800-53|AC-6(3)

Title

NETWORK ACCESS TO PRIVILEGED COMMANDS

Description

The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.

Supplemental

Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AC-17

Category: ACCESS CONTROL

Parent Title: LEAST PRIVILEGE

Family: ACCESS CONTROL

Baseline Impact: HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.2.4.16 Set 'Allow Remote Shell Access' to 'Enabled'	Windows	CIS Windows 8 L1 v1.0.0
1.4.4.2 Ensure 'aaa authorization exec' is configured correctly	Cisco	CIS Cisco Firewall ASA 8 L1 v4.1.0
1.6.9 Restrict root logins to system console 'root'	Unix	CIS HP-UX 11i v1.5
1.12.2 Restrict access to the web administration	Unix	CIS Apache Tomcat5.5/6.0 L2 v1.0
1.12.3 Restrict manager application	Unix	CIS Apache Tomcat5.5/6.0 L2 v1.0
2.2 Ensure access to sensitive site features is restricted to authenticated principals only	Windows	CIS IIS 8.0 v1.5.1 Level 1
2.2 Ensure Access to Sensitive Site Features Is Restricted To Authenticated Principals Only - Applications	Windows	CIS IIS 7 L1 v1.8.0
2.3.10.10 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'	Windows	CIS Microsoft Windows 11 Stand-alone v3.0.0 L1
2.3.10.10 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + BL + NG
2.3.10.10 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'	Windows	CIS Microsoft Windows 10 Stand-alone v3.0.0 L1 BL NG
10.2 Restrict access to the web administration	Unix	CIS Apache Tomcat 7 L2 v1.1.0
10.2 Restrict access to the web administration	Unix	CIS Apache Tomcat 7 L2 v1.1.0 Middleware
10.2 Restrict access to the web administration application	Unix	CIS Apache Tomcat 9 L1 v1.0.0
10.2 Restrict access to the web administration application	Unix	CIS Apache Tomcat 9 L1 v1.0.0 Middleware
18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.1.0
18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.1.0
18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 v3.1.0
18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)	Windows	CIS Windows Server 2012 MS L1 v2.1.0
18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)	Windows	CIS Microsoft Windows Server 2016 MS L1 v1.2.0
18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)	Windows	CIS Microsoft Windows Server 2008 Member Server Level 1 v3.1.0
18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)	Windows	CIS Windows Server 2012 R2 MS L1 v2.5.0
18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)	Windows	CIS Windows Server 2012 R2 MS L1 v2.4.0
18.8.7.2 Ensure 'Allow remote access to the Plug and Play interface' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.1.0
18.8.7.2 Ensure 'Allow remote access to the Plug and Play interface' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.1.0
18.8.7.2 Ensure 'Allow remote access to the Plug and Play interface' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.1.0
18.8.7.2 Ensure 'Allow remote access to the Plug and Play interface' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 v3.1.0
18.8.7.2 Ensure 'Allow remote access to the Plug and Play interface' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.8.7.2 Ensure 'Allow remote access to the Plug and Play interface' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.8.7.2 Ensure 'Allow remote access to the Plug and Play interface' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.1.0
18.8.7.2 Ensure 'Allow remote access to the Plug and Play interface' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 Member Server Level 1 v3.1.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Windows Server 2012 MS L2 v2.1.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 2 v3.1.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 2 v3.1.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Windows Server 2012 R2 DC L2 v2.4.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2016 MS L2 v1.2.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 2 v3.2.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Microsoft Windows 8.1 L2 Bitlocker v2.3.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Microsoft Windows 8.1 L2 v2.3.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 2 v3.1.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 2 + Bitlocker v3.1.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Windows Server 2012 DC L2 v2.1.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 Domain Controller Level 2 v3.1.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 Member Server Level 2 v3.1.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Windows Server 2012 R2 MS L2 v2.4.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Windows Server 2016 DC L2 v1.2.0
18.9.99.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Windows Server 2012 R2 MS L2 v2.5.0
18.9.99.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Windows	CIS Windows Server 2012 R2 DC L2 v2.5.0

Detections

Analytics