800-53|AC-17

Title

REMOTE ACCESS

Description

The organization:

Supplemental

Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.

Reference Item Details

Related: AC-18, AC-19, AC-2, AC-20, AC-3, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.2 Enable SSH (PermitRootLogin) | Unix | CIS FreeBSD v1.0.5
1.2.1 Restrict Access to VTY Sessions | Cisco | CIS Cisco NX-OS L1 v1.1.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.2.3 Ensure that the --kubelet-https argument is set to true | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.3.4.1 Set 'Configure Solicited Remote Assistance' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.3.4.2 Set 'Configure Offer Remote Assistance' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.3.4.3 Configure 'Customize Warning Messages' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4 Create 'access-list' for use with 'line vty' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.4 Create 'access-list' for use with 'line vty' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.2.4 Use https for kubelet connections | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.4.5.3 Set 'Encryption Level' to 'Enabled:High Level' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.5.4 Set 'Always prompt for password upon connection' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.6.1 Set 'Disallow Digest authentication' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.6.3 Set 'Allow Basic authentication' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.6.5 Set 'Allow unencrypted traffic' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.5 Ensure valid certificate is set for browser-based administrator interface | Palo_Alto | CIS Palo Alto Firewall 11 v1.1.0 L2
1.2.5 Ensure valid certificate is set for browser-based administrator interface | Palo_Alto | CIS Palo Alto Firewall 10 v1.2.0 L2
1.2.5 Set 'access-class' for 'line vty' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.2.16 Ensure that the --secure-port argument is not set to 0 | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.16 Ensure that the --secure-port argument is not set to 0 | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.18 Ensure that the --secure-port argument is not set to 0 | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.19 Ensure that the --secure-port argument is not set to 0 | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.24 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Unix | CIS Kubernetes v1.10.0 L1 Master
1.2.25 Ensure that the --client-ca-file argument is set as appropriate | Unix | CIS Kubernetes v1.10.0 L1 Master
1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - key | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - key | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.27 Ensure that the --client-ca-file argument is set as appropriate | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.27 Ensure that the --client-ca-file argument is set as appropriate | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.29 Ensure that the --client-ca-file argument is set as appropriate | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - key | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.30 Ensure that the --client-ca-file argument is set as appropriate | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.30 Ensure that the --etcd-cafile argument is set as appropriate | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.10 Ensure system-wide crypto policy is not legacy | Unix | CIS CentOS Linux 8 Server L1 v2.0.0
1.10 Ensure system-wide crypto policy is not legacy | Unix | CIS Fedora 28 Family Linux Server L1 v2.0.0
1.10 Ensure system-wide crypto policy is not legacy | Unix | CIS CentOS Linux 8 Workstation L1 v2.0.0
1.10 Ensure system-wide crypto policy is not legacy | Unix | CIS Fedora 28 Family Linux Workstation L1 v2.0.0
1.10.1 (L1) Ensure 'Allow Basic authentication for HTTP' is set to 'Disabled' | Windows | CIS Microsoft Edge v3.0.0 L1
1.10.3 (L2) Ensure 'Supported authentication schemes' is set to 'Enabled: ntlm, negotiate' | Windows | CIS Microsoft Edge v3.0.0 L2
1.12 Ensure 'Internet-facing receive connectors' is set to 'Tls, BasicAuth, BasicAuthRequireTLS' | Windows | CIS Microsoft Exchange Server 2019 L1 Edge v1.0.0