800-53|AC-17(3)

Title

MANAGED ACCESS CONTROL POINTS

Description

The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.

Supplemental

Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections.

Reference Item Details

Related: SC-7

Category: ACCESS CONTROL

Parent Title: REMOTE ACCESS

Family: ACCESS CONTROL

Baseline Impact: MODERATE, HIGH

Audit Items

| Name | Plugin | Audit Name |
|---|---|---|
| 1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured' | Cisco | CIS Cisco IOS 17 L1 v2.0.0 |
| 1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured' | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured' | Cisco | CIS Cisco IOS 16 L1 v2.0.0 |
| 1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured' | Cisco | CIS Cisco IOS 16 L1 v2.0.0 |
| 1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured' | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured' | Cisco | CIS Cisco IOS 17 L1 v2.0.0 |
| 1.2.5 Set 'access-class' for 'line vty' | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.2.5 Set 'access-class' for 'line vty' | Cisco | CIS Cisco IOS 16 L1 v2.0.0 |
| 1.2.5 Set 'access-class' for 'line vty' | Cisco | CIS Cisco IOS 17 L1 v2.0.0 |
| 1.5.4 Set the ACL for each 'snmp-server community' | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1 |
| 1.5.5 Set 'snmp-server host' when using SNMP | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1 |
| 1.5.5 Set the ACL for each 'snmp-server community' | Cisco | CIS Cisco IOS 16 L1 v2.0.0 |
| 1.5.5 Set the ACL for each 'snmp-server community' | Cisco | CIS Cisco IOS 17 L1 v2.0.0 |
| 1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | Cisco | CIS Cisco IOS 16 L1 v2.0.0 |
| 1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | Cisco | CIS Cisco IOS 17 L1 v2.0.0 |
| 1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL' | Cisco | CIS Cisco IOS 16 L1 v2.0.0 |
| 1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL' | Cisco | CIS Cisco IOS 17 L1 v2.0.0 |
| 1.5.6 Set 'snmp-server enable traps snmp' | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1 |
| 1.5.7 Set 'snmp-server host' when using SNMP | Cisco | CIS Cisco IOS 16 L1 v2.0.0 |
| 1.5.7 Set 'snmp-server host' when using SNMP | Cisco | CIS Cisco IOS 17 L1 v2.0.0 |
| 1.5.8 Set 'snmp-server enable traps snmp' | Cisco | CIS Cisco IOS 17 L1 v2.0.0 |
| 1.5.8 Set 'snmp-server enable traps snmp' | Cisco | CIS Cisco IOS 16 L1 v2.0.0 |
| 1.6.2 Ensure 'SSH version 2' is enabled | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.6.2 Restrict VTY Access | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1 |
| 2.4.2 Ensure all the login accounts having specific trusted hosts enabled | FortiGate | CIS Fortigate 7.0.x Level 1 v1.2.0 |
| 3.2.1.16 Ensure 'Allow adding VPN configurations' is set to 'Disabled' | MDM | MobileIron - CIS Apple iOS 17 Institution Owned L1 |
| 3.2.1.16 Ensure 'Allow adding VPN configurations' is set to 'Disabled' | MDM | AirWatch - CIS Apple iOS 17 Institution Owned L1 |
| 5.2.1 Minimize the admission of privileged containers | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L1 |
| 5.2.5 Minimize the admission of containers with allowPrivilegeEscalation | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L1 |
| 5.2.6 Minimize the admission of root containers | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2 |
| 5.11 (L1) Host must isolate management communications | VMware | CIS VMware ESXi 8.0 v1.1.0 L1 |
| 6.2 Ensure that operating system resource limits are set for MongoDB | Unix | CIS MongoDB 3.6 L2 Unix Audit v1.1.0 |
| 6.2 Ensure that operating system resource limits are set for MongoDB | Windows | CIS MongoDB 3.6 L2 Windows Audit v1.1.0 |
| Big Sur - Managed Access Control Points | Unix | NIST macOS Big Sur v1.4.0 - All Profiles |
| Big Sur - Managed Access Control Points | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High |
| Big Sur - Managed Access Control Points | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate |
| Catalina - Managed Access Control Points | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate |
| Catalina - Managed Access Control Points | Unix | NIST macOS Catalina v1.5.0 - All Profiles |
| Catalina - Managed Access Control Points | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High |
| GEN005504 - The SSH daemon must only listen on management network addresses unless authorized for uses other than management. | Unix | DISA STIG AIX 5.3 v1r2 |
| GEN005504 - The SSH daemon must only listen on management network addresses unless authorized for uses other than management. | Unix | DISA STIG AIX 6.1 v1r14 |
| GEN005504 - The SSH daemon must only listen on management network addresses unless authorized for uses other than management. | Unix | DISA STIG for Oracle Linux 5 v2r1 |
| GEN005504 - The SSH daemon must only listen on management network addresses unless authorized for uses other than management. | Unix | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit |
| Monterey - Managed Access Control Points | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 High |
| Monterey - Managed Access Control Points | Unix | NIST macOS Monterey v1.0.0 - All Profiles |
| Monterey - Managed Access Control Points | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 Moderate |
| WBSP-AS-000140 - The WebSphere Application Server bus security must be enabled. | Unix | DISA IBM WebSphere Traditional 9 STIG v1r1 Middleware |
| WBSP-AS-000140 - The WebSphere Application Server bus security must be enabled. | Unix | DISA IBM WebSphere Traditional 9 STIG v1r1 |
| WBSP-AS-000140 - The WebSphere Application Server bus security must be enabled. | Windows | DISA IBM WebSphere Traditional 9 Windows STIG v1r1 |