800-53|IA-3(1)

Title

CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION

Description

The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based.

Supplemental

A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk (e.g., remote connections).

Reference Item Details

Related: SC-12, SC-13, SC-8

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: DEVICE IDENTIFICATION AND AUTHENTICATION

Family: IDENTIFICATION AND AUTHENTICATION

Audit Items

Name | Plugin | Audit Name
1.1.1.2.1.36 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.36 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.42 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.42 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.43 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.43 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.44 Configure 'Domain controller: LDAP server signing requirements' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.50 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.50 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.51 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.51 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.61 Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.61 Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.69 Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.69 Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.76 Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.76 Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.4.14.4 Secure SMB | Unix | CIS Apple OSX 10.6 Snow Leopard L2 v1.0.0
1.9.1.1 Ensure 'NTP authentication' is enabled | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.9.1.1 Ensure 'NTP authentication' is enabled | Cisco | CIS Cisco Firewall ASA 8 L1 v4.1.0
1.9.12 Domain member: Digitally encrypt or sign secure channel data (always) | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.12 Domain member: Digitally encrypt or sign secure channel data (always) | Windows | CIS Windows 2008 Enterprise v1.2.0
1.9.13 Domain member: Digitally encrypt secure channel data (when possible) | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.13 Domain member: Digitally encrypt secure channel data (when possible) | Windows | CIS Windows 2008 Enterprise v1.2.0
1.9.14 Domain member: Digitally sign secure channel data (when possible) | Windows | CIS Windows 2008 Enterprise v1.2.0
1.9.14 Domain member: Digitally sign secure channel data (when possible) | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.17 Domain member: Require strong (Windows 2000 or later) session key | Windows | CIS Windows 2008 Enterprise v1.2.0
1.9.17 Domain member: Require strong (Windows 2000 or later) session key | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.19 Domain controller: LDAP server signing requirements | Windows | CIS Windows 2008 Enterprise v1.2.0
1.9.19 Domain controller: LDAP server signing requirements - Domain Controller | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.19 Domain controller: LDAP server signing requirements - Member Server | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.30 Microsoft network client: Digitally sign communications (always) | Windows | CIS Windows 2008 Enterprise v1.2.0
1.9.30 Microsoft network client: Digitally sign communications (always) | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.31 Microsoft network client: Digitally sign communications (if server agrees) | Windows | CIS Windows 2008 Enterprise v1.2.0
1.9.31 Microsoft network client: Digitally sign communications (if server agrees) | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.34 Microsoft network server: Digitally sign communications (always) | Windows | CIS Windows 2008 Enterprise v1.2.0
1.9.34 Microsoft network server: Digitally sign communications (always) | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.35 Microsoft network server: Digitally sign communications (if client agrees) | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.35 Microsoft network server: Digitally sign communications (if client agrees) | Windows | CIS Windows 2008 Enterprise v1.2.0
1.11 Ensure Web Tier ELB is using HTTPS listener | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
1.14 Ensure App Tier ELB is using HTTPS listener | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
18.5.14.1 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' - NETLOGON | Windows | CIS Windows Server 2012 R2 DC L1 v2.4.0
18.5.14.1 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' - NETLOGON | Windows | CIS Windows Server 2012 R2 MS L1 v2.4.0
18.5.14.1 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for SYSVOL shares' | Windows | CIS Windows Server 2012 R2 DC L1 v2.4.0
18.5.14.1 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for SYSVOL shares' | Windows | CIS Windows Server 2012 R2 MS L1 v2.4.0
18.5.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for all NETLOGON and SYSVOL shares' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1
18.5.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for all NETLOGON and SYSVOL shares' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1
18.5.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for all NETLOGON and SYSVOL shares' | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1
18.5.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for all NETLOGON and SYSVOL shares' | Windows | CIS Azure Compute Microsoft Windows Server 2019 v1.0.0 L1 DC
18.5.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for all NETLOGON and SYSVOL shares' | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1