800-53|SC-7(5)

Title

DENY BY DEFAULT / ALLOW BY EXCEPTION

Description

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

Supplemental

This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

Reference Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Baseline Impact: MODERATE, HIGH

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.5.2.7 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.3.11 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2 Install TCP Wrappers - Allow localhost. Note: Replace 172.16.100.0/255.255.255.0 with a network block in use at your organization. | Unix | CIS Solaris 9 v1.3 |
| 1.2 Install TCP Wrappers - Deny access to this server from all networks | Unix | CIS Solaris 9 v1.3 |
| 1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured' | Cisco | CIS Cisco IOS 12 L1 v4.0.0 |
| 1.3 Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set | Windows | CIS Microsoft SharePoint 2016 OS v1.1.0 |
| 1.3 Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set | Windows | CIS Microsoft SharePoint 2019 OS v1.0.0 |
| 1.3.1 Disable CDP | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1 |
| 1.3.2 Disable TCP and UDP small servers | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1 |
| 1.5.1 Unset 'private' for 'snmp-server community' | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1 |
| 1.5.2 Unset 'public' for 'snmp-server community' | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1 |
| 1.5.3 Do not set 'RW' for any 'snmp-server community' | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1 |
| 1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | Cisco | CIS Cisco IOS 12 L1 v4.0.0 |
| 2.1 Configure TCP Wrappers | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0 |
| 2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2016 Database L1 AWS RDS v1.4.0 |
| 2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2017 Database L1 DB v1.3.0 |
| 2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS Microsoft SQL Server 2019 v1.4.0 L1 AWS RDS |
| 2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2022 Database L1 AWS RDS v1.1.0 |
| 2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS Microsoft SQL Server 2019 v1.4.0 L1 Database Engine |
| 2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 |
| 2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2022 Database L1 DB v1.1.0 |
| 2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2016 Database L1 DB v1.4.0 |
| 2.1.1 Ensure 'extproc' Is Not Present in 'listener.ora' | Unix | CIS Oracle Server 19c Linux v1.2.0 |
| 2.1.1 Ensure 'extproc' Is Not Present in 'listener.ora' | Windows | CIS Oracle Server 19c Windows v1.2.0 |
| 2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 13.0 Ventura Cloud-tailored v1.0.0 L1 |
| 2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 L1 |
| 2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' | Unix | CIS Oracle Server 18c Linux v1.1.0 |
| 2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' | Windows | CIS Oracle Server 18c Windows v1.1.0 |
| 2.1.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 13.0 Ventura Cloud-tailored v1.0.0 L1 |
| 2.1.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 L1 |
| 2.1.3 Ensure NFS and RPC are not enabled | Unix | CIS Google Container-Optimized OS v1.2.0 L1 Server |
| 2.1.4 Ensure rsync service is not enabled | Unix | CIS Google Container-Optimized OS v1.2.0 L1 Server |
| 2.1.7 Ensure that the --make-iptables-util-chains argument is set to true | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 2.1.8 Ensure that the --make-iptables-util-chains argument is set to true | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1 |
| 2.1.8 Ensure that the --make-iptables-util-chains argument is set to true | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1 |
| 2.1.8 Ensure that the --make-iptables-util-chains argument is set to true | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1 |
| 2.10 Disable Removable Volume Manager | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0 |
| 2.10 Ensure Unnecessary SQL Server Protocols are set to 'Disabled' | Windows | CIS SQL Server 2016 Database L1 OS v1.4.0 |
| 2.10 Ensure Unnecessary SQL Server Protocols are set to 'Disabled' | Windows | CIS SQL Server 2022 Database L1 OS v1.1.0 |
| 2.10 Ensure Unnecessary SQL Server Protocols are set to 'Disabled' | Windows | CIS SQL Server 2017 Database L1 OS v1.3.0 |
| 2.10 Ensure Unnecessary SQL Server Protocols are set to 'Disabled' | MS_SQLDB | CIS Microsoft SQL Server 2019 v1.4.0 L1 Database Engine |
| 2.10.2 - TCP Wrappers - creating a hosts.deny file - configuration - 'hosts.deny file contains ALL:ALL' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0 |
| 2.10.3 - TCP Wrappers - creating a hosts.allow file - configuration - 'hosts.allow has been configured' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0 |
| 2.11 Configure TCP Wrappers - hosts.allow | Unix | CIS Solaris 11.2 L1 v1.1.0 |
| 2.11 Configure TCP Wrappers - hosts.allow | Unix | CIS Solaris 11.1 L1 v1.0.0 |
| 2.11 Configure TCP Wrappers - hosts.deny | Unix | CIS Solaris 11.2 L1 v1.1.0 |
| 2.11 Configure TCP Wrappers - hosts.deny | Unix | CIS Solaris 11.1 L1 v1.0.0 |
| 2.11 Disable automount Service | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0 |
| 2.11 Ensure SQL Server is configured to use non-standard ports | MS_SQLDB | CIS SQL Server 2017 Database L1 DB v1.3.0 |
| 10.2 SN.2 Remove Support for Internet Services (inetd) | Unix | CIS Oracle Solaris 11.4 L2 v1.1.0 |