 v2.0.0
1.10 Ensure system-wide crypto policy is not legacy	Unix	CIS AlmaLinux OS 9 Server L1 v1.0.0
1.10 Ensure system-wide crypto policy is not legacy	Unix	CIS AlmaLinux OS 9 Workstation L1 v1.0.0
1.10 Ensure system-wide crypto policy is not legacy	Unix	CIS Rocky Linux 9 Workstation L1 v1.0.0
1.10 Ensure system-wide crypto policy is not legacy	Unix	CIS Oracle Linux 9 Server L1 v1.0.0
1.10.1 Always prompt client for password upon connection	Windows	CIS Windows 2008 Enterprise v1.2.0
1.10.1 Always prompt client for password upon connection	Windows	CIS Windows 2008 SSLF v1.2.0
1.10.2 Set client connection encryption level	Windows	CIS Windows 2008 SSLF v1.2.0
1.10.2 Set client connection encryption level	Windows	CIS Windows 2008 Enterprise v1.2.0
1.12 Ensure 'Internet-facing receive connectors' is set to 'Tls, BasicAuth, BasicAuthRequireTLS'	Windows	CIS Microsoft Exchange Server 2019 L1 Edge v1.0.0
1.12.4 Offer Remote Assistance	Windows	CIS Windows 2008 SSLF v1.2.0
1.12.4 Offer Remote Assistance	Windows	CIS Windows 2008 Enterprise v1.2.0
1.12.5 Solicited Remote Assistance	Windows	CIS Windows 2008 SSLF v1.2.0
1.12.5 Solicited Remote Assistance	Windows	CIS Windows 2008 Enterprise v1.2.0

Detections

Analytics