800-53|SC-7(5)

Title

DENY BY DEFAULT / ALLOW BY EXCEPTION

Description

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

Supplemental

This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
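As an added example (not part of the NIST control text or of the Tenable audit items listed on this page), the following Python script shows what the supplemental guidance means in practice on a Linux host running nftables. It places a constructed ruleset that only filters inbound traffic beside a constructed ruleset that denies both directions by default and lists each permitted flow as a separate exception, and it includes a small audit function that parses `nft list ruleset`-style text and flags any required hook whose default policy is not `drop` or that has no base chain at all (a missing output chain means outbound traffic is implicitly accepted, which is the failure mode most host firewalls quietly have). The table name, addresses and ports are assumptions chosen for illustration.

```python
"""Deny-all, permit-by-exception check for an nftables host firewall.

Added example, not part of the SC-7(5) control text. The rulesets below are
constructed for illustration; addresses, ports and the table name are assumed.
"""
import re
from typing import Dict, List

# Constructed weak ruleset: only the input hook is filtered. With no base chain
# on the output hook, the kernel accepts all outbound traffic, so the host does
# not meet the "both inbound and outbound" requirement of SC-7(5).
WEAK_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ip saddr 10.0.0.0/24 tcp dport 22 accept
    }
}
"""

# Constructed hardened ruleset: every base chain defaults to drop and each
# permitted flow is a separate, commented exception. The forward chain is
# included so the policy still holds if IP forwarding is ever enabled.
HARDENED_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        ip saddr 10.0.0.0/24 tcp dport 22 accept   # admin SSH from the management subnet
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
        ip daddr 10.0.0.53 udp dport 53 accept     # internal resolver only
        ip daddr 10.0.0.10 udp dport 123 accept    # internal NTP only
        tcp dport { 80, 443 } accept               # package mirror / updates
        log prefix "nft-out-drop: " drop           # record what the default policy blocks
    }
}
"""

# Matches the base-chain declaration as nft prints it, e.g.
# "type filter hook input priority 0; policy drop;" (priority may be a keyword).
BASE_CHAIN_RE = re.compile(
    r"^type\s+filter\s+hook\s+(\w+)\s+priority\s+[-\w]+\s*;\s*policy\s+(\w+)\s*;"
)

# SC-7(5) covers inbound and outbound traffic; forward only matters on routers.
REQUIRED_HOOKS = ("input", "output")


def parse_base_chains(ruleset: str) -> Dict[str, dict]:
    """Return {hook: {"policy": str, "exceptions": [rule, ...]}} per base chain.

    Exceptions are the explicit accept rules; everything else falls through
    to the chain's default policy.
    """
    chains: Dict[str, dict] = {}
    current = None
    for raw in ruleset.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = BASE_CHAIN_RE.match(line)
        if m:
            hook, policy = m.groups()
            current = hook
            chains[hook] = {"policy": policy, "exceptions": []}
        elif line == "}":
            current = None                     # end of the current chain (or table)
        elif current is not None and line.endswith(" accept"):
            chains[current]["exceptions"].append(line)
    return chains


def audit_default_deny(ruleset: str) -> List[str]:
    """Return findings; an empty list means every required hook denies by default."""
    chains = parse_base_chains(ruleset)
    findings = []
    for hook in REQUIRED_HOOKS:
        chain = chains.get(hook)
        if chain is None:
            findings.append(f"{hook}: no base chain, traffic is implicitly accepted")
        elif chain["policy"] != "drop":
            findings.append(f"{hook}: default policy is '{chain['policy']}', expected 'drop'")
    return findings


if __name__ == "__main__":
    # On a live host, feed the output of `nft list ruleset` to audit_default_deny().
    for name, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        findings = audit_default_deny(ruleset)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  {finding}")
        for hook, chain in parse_base_chains(ruleset).items():
            print(f"  {hook}: policy {chain['policy']}, {len(chain['exceptions'])} exception(s)")
```

The exception list that `parse_base_chains` returns is the artefact an assessor wants to see: each accept rule should map to an approved, documented need, and an outbound chain that accepts `tcp dport { 80, 443 }` to any destination is a far wider exception than the commented DNS and NTP rules, so it deserves its own justification (or an egress proxy) rather than a blanket allow.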

Reference Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Baseline Impact: MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.1.5.2.7 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.11 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.3.2 Disable TCP and UDP small servers | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.5.3 Do not set 'RW' for any 'snmp-server community' | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
2.1.1 Ensure 'extproc' Is Not Present in 'listener.ora' | Unix | CIS Oracle Server 19c Linux v1.2.0
2.1.1 Ensure 'extproc' Is Not Present in 'listener.ora' | Windows | CIS Oracle Server 19c Windows v1.2.0
2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 L1
2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 13.0 Ventura Cloud-tailored v1.1.0 L1
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' | Unix | CIS Oracle Server 18c Linux v1.1.0
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' | Windows | CIS Oracle Server 18c Windows v1.1.0
2.1.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 L1
2.1.4 Ensure rsync service is not enabled | Unix | CIS Google Container-Optimized OS v1.2.0 L1 Server
2.2 Disable Local-only Graphical Login Environment | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 13.0 Ventura v3.0.0 L1
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma v2.0.0 L1
2.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 15.0 Sequoia v1.0.0 L1
2.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 13.0 Ventura v3.0.0 L1
2.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma v2.0.0 L1
2.2.5 Ensure 'REMOTE_LISTENER' Is Empty | OracleDB | CIS Oracle Server 19c DB Traditional Auditing v1.2.0
2.2.5 Ensure 'REMOTE_LISTENER' Is Empty | OracleDB | CIS Oracle Server 19c DB Unified Auditing v1.2.0
2.3 Configure sendmail Service for Local-Only Mode | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
2.4 Configure TCP Wrappers - Allow localhost | Unix | CIS Solaris 10 L1 v5.2
2.4 Configure TCP Wrappers - Deny access to this server from all networks | Unix | CIS Solaris 10 L1 v5.2
2.4 Disable RPC Encryption Key | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | MS_SQLDB | CIS Microsoft SQL Server 2019 v1.4.0 L1 AWS RDS
2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | MS_SQLDB | CIS Microsoft SQL Server 2019 v1.4.0 L1 Database Engine
2.5 Disable Generic Security Services (GSS) | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
2.6 Disable Apache Service | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
2.7 Disable Kerberos TGT Expiration Warning | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2016 Database L1 AWS RDS v1.4.0
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2022 Database L1 DB v1.1.0
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' | MS_SQLDB | CIS Microsoft SQL Server 2019 v1.4.0 L1 Database Engine
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2017 Database L1 DB v1.3.0
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2016 Database L1 DB v1.4.0
2.10.2 TCP Wrappers - creating a hosts.deny file - configuration - 'hosts.deny file contains ALL:ALL' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0
2.10.3 TCP Wrappers - creating a hosts.allow file - configuration - 'hosts.allow has been configured' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0
2.11 Configure TCP Wrappers - hosts.allow | Unix | CIS Solaris 11.1 L1 v1.0.0
2.11 Configure TCP Wrappers - hosts.deny | Unix | CIS Solaris 11.1 L1 v1.0.0
2.12 Configure TCP Wrappers - hosts.allow | Unix | CIS Solaris 11 L1 v1.1.0
2.12 Configure TCP Wrappers - hosts.deny | Unix | CIS Solaris 11 L1 v1.1.0
2.12 Disable Telnet Service | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
10.1 Ensure Unused Features are Removed | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
10.2 SN.2 Remove Support for Internet Services (inetd) | Unix | CIS Oracle Solaris 11.4 L2 v1.1.0
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS